Integration Endpoints
The surfaces nucleus exposes for integration — agent discovery (A2A), verification, keyless identity, transparency log, and MCP. Status is honest: some are live today, some are offline/in-browser (no server needed), and some are deploy-ready services you self-host.
| status | meaning |
|---|---|
| 🟢 LIVE | hosted and reachable right now |
| 🔵 OFFLINE | runs client-side / in CI — no endpoint to call |
| 🟡 SELF-HOST | the service is built + deploy-ready (fly.toml), but not currently on a public URL — fly deploy to expose it |
Agent discovery (A2A)
A JWS-signed Agent Card describing the agent's identity, capabilities, and
verification keys (nucleus-agent-card).
GET /.well-known/agent-card.json — 🟡 SELF-HOST (published by nucleus-verifier-service)
The card is signed; verify it against the issuer's jwks.json before trusting it.
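One way to perform that check, as an added example that is not nucleus's own code. It assumes the card is a compact JWS signed with EdDSA (Ed25519) and carries a kid header; the page does not specify the card's serialization or algorithm, and verifyAgentCard, makeSample and the sample key and card are hypothetical and constructed here.

```javascript
// Added example: verify a signed Agent Card against a pinned JWKS (Node built-ins only).
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');

// Assumption: compact JWS (header.payload.signature), alg EdDSA, key chosen by kid.
function verifyAgentCard(compactJws, jwks) {
  const parts = String(compactJws).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a compact JWS' };
  const [h, p, s] = parts;
  let header;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'bad header' };
  }
  // Allow-list the algorithm; never let the token choose it (rejects "none", HS256, ...).
  if (header.alg !== 'EdDSA') return { ok: false, reason: 'alg not allowed' };
  // Pick the key by kid from the JWKS obtained from the issuer you already trust,
  // not from any key or URL embedded in the card itself.
  const jwk = (jwks.keys || []).find((k) => typeof header.kid === 'string' &&
    k.kid === header.kid && k.kty === 'OKP' && k.crv === 'Ed25519');
  if (!jwk) return { ok: false, reason: 'unknown kid' };
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify(null, Buffer.from(`${h}.${p}`), key, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  // Parse the payload only after the signature has checked out.
  return { ok: true, card: JSON.parse(Buffer.from(p, 'base64url').toString('utf8')) };
}

// Constructed sample data: a throwaway issuer key, JWKS and card (not real nucleus output).
function makeSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1' }] };
  const h = b64u(JSON.stringify({ alg: 'EdDSA', kid: 'demo-key-1' }));
  const p = b64u(JSON.stringify({ name: 'demo-agent', capabilities: ['verify'] }));
  const s = b64u(crypto.sign(null, Buffer.from(`${h}.${p}`), privateKey));
  return { jwks, jws: `${h}.${p}.${s}` };
}

const sample = makeSample();
console.log(verifyAgentCard(sample.jws, sample.jwks));
```

In a deployment the jwks argument would be the document fetched over TLS from the issuer's /.well-known/jwks.json, cached and pinned to that issuer.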
Verification
Re-check a signed provenance bundle / receipt (nucleus-verifier-service).
- POST /v1/verify — verify a bundle inline — 🟡 SELF-HOST
- POST /v1/bundles/{hash}/verify — verify by content hash — 🟡 SELF-HOST
- GET /.well-known/jwks.json — issuer verify key — 🟡 SELF-HOST

You usually don't need the server: the offline verifier is live and needs no endpoint.
- npm i @coproduct_inc/verify → verifyReceipt(...) — 🔵 OFFLINE (zero-trust, recomputes the verdict)
- In-browser WASM demo: https://coproduct-opensource.github.io/nucleus/verify/ — 🟢 LIVE
Transparency log & witness federation
Tamper-evident inclusion + a cosigning witness ring (nucleus-verifier-service).
- GET /v1/log/size · GET /v1/log/sth — 🟡 SELF-HOST
- GET /v1/log/inclusion-proof · GET /v1/log/consistency-proof — 🟡 SELF-HOST
- GET /v1/witness/peers · POST /v1/witness/peer-sth — 🟡 SELF-HOST

Keyless identity (OIDC → SPIFFE)
Federated, keyless identity — exchange a workload OIDC token, publish a verify set
(nucleus-oidc-provider).
- GET /.well-known/openid-configuration — RFC 8414 discovery — 🟡 SELF-HOST
- GET /jwks.json — RFC 7517 verify set — 🟡 SELF-HOST
- POST /oauth/token — RFC 8693 token exchange — 🟡 SELF-HOST
DID / WebFinger
Resolve a SPIFFE identity to a DID document + permission-fingerprint binding
(nucleus-identity).
GET /.well-known/webfinger?resource=spiffe://<trust-domain>/... — links to /.well-known/did.json + /.well-known/spiffe-did-binding.json — 🟡 SELF-HOST
MCP (agent-native)
Model Context Protocol endpoints so an LLM/agent can call nucleus directly.
- The Vault CTF MCP: https://nucleus-ctf.fly.dev/mcp — 🟢 LIVE
- Verifier MCP: /mcp on nucleus-verifier-service — 🟡 SELF-HOST
- nucleus-mcp-server (stdio MCP tool) — 🔵 OFFLINE

The Vault (try it / point an agent at it) — 🟢 LIVE
A formally-verified permission lattice you (or an LLM) try to exfiltrate past.
- Play: https://nucleus-ctf.fly.dev/ (also published at /nucleus/vault/ on these docs)
- GET /api/v1/levels · GET /api/v1/levels/{level}
- POST /api/v1/attack · POST /api/v1/challenge
- GET /openapi.json · GET /api (docs)
Honest deployment status (2026-06)
Live today: The Vault (nucleus-ctf.fly.dev), the offline npm verifier
(@coproduct_inc/verify), and the in-browser /verify WASM demo. The
nucleus-verifier-service and nucleus-oidc-provider are built and
deploy-ready (fly.toml in each crate) but are not currently on a public
URL — fly deploy to expose them, or wire your own host. The agent card is
served by the verifier-service, so it goes live when that service is deployed.
For self-hosting recipes see the existing guides in docs/ (verifier integration,
external-RP integration, OpenClaw users).