Summary
GARL brings cryptographic trust scores into your AI workflow. It exposes 18 tools (28 with batch variants) that let you log agent actions, verify reputations with five-dimensional scoring, route tasks to trusted agents by category, and issue revocable capability tokens. Every action gets hashed with SHA-256 and signed with ECDSA-secp256k1, producing a shareable receipt URL. You can check trust scores with `garl_trust_verify`, find the best agent for a task with `garl_trust_route`, compare agents with `garl_trust_compare`, and gate operations behind trust thresholds. It works through MCP, REST, Python and JavaScript SDKs, or as a GitHub Action that signs AI-authored commits. Reach for this when you need verifiable provenance for multi-agent systems or want to delegate tasks based on measured reliability instead of guesswork.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
GARL Protocol
Signed, verifiable receipts for everything your AI agents do.
Every action an AI agent takes — code commits, tool calls, API calls, payments — gets a signed receipt.
GARL signs each one with ECDSA-secp256k1 (RFC 6979 deterministic) and anchors it on Base mainnet, so anyone can verify what an agent did, offline, without trusting GARL.
Add your agent · For Code · Website · Docs · Live receipt · Try It
Try it now
Path A — For Code (GitHub Action, 5 lines of YAML)
Sign every AI-authored commit in your pull requests.
# .github/workflows/garl-receipt.yml
name: GARL Receipt
on:
pull_request:
types: [opened, synchronize, reopened]
jobs:
sign:
runs-on: ubuntu-latest
permissions: { contents: read, pull-requests: write, checks: write }
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- uses: Garl-Protocol/garl-receipt-action@v1.1.0
with:
garl-api-key: ${{ secrets.GARL_API_KEY }}
garl-agent-id: ${{ secrets.GARL_AGENT_ID }}
Every PR gets a rolling GARL Receipt comment + informational check:
🔐 GARL Verified AI Code
├── Model: claude-opus-4-6
├── Tool: Claude Code
├── Files touched: 12
├── Duration: 4m 12s
├── Signed: ECDSA-secp256k1 ✓
└── Receipt: https://garl.ai/r/a8f3c2d1
Setup guide: Garl-Protocol/garl-receipt-action ·
Live landing page: garl.ai/for-code.
Path B — For Agents (SDK / MCP)
With Claude Desktop or Cursor (MCP)
Add to your Claude Desktop config (claude_desktop_config.json) or Cursor MCP settings:
{
"mcpServers": {
"garl": {
"command": "npx",
"args": ["-y", "@garl-protocol/mcp-server"]
}
}
}
That's it — 29 named tools (including batch variants like garl_verify_batch) are now available in your AI assistant: receipts, Trust Vector lookups, capability tokens (issue/verify/revoke), Capability Gate pre-flight, UETA §10(b) undo, and more.
With curl (zero install)
# Check an agent's trust score
curl -s "https://api.garl.ai/api/v1/trust/verify?agent_id=5872ce17-5718-4980-ade3-e51c9556fb53" | python3 -m json.tool
# Find the most trusted coding agent
curl -s "https://api.garl.ai/api/v1/trust/route?category=coding&min_tier=silver" | python3 -m json.tool
# See the live leaderboard
curl -s "https://api.garl.ai/api/v1/leaderboard?limit=5" | python3 -m json.tool
With Python
pip install garl-protocol
import garl
garl.init("your_api_key", "your_agent_uuid")
garl.log_action("Analyzed dataset", "success", category="data")
result = garl.is_trusted("target_agent_uuid", min_score=60)
if result["trusted"]:
print(f"Safe to delegate — score: {result['score']}/100")
With JavaScript
npm install @garl-protocol/sdk
import { init, logAction, isTrusted } from "@garl-protocol/sdk";
init("your_api_key", "your_agent_uuid", "https://api.garl.ai/api/v1");
await logAction("Generated REST API", "success", { category: "coding" });
const result = await isTrusted("target_agent_uuid", { minScore: 60 });
if (result.trusted) {
console.log(`Safe to delegate — score: ${result.score}/100`);
}
Receipts — a paste-ready proof for every trace
Every submitted trace gets a public shareable Receipt URL at
https://garl.ai/r/{short} — a cryptographic proof card (agent, tier, task,
duration, SHA-256 hash, ECDSA signature) with an Open Graph image that
previews richly in Slack, Twitter/X, GitHub PRs, and LinkedIn.
curl -s https://api.garl.ai/api/v1/verify/6ff83db8 | python3 -m json.tool
# → receipt_url: https://garl.ai/r/6ff83db8
SDKs expose receipt_url / receiptUrl on every log_action / verify
return and a client.receipt(hash) shortcut. The MCP tool garl_receipt
resolves any short or full hash to a paste-ready URL.
GitHub Action — sign every AI-authored commit
Add Garl-Protocol/garl/integrations/github-action-receipt to your PR
workflow. It detects Claude Code, Cursor, GitHub Copilot, Aider, and Codex
co-author trailers, submits a signed trace per qualifying commit, and posts
a rolling PR comment + informational check with receipt URLs:
- uses: Garl-Protocol/garl/integrations/github-action-receipt@main
with:
garl-api-key: ${{ secrets.GARL_API_KEY }}
garl-agent-id: ${{ secrets.GARL_AGENT_ID }}
Full setup in integrations/github-action-receipt.
Only metadata is uploaded — never diffs or source.
Why GARL?
| Problem | GARL's Answer |
|---|---|
| "Is this agent reliable?" | 5-dimensional trust scoring with Exponential Moving Average |
| "Which agent should I pick?" | Smart routing by category + minimum certification tier |
| "Can I verify its track record?" | Immutable ledger with ECDSA-signed execution traces + shareable Receipt URLs |
| "Does it work with my stack?" | MCP Server · A2A Protocol · REST API · Python & JS SDKs · GitHub Action |
| "Prove this AI commit is real" | GitHub Action posts a signed receipt per AI-authored commit |
| "What about on-chain agents?" | ERC-8004 format compatible (off-chain). Receipt-batch Merkle roots are anchored on Base mainnet (MerkleAnchor at 0xBeD7EdeFbEb02be9682bCdeC5fb5D7DA28b1b6F2). |
Works with
Claude Desktop · Cursor · Any MCP Client · Google A2A · ERC-8004 · REST API · Python · JavaScript · LangChain · CrewAI · AutoGen · LlamaIndex · Semantic Kernel · GitHub Actions
How it works
Every agent action is hashed, signed, scored across five dimensions, and made queryable — creating a verifiable trust record.
Agent executes task → SHA-256 hash + ECDSA signature → 5D EMA scoring → Tier assigned → Queryable via API/MCP/A2A
┌─────────────────────────────────────────────────────────────────┐
│ GARL Protocol │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Python │ │ JS │ │ MCP │ │ A2A │ │
│ │ SDK │ │ SDK │ │ Server │ │ JSON-RPC │ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ │ │ │ │ │
│ └──────────────┴──────────────┴──────────────┘ │
│ │ │
│ ┌─────▼─────┐ │
│ │ FastAPI │ REST + A2A + MCP │
│ │ Backend │ Rate Limited + CORS │
│ └─────┬─────┘ │
│ │ │
│ ┌───────────────┼───────────────┐ │
│ │ │ │ │
│ ┌─────▼─────┐ ┌─────▼─────┐ ┌─────▼─────┐ │
│ │ Reputation│ │ Signing │ │ Webhook │ │
│ │ Engine │ │ Engine │ │ Engine │ │
│ │ • 5D EMA │ │ • SHA-256 │ │ • HMAC │ │
│ │ • Tiers │ │ • ECDSA │ │ • Retry │ │
│ └───────────┘ └───────────┘ └───────────┘ │
│ │ │
│ ┌─────▼─────┐ │
│ │ Supabase │ PostgreSQL + RLS │
│ │ │ Immutable Triggers │
│ └───────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
ERC-8004 Compatibility
GARL Protocol serves agent metadata in ERC-8004 format (off-chain). Separately, the Merkle roots of batched Action Receipts are anchored on Base mainnet (MerkleAnchor contract 0xBeD7EdeFbEb02be9682bCdeC5fb5D7DA28b1b6F2, chain 8453). Individual receipts are not written on-chain; anyone can verify a receipt's inclusion against an anchored root via verifyProof.
# Get ERC-8004 compatible metadata for any agent
curl -s "https://api.garl.ai/api/v1/agents/{agent_id}/erc8004" | python3 -m json.tool
# Get trust scores in ERC-8004 Reputation Registry feedback format
curl -s "https://api.garl.ai/api/v1/agents/{agent_id}/erc8004/feedback" | python3 -m json.tool
GARL uses the same cryptographic curve as Ethereum (ECDSA-secp256k1), making trust attestations natively verifiable by on-chain systems.
Documentation
| Topic | Link |
|---|---|
| Full API Reference (50+ REST endpoints + A2A + MCP) | docs/api-reference.md |
| MCP Server (29 named tools, including batch variants) | garl.ai/docs#mcp-server |
| A2A Protocol Integration | garl.ai/docs#a2a |
| ERC-8004 Compatibility | garl.ai/docs#erc-8004 |
| Python & JS SDKs | garl.ai/docs#sdks |
| Architecture & Tech Stack | docs/architecture.md |
| Deployment & Self-hosting | docs/deployment.md |
| Security | docs/security.md |
Interactive API explorer: api.garl.ai/docs (Swagger) · api.garl.ai/redoc
Live now
- garl.ai — Live dashboard & real-time trust feed
- Add your agent — Connect any agent (REST, SDK, MCP, GitHub Action) in three steps
- My Agents — sign in (Clerk) and claim the agents you've connected by API key to track their activity from one place
- Registry — Browse connected agents and their signed, verifiable activity
- Verify — Public cryptographic trace verification
- Playground — Interactive API explorer
- Simulator — 5D trust score calculator with what-if analysis
- Compare — Side-by-side agent comparison with radar overlay
- Swagger — Full OpenAPI documentation
- MerkleAnchor on Base — Receipt-batch Merkle roots anchored on Base mainnet (chain 8453)
- MCP Registry — Listed as
io.github.Garl-Protocol/agent-trust
Contributing
GARL Protocol is open source under the Apache 2.0 License. Contributions are welcome — see CONTRIBUTING.md for guidelines and CODE_OF_CONDUCT.md for community standards. Every commit must be DCO-signed (git commit -s).
Requirements: Python 3.10+ for the backend (PEP 604 union syntax),
Node 18+ for the frontend. macOS users: the system python3 is 3.9
and will fail backend tests — install 3.10+ via pyenv / brew install python@3.12
and invoke explicitly (python3.12 -m pytest tests/).
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Run tests (
python3.12 -m pytestfor backend,npx next buildfor frontend) - Commit your changes with DCO sign-off (
git commit -s -m 'Add amazing feature') - Open a Pull Request
Canonical registry, self-hosting, and marks
- Canonical registry:
https://api.garl.ai— the single deployment whose public key anchors theGARL Verifiedstatus. Public keys are published at/.well-known/garl-keys.json. - Self-hosting is supported and documented in
docs/self-host.md. Self-hosted deployments are first-class participants but are not the canonical registry; see GOVERNANCE.md. - Trademark policy: TRADEMARK.md. The source code is Apache 2.0; the GARL name and logo are project marks and subject to the policy.
Project decision-making, breaking-change process, and the boundary between repository features (Apache 2.0 forever) and potential future Cloud-only services on the canonical registry are documented in GOVERNANCE.md.
License
Apache License 2.0 — see LICENSE for details.
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →Configuration
GARL_API_KEYsecretYour GARL API key (get one via garl_register_agent tool or POST https://api.garl.ai/api/v1/agents/auto-register)
GARL_AGENT_IDYour GARL agent UUID (returned on registration)
Categories
Registryactive
Package@garl-protocol/mcp-server
TransportSTDIO
AuthRequired
UpdatedMar 1, 2026
