Specification §17

Three deployment tiers, one protocol

Vouch Protocol™ conforms at one of three levels. Higher levels are strict supersets of lower levels. Deployments declare the level they target; verifiers expect at least that level's guarantees.

Level 1

Credential

Ad hoc agent-action attestation.

Target deployment

Single agents signing occasional actions. No long-running runtime. No structural capability bounds required.

A conforming L1 implementation MUST

  • Issue and verify Vouch Credentials
  • Sign with the eddsa-jcs-2022 cryptosuite (Ed25519 over RFC 8785 JCS)
  • Resolve issuer DIDs (did:web, did:key at minimum)
  • Enforce credential validity windows
  • Enforce nonce-based replay resistance
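
The L1 issue-and-verify path, worked as an added Go example that is not code from the Vouch Protocol project or its vouch-python / go-sidecar implementations. The credential's field names, the in-memory issuer key table that stands in for did:web / did:key resolution, and the sample DID did:web:agent.example are assumptions; canonicalization relies on encoding/json emitting map keys in sorted order, which coincides with RFC 8785 JCS for the string-only document used here but is not a complete JCS encoder.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is a simplified stand-in for a Vouch Credential; field names are assumptions.
type Credential struct {
	Issuer     string `json:"issuer"`          // issuer DID, resolved out of band to a key
	Action     string `json:"action"`          // the attested agent action
	Nonce      string `json:"nonce"`           // unique per credential (replay resistance)
	ValidFrom  string `json:"validFrom"`       // RFC 3339
	ValidUntil string `json:"validUntil"`      // RFC 3339
	Proof      string `json:"proof,omitempty"` // base64url Ed25519 signature
}

var (
	ErrUnknownIssuer = errors.New("issuer DID not resolvable")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrNotYetValid   = errors.New("credential not yet valid")
	ErrExpired       = errors.New("credential expired")
	ErrReplay        = errors.New("nonce already used")
)

// canonicalize returns the signed bytes: compact JSON, lexically sorted keys, no HTML escaping,
// proof excluded. This matches RFC 8785 JCS for string-only documents; it is not a full JCS encoder.
func canonicalize(c Credential) []byte {
	doc := map[string]string{"issuer": c.Issuer, "action": c.Action, "nonce": c.Nonce,
		"validFrom": c.ValidFrom, "validUntil": c.ValidUntil}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	_ = enc.Encode(doc) // cannot fail for a map of strings
	return bytes.TrimRight(buf.Bytes(), "\n")
}

// Issue signs the credential with the issuer's Ed25519 key.
func Issue(priv ed25519.PrivateKey, c Credential) Credential {
	c.Proof = base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, canonicalize(c)))
	return c
}

// Verifier holds resolved issuer keys (standing in for did:web / did:key resolution)
// and the nonces it has already accepted.
type Verifier struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool
}

func NewVerifier(keys map[string]ed25519.PublicKey) *Verifier {
	return &Verifier{keys: keys, seen: map[string]bool{}}
}

// Verify checks signature, then validity window, then nonce. The nonce is consumed only after
// every other check passes, so a forged or expired presentation cannot burn a legitimate nonce.
func (v *Verifier) Verify(c Credential, now time.Time) error {
	pub, ok := v.keys[c.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	sig, err := base64.RawURLEncoding.DecodeString(c.Proof)
	if err != nil || !ed25519.Verify(pub, canonicalize(c), sig) {
		return ErrBadSignature
	}
	from, errFrom := time.Parse(time.RFC3339, c.ValidFrom)
	until, errUntil := time.Parse(time.RFC3339, c.ValidUntil)
	if errFrom != nil || errUntil != nil {
		return fmt.Errorf("malformed validity window: %v %v", errFrom, errUntil)
	}
	if now.Before(from) {
		return ErrNotYetValid
	}
	if !now.Before(until) {
		return ErrExpired
	}
	key := c.Issuer + "|" + c.Nonce // nonces are scoped per issuer
	if v.seen[key] {
		return ErrReplay
	}
	v.seen[key] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(map[string]ed25519.PublicKey{"did:web:agent.example": pub}) // constructed DID
	now := time.Now().UTC()
	c := Issue(priv, Credential{Issuer: "did:web:agent.example", Action: "deploy:staging", Nonce: "n-1",
		ValidFrom: now.Format(time.RFC3339), ValidUntil: now.Add(5 * time.Minute).Format(time.RFC3339)})
	fmt.Println(v.Verify(c, now), v.Verify(c, now)) // <nil> nonce already used
}
```

The order of checks is the point: signature first, window second, nonce last, and the nonce is recorded only once the first two have passed. Scoping the seen-set by issuer keeps two issuers that happen to reuse a nonce value from blocking each other.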

MAY omit

  • Delegation chains
  • Sidecar pattern
  • Status-list revocation
  • State Verifiability

Level 2

Structural-Security

Sidecar + delegation + revocation.

Target deployment

Production deployments with LLM-driven agents. Capability bounds and revocation are required.

A conforming L2 implementation MUST

  • Everything from L1
  • Identity Sidecar pattern: signing key isolated from the LLM, intent allow-list enforced before signing
  • Delegation chains with the resource-narrowing rule and the five-link depth bound
  • BitstringStatusList revocation with configurable polling
  • Structured rejection codes for sidecar refusals
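
The delegation-chain and revocation rules from the list above, worked as an added Go example that is not the project's code. The Link shape, the DIDs and the resource strings are constructed for the example; each link's own proof is assumed to have been verified as an L1 credential before the chain is walked, and the polling cadence for refreshing the status list is outside the example. The BitstringStatusList encoding follows the W3C layout (GZIP-compressed bitstring, base64url without padding, optional multibase `u` prefix, bit 0 as the most significant bit of the first byte).

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"slices"
	"strings"
)

const maxDelegationDepth = 5 // the five-link depth bound

// Link is one hop of a delegation chain (hypothetical shape); its proof is assumed verified.
type Link struct {
	Delegator       string   // DID handing out authority
	Delegatee       string   // DID receiving it
	Resources       []string // resources the delegatee may act on
	StatusListIndex int      // this link's bit in the issuer's BitstringStatusList
}

var ErrDepth = errors.New("chain longer than five links")
var ErrBroken = errors.New("delegator is not the previous delegatee")
var ErrWidened = errors.New("link grants a resource its delegator does not hold")
var ErrRevoked = errors.New("link is revoked")

type StatusList struct{ bits []byte } // decoded list: bit i set means entry i is revoked

// DecodeStatusList parses an encodedList: optional 'u' prefix, base64url, GZIP-compressed bits.
func DecodeStatusList(encoded string) (*StatusList, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(encoded, "u"))
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, err
	}
	bits, err := io.ReadAll(zr)
	if err != nil {
		return nil, err
	}
	return &StatusList{bits: bits}, nil
}

// Revoked reports whether bit index is set (bit 0 = MSB of byte 0); out of range fails closed.
func (s *StatusList) Revoked(index int) bool {
	if index < 0 || index/8 >= len(s.bits) {
		return true
	}
	return s.bits[index/8]&(0x80>>uint(index%8)) != 0
}

// EncodeStatusList is the issuer side; it is here only to build the sample list.
func EncodeStatusList(size int, revoked []int) string {
	bits := make([]byte, (size+7)/8)
	for _, i := range revoked {
		bits[i/8] |= 0x80 >> uint(i%8)
	}
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(bits)
	zw.Close()
	return "u" + base64.RawURLEncoding.EncodeToString(buf.Bytes())
}

// VerifyChain walks the chain from root (which holds rootResources) and returns what the final
// delegatee may act on. Each link must be unrevoked, issued by the previous delegatee, and
// must only narrow the resource set (the resource-narrowing rule).
func VerifyChain(root string, rootResources []string, chain []Link, status *StatusList) ([]string, error) {
	if len(chain) > maxDelegationDepth {
		return nil, ErrDepth
	}
	holder, held := root, rootResources
	for i, l := range chain {
		if l.Delegator != holder {
			return nil, fmt.Errorf("link %d: %w", i, ErrBroken)
		}
		if status.Revoked(l.StatusListIndex) {
			return nil, fmt.Errorf("link %d: %w", i, ErrRevoked)
		}
		for _, r := range l.Resources {
			if !slices.Contains(held, r) {
				return nil, fmt.Errorf("link %d, %s: %w", i, r, ErrWidened)
			}
		}
		holder, held = l.Delegatee, l.Resources
	}
	return held, nil
}

func main() {
	status, _ := DecodeStatusList(EncodeStatusList(16, []int{5})) // constructed list, entry 5 revoked
	chain := []Link{{"did:web:orchestrator.example", "did:web:agent-a.example", []string{"repo:deploy", "repo:read"}, 0},
		{"did:web:agent-a.example", "did:web:agent-b.example", []string{"repo:read"}, 1}}
	got, err := VerifyChain("did:web:orchestrator.example", []string{"repo:deploy", "repo:read", "billing:read"}, chain, status)
	fmt.Println(got, err) // [repo:read] <nil>
}
```

Two details a verifier should keep: an index past the end of the fetched list is treated as revoked rather than valid, and the depth bound is checked before any link is examined, so an over-long chain is rejected without spending work on its links.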

MAY omit

  • Dual-proof post-quantum profile
  • Heartbeat Protocol
  • Validator quorum

Level 3

State Verifiable + PQ

The full protocol.

Target deployment

Long-running agents in regulated or adversarial environments. High-stakes actions (financial transfers, regulated submissions, clinical records, production deployments).

A conforming L3 implementation MUST

  • Everything from L2
  • Dual-proof post-quantum cryptosuite (eddsa-jcs-2022 + mldsa44-jcs-2026)
  • Heartbeat Protocol with configurable renewal interval
  • Trust entropy decay against per-action thresholds
  • Behavioural attestation digests + canary commit/reveal chains
  • M-of-N validator quorum, with role-specialised validators (policy, behaviour, budget)

Which tier is right for me?

Just signing a few actions, no LLM runtime? L1 is enough. You get a verifiable credential per action.

Running an LLM agent in production? L2. The Sidecar pattern is the security primitive that bounds a prompt-injected LLM. Without it, a compromised LLM context can sign arbitrary intents.
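
The Sidecar contract that paragraph describes, as an added Go example that is not go-sidecar's code: the LLM-facing API takes an Intent and returns either a signed envelope or a structured Rejection, the key sits in the Sidecar struct with no accessor, and the allow-list is evaluated before the key is touched. The Intent fields, the rejection code names and the Rules map are assumptions made for the example; json.Marshal stands in for JCS canonicalization of the intent.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
)

// Intent is what the LLM proposes. The LLM never touches the key; it receives either a
// signed envelope or a structured Rejection. Field names are assumptions.
type Intent struct {
	Action   string `json:"action"`
	Resource string `json:"resource"`
	Nonce    string `json:"nonce"`
}

// Rejection is a structured sidecar refusal; the code names are hypothetical.
type Rejection struct {
	Code   string `json:"code"`
	Detail string `json:"detail"`
}

func (r *Rejection) Error() string { return r.Code + ": " + r.Detail }

const (
	CodeMalformed          = "MALFORMED_INTENT"
	CodeActionNotAllowed   = "ACTION_NOT_ALLOWED"
	CodeResourceNotAllowed = "RESOURCE_NOT_ALLOWED"
)

// Rules is the intent allow-list: action -> resource prefixes it may touch. Prefixes should
// end at a delimiter ("repo:acme/") so that "repo:acme-other/x" cannot match "repo:acme".
type Rules map[string][]string

// Sidecar owns the signing key. The field is unexported and has no accessor, so the only
// path to a signature is Sign, which evaluates the allow-list first.
type Sidecar struct {
	priv  ed25519.PrivateKey
	rules Rules
}

// NewSidecar generates the key inside the sidecar and hands back only the public half.
func NewSidecar(rules Rules) (*Sidecar, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Sidecar{priv: priv, rules: rules}, pub, nil
}

// Signed is the envelope returned to the agent runtime.
type Signed struct {
	Intent    Intent `json:"intent"`
	Signature []byte `json:"signature"`
}

// Sign refuses with a Rejection before any signature is produced.
func (s *Sidecar) Sign(in Intent) (*Signed, error) {
	if in.Action == "" || in.Resource == "" || in.Nonce == "" {
		return nil, &Rejection{CodeMalformed, "action, resource and nonce are required"}
	}
	prefixes, ok := s.rules[in.Action]
	if !ok {
		return nil, &Rejection{CodeActionNotAllowed, in.Action}
	}
	allowed := false
	for _, p := range prefixes {
		if strings.HasPrefix(in.Resource, p) {
			allowed = true
			break
		}
	}
	if !allowed {
		return nil, &Rejection{CodeResourceNotAllowed, in.Resource}
	}
	msg, _ := json.Marshal(in) // stands in for the JCS canonical form of the intent
	return &Signed{Intent: in, Signature: ed25519.Sign(s.priv, msg)}, nil
}

// Verify is what a relying party runs; it needs only the sidecar's public key.
func Verify(pub ed25519.PublicKey, sg *Signed) bool {
	msg, _ := json.Marshal(sg.Intent)
	return ed25519.Verify(pub, msg, sg.Signature)
}

func main() {
	sc, pub, _ := NewSidecar(Rules{"git.push": {"repo:acme/"}}) // constructed allow-list
	sg, err := sc.Sign(Intent{Action: "git.push", Resource: "repo:acme/api", Nonce: "n-1"})
	fmt.Println(Verify(pub, sg), err) // true <nil>
	_, err = sc.Sign(Intent{Action: "billing.transfer", Resource: "acct:1", Nonce: "n-2"})
	fmt.Println(err) // ACTION_NOT_ALLOWED: billing.transfer
}
```

Because a prompt-injected LLM can only ever call Sign, the worst it can obtain is a signature over an intent the allow-list already permits; the structured codes also give the operator something to alert on when refusals cluster.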

Regulated industry, long-running agents, or post-quantum mandate? L3. The Heartbeat layer makes silent compromise observable. The dual-proof PQ profile is the migration path off Ed25519 without breaking existing verifiers.

Conformance declaration

Deployments SHOULD publish a machine-readable conformance declaration at a stable URL:

{
  "@context": ["https://vouch-protocol.com/contexts/conformance/v1"],
  "type": "VouchConformanceDeclaration",
  "deployment": "did:web:example.com",
  "level": "L2",
  "implementations": ["vouch-python==1.0.0", "go-sidecar==1.0.0"],
  "validated": "2026-05-18T00:00:00Z",
  "testVectorsPassing": ["jcs", "eddsa-jcs-2022", "bitstring-status-list",
                         "delegation-chain", "sidecar-contract"]
}
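
A verifier-side checker for the declaration, as an added Go example that is not part of the specification or its implementations: it parses the document above, rejects a level claim that is not backed by the test vectors of that tier and every tier below it, and answers the "at least that level" question a verifier asks. The mapping of vector names to tiers is an assumption drawn from the MUST lists (the page names no L3-specific vectors), and the shape checks on type and deployment are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Declaration mirrors the conformance document above.
type Declaration struct {
	Context            []string  `json:"@context"`
	Type               string    `json:"type"`
	Deployment         string    `json:"deployment"`
	Level              string    `json:"level"`
	Implementations    []string  `json:"implementations"`
	Validated          time.Time `json:"validated"`
	TestVectorsPassing []string  `json:"testVectorsPassing"`
}

// levelRank orders the tiers; a higher tier is a strict superset of the lower ones.
var levelRank = map[string]int{"L1": 1, "L2": 2, "L3": 3}

// requiredVectors assigns the vector names from the sample declaration to the tier whose MUST list
// they belong to. This is an assumption for the example; no L3-specific vectors are named, so L3 adds none.
var requiredVectors = map[string][]string{
	"L1": {"jcs", "eddsa-jcs-2022"},
	"L2": {"bitstring-status-list", "delegation-chain", "sidecar-contract"},
}

// ParseDeclaration decodes and validates a declaration fetched from its stable URL.
func ParseDeclaration(data []byte) (*Declaration, error) {
	var d Declaration
	if err := json.Unmarshal(data, &d); err != nil {
		return nil, err
	}
	if err := d.Validate(); err != nil {
		return nil, err
	}
	return &d, nil
}

// Validate checks the document's shape and that every vector required by the declared tier
// and by each tier below it is listed as passing.
func (d *Declaration) Validate() error {
	if d.Type != "VouchConformanceDeclaration" {
		return fmt.Errorf("unexpected type %q", d.Type)
	}
	if !strings.HasPrefix(d.Deployment, "did:") {
		return fmt.Errorf("deployment %q is not a DID", d.Deployment)
	}
	rank, ok := levelRank[d.Level]
	if !ok {
		return fmt.Errorf("unknown level %q", d.Level)
	}
	passing := map[string]bool{}
	for _, v := range d.TestVectorsPassing {
		passing[v] = true
	}
	for _, level := range []string{"L1", "L2", "L3"} {
		if levelRank[level] > rank {
			break
		}
		for _, v := range requiredVectors[level] {
			if !passing[v] {
				return fmt.Errorf("%s declared but %s vector %q not passing", d.Level, level, v)
			}
		}
	}
	return nil
}

// Satisfies reports whether a deployment declaring `declared` meets a verifier expecting `required`.
func Satisfies(declared, required string) bool {
	dr, ok1 := levelRank[declared]
	rr, ok2 := levelRank[required]
	return ok1 && ok2 && dr >= rr
}

// sampleDeclaration is the page's example document, embedded here as the input.
const sampleDeclaration = `{
  "@context": ["https://vouch-protocol.com/contexts/conformance/v1"],
  "type": "VouchConformanceDeclaration",
  "deployment": "did:web:example.com",
  "level": "L2",
  "implementations": ["vouch-python==1.0.0", "go-sidecar==1.0.0"],
  "validated": "2026-05-18T00:00:00Z",
  "testVectorsPassing": ["jcs", "eddsa-jcs-2022", "bitstring-status-list", "delegation-chain", "sidecar-contract"]
}`

func main() {
	d, err := ParseDeclaration([]byte(sampleDeclaration))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println(d.Level, Satisfies(d.Level, "L1"), Satisfies(d.Level, "L3")) // L2 true false
}
```

A declaration is self-asserted, so the checker treats the listed test vectors as the evidence for the level claim: an "L2" document that omits the sidecar-contract vector is rejected rather than silently downgraded, and the verifier decides from the declared level whether its own minimum tier is met.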