Quickstart · Jiffy Trust Protocol
Jiffy Trust Protocol — quickstart
JTP v0.1.0 · Architecture A (Protocol Gateway)
Three snippets, sixty seconds, no signup. Every snippet returns a signed AARM-conformant attestation you can verify offline. Pick a section — each one stands alone.
1. MCP — Claude Code / Cursor
What this gives you: a one-line MCP server install that exposes the jiffy_trust_check tool to any MCP-capable runtime. Your agent calls it before invoking an artifact and gets back a tier, score, and signed attestation.
Install
claude mcp add jiffy-scan-mcp \ -- npx -y @jiffylabs/jiffy-scan-mcp@0.5.1
Run (the tool call shape)
{
"tool": "jiffy_trust_check",
"arguments": {
"artifact": "mcp://example/server",
"type": "mcp"
}
}Expected output (pruned)
{
"tier": "TRUSTED",
"jts": 84,
"attested_at": "2026-04-24T13:00:00.000Z",
"signing_key_id": "jtp-v0.1.0-ed25519-001",
"aarm_conformance": {
"architecture": "A",
"spec_version": "0.1.0"
}
}What just happened: the MCP server forwarded your artifact to the JTP gateway, which classified it into one of five tiers, scored it, attached an Ed25519 signature, and returned the attestation along with an AARM-conformance addendum. The signature verifies offline against the public key at /.well-known/jiffy-trust-pubkey. Formal model: /docs-public/jtp-spec.
2. HTTP API — anonymous curl
What this gives you: the same attestation as Section 1, without MCP. A single curl call against the public /api/v1/trust endpoint returns the signed JSON. No account, no key required.
Run
curl -s "https://jiffylabs.app/api/v1/trust\ ?artifact=mcp%3A%2F%2Fexample%2Fserver&type=mcp" | jq
Expected output
HTTP/2 200
Content-Type: application/json; charset=utf-8
Cache-Control: public, max-age=60, s-maxage=300
Link: </api/v1/aarm/conformance>; rel="aarm-conformance"
{
"artifact": "mcp://example/server",
"tier": "TRUSTED",
"jts": 84,
"aarm_conformance": {
"architecture": "A",
"spec_version": "0.1.0",
"manifest_url": "https://jiffylabs.app/api/v1/aarm/conformance"
}
}What just happened: the gateway returned a signed JSON attestation plus an Link: </api/v1/aarm/conformance>; rel="aarm-conformance" response header pointing at the machine-readable AARM conformance manifest. The body addendum mirrors the link target so consumers can pull conformance metadata in-band. Formal model: /docs-public/jtp-spec.
3. Verify the trust handshake yourself
What this gives you: a five-receipt deploy-keyed sample chain you can pull anonymously and round-trip through /api/v1/aarm/verify-chain. The chain is byte-stable across deploys (regenerated only when the sample-chain key rolls); a successful round-trip proves end-to-end signature verification + hash linkage from a fresh machine in one shot.
Run
curl -s https://jiffylabs.app/api/v1/aarm/sample-chain \
| curl -s -X POST -H "Content-Type: application/json" \
--data-binary @- https://jiffylabs.app/api/v1/aarm/verify-chain \
| jqExpected output
{
"valid": true,
"length": 5,
"tip": "<sha256 of receipt[4]>",
"verified_signatures": 5
}What just happened: the J.4 sample chain is signed with the deploy-keyed jtp-sample-v1-ed25519-001 key (public half pinned in web/src/lib/aarm/sample-chain.ts). The verifier walks the receipt-by-receipt hash links and checks each Ed25519 signature; a single tampered byte fails the round-trip. Receipt-chain protocol details: /docs-public/jtp-spec.