Compliance Certificates

Compliance certificates are issued to vendors whose MCP servers pass a trust scan at a qualifying grade. Certificates provide MLSs with independently verified trust data when reviewing vendor access requests.

What is a compliance certificate?

A certificate is a timestamped record that captures:

  • trust_grade_at_issue: The vendor's grade when the certificate was issued (A+, A, B+, etc.)
  • trust_score_at_issue: The numerical score (0-100) at issuance
  • issued_at: When the certificate was generated
  • expires_at: Expiration date (certificates have a fixed validity period)
  • status: active, expired, or revoked

Certificate lifecycle

Trust scan passes ──► Certificate issued (active)
                          │
                          ├── Expires → expired (rescan to renew)
                          └── Score drops below threshold → revoked

Status    Meaning
active    Certificate is valid and within its validity period
expired   Certificate validity period has passed; rescan to renew
revoked   Certificate revoked due to score degradation or policy violation

For MLS administrators

When reviewing vendor access requests, certificates provide independent verification of vendor trust. The compliance dashboard shows:

  • Which approved vendors have active certificates
  • The grade at time of issuance
  • When certificates expire (so you can require renewal)

Vendors without certificates still show trust scores from their latest scan, but these are point-in-time measurements rather than formally issued credentials.

For vendors

Maintaining an active certificate improves your chances of MLS approval. To obtain and maintain a certificate:

  1. Deploy your MCP server through Conduit
  2. Pass a trust scan at a qualifying grade
  3. A certificate is automatically issued
  4. Rescan before expiration to renew

Certificate validation

Certificate status is automatically checked during MLS vendor review. The trust resolution chain is:

Vendor access request
    │
    ├── 1. Check compliance_certificates (active, not expired)
    │       → Use certificate grade and score
    │
    └── 2. Fallback: Check latest trust_scans via vendor's MCP servers
            → Use most recent scan grade and score

Certificates take priority over raw scan results because they represent a formally verified state.
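
The resolution chain above, sketched as an added example (not Conduit's own code). The certificate field names come from this page; the scan fields (grade, score, scanned_at), the in-memory record shape, and the rule that the most recently issued certificate wins are assumptions.

```python
from datetime import datetime, timezone


def resolve_trust(certificates, scans, now=None):
    """Return the grade/score an MLS vendor review would use for one vendor."""
    now = now or datetime.now(timezone.utc)
    # Step 1: only certificates that are active AND not past expires_at count.
    # Checking both guards against a status field that was never updated.
    usable = [c for c in certificates
              if c["status"] == "active" and c["expires_at"] > now]
    if usable:
        # Assumption: if several qualify, the most recently issued one is used.
        cert = max(usable, key=lambda c: c["issued_at"])
        return {"source": "certificate",
                "grade": cert["trust_grade_at_issue"],
                "score": cert["trust_score_at_issue"]}
    # Step 2: fall back to the most recent scan (a point-in-time measurement).
    if scans:
        scan = max(scans, key=lambda s: s["scanned_at"])
        return {"source": "scan", "grade": scan["grade"], "score": scan["score"]}
    return {"source": None, "grade": None, "score": None}


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample records (not real vendor data).
NOW = _utc(2025, 6, 1)
CERT_ACTIVE = {"status": "active", "trust_grade_at_issue": "A",
               "trust_score_at_issue": 91,
               "issued_at": _utc(2025, 3, 1), "expires_at": _utc(2025, 9, 1)}
# Status still says "active" but expires_at has passed: must not be used.
CERT_STALE = {"status": "active", "trust_grade_at_issue": "A+",
              "trust_score_at_issue": 97,
              "issued_at": _utc(2024, 6, 1), "expires_at": _utc(2025, 1, 1)}
CERT_REVOKED = {"status": "revoked", "trust_grade_at_issue": "A",
                "trust_score_at_issue": 90,
                "issued_at": _utc(2025, 4, 1), "expires_at": _utc(2025, 10, 1)}
SCANS = [{"grade": "A", "score": 90, "scanned_at": _utc(2025, 2, 1)},
         {"grade": "B+", "score": 82, "scanned_at": _utc(2025, 5, 20)}]

if __name__ == "__main__":
    print(resolve_trust([CERT_STALE, CERT_ACTIVE], SCANS, NOW))
    print(resolve_trust([CERT_STALE, CERT_REVOKED], SCANS, NOW))
```

In the second call the revoked certificate's grade is ignored and the review sees the newer, lower scan result instead.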