OAP
Conformance

Six levels. Mechanically verified. No certification authority.

OAP defines six Conformance Levels (L0 through L5). Implementations declare their Level through a signed Conformance Receipt produced by the open-source test suite. There is no certification authority and no fee. L4 and L5 require independent peer-witness signatures from already-conformant implementations and an anchor in the OAP Registry, an append-only Git repository (RFC 0026).

L0
Compatible
machine-verifiable
Implements MCP or A2A and publishes a minimal OAP Manifest mapping. Self-attested.
L1
Discoverable
machine-verifiable
Full Manifest, categories, examples, machine-validated by the OAP test suite. Self-signed Conformance Receipt.
L2
Billable
machine-verifiable
L1 plus Pricing, Auth, Subscription, Wallet, refund endpoint. Self-signed.
L3
Trusted
machine-verifiable
L2 plus Audit Log, Data Policy, CCC, Verified Publisher, Multi-Party Review for high-risk Actions. DNS or DID-based publisher verification.
L4
Collaborative
machine-verifiable
L3 plus Multi-Agent Coordination, Conflict Resolution, Change Broadcast, Coordination Sessions. Requires at least one independent peer-witness signature, anchored in the OAP Registry.
L5
Peer-Certified
machine-verifiable
L4 plus an independent third-party security audit (SOC 2 Type II, ISO 27001, or equivalent). Requires at least three independent peer-witness signatures from L4+ implementations, anchored in the OAP Registry.

Profiles and tiers (RFC 0025, RFC 0028)

Two profile suffixes refine the base levels. -NC waives the Commerce Plane for non-commercial implementations (RFC 0025). -FINANCE bundles SR 11-7 model risk management, MiFID II, ECOA Reg B, and EU AI Act high-risk obligations on top of L5 (RFC 0028).

L1-NC
L1 Non-Commercial
machine-verifiable
L1 with Wallet, Subscription, and refund waived. For BYOK platforms, self-hosted deployments, and grant- or donation-funded services.
L3-NC
L3 Non-Commercial
machine-verifiable
L3 with the Commerce Plane requirements waived. Trust requirements (Audit Log, Data Policy, CCC, Verified Publisher) still apply in full.
L5-FINANCE
L5 Regulated Finance
machine-verifiable
L5 plus the full RFC 0028 obligations: SR 11-7 Model Inventory, drift detection, champion-challenger promotion, symbiotic escalation with confidence thresholds (Rosenthal-Biswas-Veloso 2010), counterfactual explanations (Wachter-Mittelstadt-Russell 2017), ECOA Reg B adverse-action notices, quarterly disparate-impact audit at the four-fifths rule. At least two of the three peer witnesses MUST be registered to entities under the same regulatory regime (bank, broker-dealer, insurer, payment institution).
Probe coverage status. Every level from L0 through L5, plus L1-NC and L3-NC, has machine-verifiable probes in test-suite/behavior/. The reference server claims L0 and L1 honestly and currently passes 58 out of 58 probes (44 active checks plus 14 not-applicable PASSes for capabilities the reference does not claim). Probes for L2 through L5 activate the moment an implementation’s Conformance Receipt claims those levels, and attest.js ignores not-applicable PASSes when computing credit, so an L1 implementation cannot silently inherit L2..L5 attestation. Probe sources: test-suite/behavior, requirements: levels.json, audited Receipt format: RFC 0019.

How to claim a level

  1. Run node test-suite/runner.js against your deployment.
  2. Run node test-suite/attest.js --target ... --signing-key ... to produce a signed Conformance Receipt.
  3. Publish the Receipt at a stable URL and reference it from your Manifest's conformance.receipt_uri.
  4. For L4 and L5: send your Receipt to peer witnesses (other L4+ implementations) and ask each to run attest.js --peer-witness.
  5. Submit a Pull Request to openagentprotocol-OAP/oap-registry with your implementations/<slug>.json. Browse current entries in the OAP Registry.
  6. The Registry CI gate validates schema, signatures, manifest reachability, peer witnesses, and the 30-day domain-age sybil filter. If everything passes, a Maintainer merges. The merge commit is your anchor.

Conformance Receipts are valid for 90 days and MUST be re-issued before expiry. The full procedure is normative in RFC 0019 and RFC 0026. The Non-Commercial Profile is defined in RFC 0025. The L5-FINANCE Tier is defined in RFC 0028.