WellKnownAI

Maintains a centralized, publicly queryable index of AI service manifests published at provider domains via `.well-known/ai.json` endpoints. Implements a pull-based aggregation model where WellKnownAI periodically fetches and validates manifests from registered provider domains, then serves a unified `registry.json` file mapping domain names to their manifest metadata. Supports decentralized provider self-hosting while enabling downstream systems (MCP clients, agent frameworks) to discover capabilities without direct provider queries.

Provides CLI-based validation tooling (`validate-ai.mjs`) that checks manifest JSON documents against the AI Manifest v0.1 JSON schema, reporting structural conformance errors and warnings. Validates required fields (manifest_version, provider, spec, capabilities), nested object structures (servers, auth, receipts), and field types (strings, arrays, URNs). Outputs validation results as JSON reports suitable for CI/CD integration, enabling providers to catch schema violations before publishing.

Enables providers to declare bearer token authentication requirements in manifests via the `auth.schemes[]` array, specifying that clients must provide a bearer token (e.g., API key, JWT) to access the service. Manifests include `auth.jwks_uri` pointing to the provider's JWKS endpoint for token signature verification. Validation tooling checks that auth schemes are properly formatted and JWKS URIs are valid URLs. Enables downstream systems to understand authentication requirements and implement token validation without hardcoding provider-specific auth logic.

Enables providers to cryptographically sign their manifests using private keys and include signatures in the `receipts.signature[]` array, allowing downstream systems to verify manifest authenticity and detect tampering. Signatures are computed over the manifest JSON using RSA algorithms, with signature metadata (algorithm, key ID, timestamp) included in the receipt. Validation tooling checks signature structure and format but does not verify signature validity (requires downstream systems to perform cryptographic verification using provider's JWKS). Enables end-to-end manifest integrity verification without requiring a centralized signing authority.

Enables providers to declare contact information in manifests via the `contact.*` fields (email, phone, support URL, etc.), allowing downstream systems and users to reach out with questions, issues, or integration requests. Validation tooling checks that contact fields are properly formatted (valid email addresses, valid URLs). Provides a standardized way for providers to publish contact information alongside their manifest, reducing friction for service discovery and integration.

Enables providers to declare service endpoints in manifests via the `servers[]` array, specifying endpoint URLs, types (REST, WebSocket, gRPC, etc.), and metadata. Each server entry includes URL, type, and optional description, allowing downstream systems to discover available endpoints and their protocols without requiring external documentation. Validation tooling checks that server URLs are valid and types are recognized. Supports multiple endpoints per service (e.g., REST API, WebSocket for streaming, gRPC for performance).

Provides CLI validation tool (`validate-jwks.mjs`) that validates RSA public key sets published at `/.well-known/jwks.json` endpoints, ensuring they conform to JWKS specification and contain properly formatted RSA keys. Validates key structure (kty, use, kid, n, e fields), key format (base64url encoding), and key metadata. Enables downstream systems to verify manifest signatures using provider's public keys, establishing a trust chain for manifest authenticity without requiring a central CA.

Provides CLI validation tool (`validate-crl.mjs`) that validates Certificate Revocation List documents published at `/.well-known/ai-crl.json` endpoints. CRL documents contain revocation entries (kid, revocation_reason, revoked_at) that signal when signing keys have been compromised or rotated out. Validates CRL structure, timestamp formats, and revocation entry completeness. Enables downstream systems to check whether a manifest's signing key has been revoked before trusting the signature.

Automatically generates and publishes timestamped snapshots of the complete registry state (all indexed manifests, metadata, validation status) at regular intervals. Each snapshot is a point-in-time copy of `registry.json` with a timestamp, enabling downstream systems to track registry changes over time and detect when manifests have been added, removed, or modified. Snapshots are immutable and archived, providing an audit trail of registry evolution.

Computes and publishes diffs between consecutive registry snapshots, identifying which manifests were added, removed, or modified between versions. Diffs include manifest-level changes (new entries, deleted entries) and field-level changes (capability additions, endpoint modifications). Enables downstream systems to efficiently detect registry changes without downloading and comparing entire snapshots, reducing bandwidth and processing overhead.

Provides an interactive HTML-based UI for browsing the registry, viewing individual manifest entries, and searching for services by provider name or domain. The Registry Viewer displays manifest metadata (provider info, capabilities, endpoints, auth schemes), renders OpenAPI references, and provides links to provider domains and manifest documents. Enables non-technical users and researchers to explore available AI services without parsing JSON or using CLI tools.

Provides two mechanisms for providers to submit their domains to the registry: (1) GitHub PR submission where providers fork the registry repository, add their domain to a manifest list, and submit a pull request for review; (2) Web form submission where providers enter their domain and manifest details through a simple HTML form. Both mechanisms trigger validation of the provider's `.well-known/ai.json` endpoint and JWKS before accepting the submission. Enables decentralized registry growth without requiring centralized account management or API authentication.

Supports embedding or referencing OpenAPI 3.x specification fragments within AI Manifest documents via the `spec.openapi_url` field, enabling providers to link to detailed API documentation without duplicating schema information. Manifests can reference external OpenAPI YAML/JSON files or embed OpenAPI objects directly, allowing downstream systems to discover both high-level capabilities (from manifest) and detailed endpoint schemas (from OpenAPI). Validation tooling accepts and validates OpenAPI references without requiring full OpenAPI document validation.

Defines and validates a URN (Uniform Resource Name) format for identifying capabilities in manifests (e.g., `urn:ai:capability:web-search`, `urn:ai:capability:image-generation`). Capabilities array in manifests contains URN identifiers that enable standardized capability discovery and matching across heterogeneous AI services. Validation tooling checks that capability URNs conform to the URN syntax and follow the `urn:ai:capability:*` namespace convention. Enables downstream systems to match capabilities across services using standardized identifiers rather than free-form strings.