PUBLISH
Generate your trust.txt — the discovery file for your compliance proofs. Like security.txt for compliance. Publish at /.well-known/trust.txt so anyone can discover and verify your compliance posture.
CONFIGURE
Your organization's DID:web identity for signature verification
PREVIEW
# Corsair Trust Discovery
# Spec: https://grcorsair.com/spec/trust-txt
Expires: 2027-02-23T14:05:26Z
Or use the CLI
corsair trust-txt generate --did did:web:your-domain.com \
  --base-url https://your-domain.com/compliance/
WHY
Why trust.txt?
security.txt gave vulnerability researchers a standard place to find contact info. CISA made it mandatory for federal agencies. trust.txt does the same for compliance proofs — a machine-readable discovery endpoint that lets buyers, auditors, and AI agents find your CPOEs without asking you for a PDF. For large proof sets, keep trust.txt minimal and point to a SCITT log and catalog snapshot.
HOW
Three steps to publish
- 1. Fill in the form above with your DID:web, CPOE URLs, and optional SCITT/catalog/FLAGSHIP endpoints.
- 2. Download trust.txt and place it at /.well-known/trust.txt on your domain.
- 3. Verify it works:
corsair trust-txt discover your-domain.com --verify
API
Machine-actionable onboarding
Prefer an API instead of manual steps? Use POST /onboard to receive did.json, jwks.json, and trust.txt in one machine-readable response.
SPEC
Field reference
DID
(required) Your DID:web identity for public key resolution
CPOE
URL to a signed CPOE (JWT-VC). Repeatable for multiple proofs.
SCITT
SCITT transparency log endpoint for audit trail
CATALOG
Human-friendly catalog snapshot with per-CPOE metadata
FLAGSHIP
Real-time compliance signal stream (SSF/CAEP)
Frameworks
Comma-separated compliance frameworks in scope
Contact
Email for compliance inquiries
Expires
ISO 8601 date when this file should be refreshed
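
A consumer-side check of a fetched trust.txt against the field reference above, as an added example (not Corsair's own code or CLI). It assumes every field uses the `Key: value` line syntax seen on the `Expires` line of the preview; rejecting unknown fields, requiring https URLs, and requiring the DID's domain to equal the serving host are policies of this example, not rules stated on this page.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

KNOWN = {"did", "cpoe", "scitt", "catalog", "flagship", "frameworks", "contact", "expires"}
URL_FIELDS = ("cpoe", "scitt", "catalog", "flagship")

def parse_trust_txt(text):
    """Return (fields, errors); fields maps a lowercased name to its list of values."""
    fields, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):    # blank line or comment
            continue
        key, sep, value = line.partition(":")   # first colon only; values contain colons
        key, value = key.strip().lower(), value.strip()
        if not sep or not value or key not in KNOWN:
            errors.append(f"line {n}: malformed or unknown field")
        elif key in fields and key != "cpoe":   # only CPOE is described as repeatable
            errors.append(f"line {n}: duplicate field {key!r}")
        else:
            fields.setdefault(key, []).append(value)
    return fields, errors

def validate(fields, host, now=None):
    """Consumer-side checks; returns a list of problems (empty if none were found)."""
    problems, now = [], now or datetime.now(timezone.utc)
    did = fields.get("did", [""])[0]
    if did.split(":")[:3] != ["did", "web", host]:  # assumed policy; also catches no DID
        problems.append(f"DID missing or not a did:web for {host}: {did!r}")
    for key in URL_FIELDS:
        for url in fields.get(key, []):
            if urlparse(url).scheme != "https":
                problems.append(f"{key.upper()} is not an https URL: {url}")
    for value in fields.get("expires", []):
        try:
            exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            if exp.replace(tzinfo=exp.tzinfo or timezone.utc) <= now:
                problems.append(f"file expired at {value}")
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {value}")
    return problems

SAMPLE = """\
# constructed trust.txt with a plain-http CPOE and a past Expires date
DID: did:web:example.com
CPOE: http://example.com/compliance/soc2.jwt
Expires: 2020-01-01T00:00:00Z
"""
```

Passing these checks only establishes that the file is well-formed and current; each CPOE's signature still has to be verified against the key resolved from the DID.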