aisthetic·services/ agenttrust gateway
ExplorerProductDocsPricingSecurityEnterpriseSign inSign up free
Embed

Drop the badge on your page in one line.

Pick the snippet that matches how strict your CSP is. Both forms link to the public provider profile and the same auto-cached SVG badge.

Static image (CSP-friendly)

No JavaScript on your page. The badge SVG is fetched fresh every 5 minutes (server-cached). Best fit for static sites and locked-down CSP policies.

<a href="https://aisthetic.services/p?slug=demo" target="_blank" rel="noopener">
  <img src="https://sandbox.aisthetic.services/v1/providers/demo/badge.svg"
       alt="Verified by AgentTrust"
       width="220" height="56" />
</a>

Script tag v2 (animated count + polling)

The v2 widget auto-discovers data-provider, mounts the badge, fetches the current receipt count, and animates a rolling number overlay on top. Optional data-poll-seconds (30–600) refetches the count periodically. No tracking, no cookies, no third-party requests.

<script src="https://aisthetic.services/embed-v2.js"
        data-provider="demo"
        data-style="full"
        data-poll-seconds="120"
        defer></script>

Optional attributes: data-style="compact" skips the count animation; data-anchor="#my-mount" targets an existing element instead of mounting next- sibling of the script tag; data-api overrides the gateway origin if you self-host the badge endpoint; data-poll-seconds="120" refetches every 120 s.

Script tag v1 (auto-mount, no animation)

The v1 widget is preserved for backward compatibility. It mounts the badge once on load and stamps a data-receipt-count attribute on the container so you can hook a CSS counter manually.

<script src="https://aisthetic.services/embed.js"
        data-provider="demo"
        data-style="full"
        defer></script>

The canonical https://aisthetic.services/embed.js URL continues to point at v1; /embed-v1.js is the explicit alias.

Subresource Integrity (SRI), recommended

For maximum trust, pin the script with an integrity="sha384-…" attribute so any future modification of the file by the host server breaks the script load instead of executing tampered code. Compute the hash one-time:

# Compute your own SRI integrity hash (one-time):
shasum -b -a 384 embed-v2.js | cut -d' ' -f1 | xxd -r -p | base64
# Then pin in the script tag:
<script src="https://aisthetic.services/embed-v2.js"
        integrity="sha384-<your-computed-hash>"
        crossorigin="anonymous"
        data-provider="demo"
        defer></script>

What the embed does NOT do

  • Does not set cookies, fingerprint, track, or send analytics.
  • Does not load third-party JS. Single GET to the gateway badge endpoint plus an optional GET to the recent-receipts JSON.
  • Does not imply AgentTrust certifies or vouches for the embedder. The badge says "verified by AgentTrust", meaning the gateway has issued signed receipts for traffic this provider has routed through it.
  • Does not claim SOC 2, does not claim ISO 27001, does not claim HIPAA, does not claim PCI.

Live preview: the badge below is the actual `/v1/providers/demo/badge.svg` endpoint.

Verified by AgentTrust, demo