Accept SatGate capabilities without pretending there is a marketplace.
Acceptance means an upstream verifies SatGate-scoped authority before action and returns receipt-grade evidence after the decision. It does not mean SatGate ranks, endorses, or reputationally scores that upstream.
Verifies scoped SatGate capabilities and returns SatGate-compatible receipts. Acceptance means capability verification and receipt emission. No marketplace, ranking, reputation, or endorsement claim.
{
"schema_version": "satgate.receipt.v1",
"schema_url": "https://satgate.io/.well-known/satgate-receipt.schema.json",
"receipt_id": "rcpt_mock_accept_001",
"evidence_pack_id": "ep_mock_accept_001",
"issuer": "https://satgate.io",
"issuer_kid": "satgate-mock-2026-05",
"acceptor_id": "https://api.internal.example/satgate-mock",
"decision": "allowed",
"decision_reason": "capability_scope_audience_and_budget_ok",
"policy_version": "policy_mock_acceptance_v0",
"timestamp": "2026-05-13T00:00:00Z",
"canonicalization": "jcs-rfc8785",
"hash_algorithm": "sha256",
"signature_algorithm": "ed25519",
"capability_hash": "sha256:mock_capability_hash",
"receipt_hash": "sha256:mock_receipt_hash",
"signature": "ed25519:mock_signature_not_for_production",
"mock_only": true
}Badge and copy
The badge says exactly one thing.
Badge text
Accepts SatGate capabilities
Use when an upstream verifies SatGate-scoped capabilities and returns SatGate-compatible receipts for accepted calls.
Short disclaimer
Capability verification + receipts only
The badge does not mean SatGate endorses the upstream, ranks it, audits its business, or provides network-wide reputation.
Machine signal
roles: ["acceptor"]
Acceptor metadata advertises accepted capability formats, trust anchors, recognized prior receipt decisions, emitted receipt decisions, and the claim boundary.
Minimal integration checklist
Enough to prove acceptance. Not enough to claim reputation.
Publish or document the upstream acceptor identity and contact path.
Accept `Authorization: Bearer <capability>` using `satgate.capability.v1` or `macaroon-bearer`.
Verify issuer trust anchor before fetching issuer JWKS.
Verify signature, expiry, audience, route/tool scope, caveats, budget, and delegation depth before execution.
Execute only the action authorized by the capability.
Return a SatGate-compatible receipt that validates against `satgate.receipt.v1` for the acceptor v0 decision subset: allowed, denied, or paid.
Expose a test vector or mock endpoint before claiming real production acceptance.
Verification criteria
A verifier should be able to reproduce these outcomes.
Capability accepted
A valid scoped capability for the upstream audience and route is accepted before execution.
Capability denied
An expired, wrong-audience, wrong-route, over-budget, or untrusted-issuer capability is rejected with a receipt-grade denial.
Receipt returned
Every allowed or denied call returns a receipt with `schema_version`, `schema_url`, `receipt_id`, `evidence_pack_id`, `issuer`, `issuer_kid`, `decision`, `decision_reason`, `policy_version`, `timestamp`, `canonicalization`, `hash_algorithm`, `signature_algorithm`, `receipt_hash`, and `signature`.
Trust remains bounded
The upstream makes no marketplace, ranking, reputation, or endorsement claim. Acceptance proves verification behavior, not global trust.
No overclaiming
What the badge does not mean.
It does not mean SatGate operates a directory of trusted APIs.
It does not mean the upstream is endorsed, ranked, audited, or safer than another upstream.
It means one integration path has evidence: scoped capability verification before execution and receipt emission after the decision.
- “SatGate trusted marketplace member”
- “SatGate certified reputation score”
- “SatGate endorsed API”
- “Network-approved upstream”
Internal mock first
Use the mock acceptor until a real upstream is ready.
The mock example is deliberately labeled internal: it proves the acceptance shape without claiming public network adoption.