
OTR-ID Lifecycle

11.1 What Is an OTR-ID

An OTR-ID is a deterministic, unique identifier generated for every assessed commercial domain. Format: OTR-1{mode}-{fingerprint}-{checksum}
  • Mode: C = COLD (public assessment), A = AUTH (merchant authorized)
  • Fingerprint: 12 uppercase hex chars from SHA-256 of normalized domain
  • Checksum: 2 Base36 chars (Luhn mod-36 + deterministic salt)
Properties:
  • Deterministic: same domain always produces the same fingerprint
  • Irreversible: SHA-256 is one-way, so the original domain cannot be recovered from the fingerprint
  • Only issued to commerce sites (ecommerce/saas) with trust score greater than 0

11.2 Status Lifecycle

OTR-IDs have five possible statuses, managed via shared constants (OTR_ID_STATUS):
| Status | Meaning | Recovery |
|---|---|---|
| ACTIVE | Normal, trust score valid | |
| UPGRADED | Merchant authorized (AUTH mode) | |
| SUSPENDED | Anti-fraud triggered (score forced to 0) | Automatic when score recovers |
| REVOKED | Permanent — identity change, Google Web Risk flagged, or site dead | Requires full rescan by SmartRescan |
| NOT_APPLICABLE | Non-commerce site — no scoring, no OTR-ID | Automatic if reclassified as commerce |

Status Transitions

First scan (commerce, score > 0) → ACTIVE
  ├── Merchant authorizes → UPGRADED
  ├── Anti-gaming triggered → SUSPENDED → score recovers → ACTIVE
  ├── Identity change / WebRisk / site dead → REVOKED (permanent)
  └── Reclassified as non-commerce → NOT_APPLICABLE → reclassified back → new ACTIVE

REVOKED vs NOT_APPLICABLE

These are different states with different recovery paths:
  • REVOKED: Domain identity changed, flagged as dangerous, or site died. The OTR-ID is permanently removed. A full SmartRescan must run before a new ID can be issued.
  • NOT_APPLICABLE: Site is non-commercial. No OTR-ID was ever needed. If the site adds commerce features and is reclassified, a new OTR-ID is generated automatically.

11.3 Non-Commerce Sites

Non-commerce sites (government, education, financial institutions, nonprofits) receive NOT_APPLICABLE status:
  • Identity verification still runs (GLEIF, Wikidata, SSL)
  • No trust score calculated
  • No OTR-ID issued
  • API returns identity signals and safety data
  • If reclassified as commerce, a new OTR-ID is minted normally

11.4 Parked Domains

Parked or for-sale domains receive NOT_APPLICABLE with siteStatus = PARKED:
  • Detected via 15+ registrar HTML patterns and fingerprint analysis
  • No backfill, no scoring, no OTR-ID
  • If the domain becomes active, SmartRescan detects the change and re-enters the pipeline

11.5 Using an OTR-ID

In agent.json

{
  "trust": {
    "otr_id": "OTR-1C-2265CBCC4D1E-R3"
  }
}

In API Responses

The verify API response includes otrId and otrIdStatus. AI agents should check both:
{
  "otrId": "OTR-1C-2265CBCC4D1E-R3",
  "otrIdStatus": "ACTIVE"
}
For non-commerce sites:
{
  "otrId": "",
  "otrIdStatus": "NOT_APPLICABLE"
}
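
An agent-side check of the two response fields above, as an added example (not OTR's own code): it validates the ID against the format in 11.1 and fails closed on every status except ACTIVE and UPGRADED. The function name, the optional comparison with the otr_id a site publishes in agent.json, and treating only those two statuses as usable are assumptions; the checksum is only format-checked because the page does not give the salt.

```python
import re

# Format from 11.1: OTR-1{mode}-{fingerprint}-{checksum}
#   mode C or A, 12 uppercase hex chars, 2 Base36 chars.
# The checksum value is not recomputed: the salt is not given on the page.
OTR_ID_RE = re.compile(r"OTR-1([CA])-([0-9A-F]{12})-([0-9A-Z]{2})")

# The five statuses listed in 11.2.
KNOWN = {"ACTIVE", "UPGRADED", "SUSPENDED", "REVOKED", "NOT_APPLICABLE"}
# Assumption: only these two mean the ID can be relied on right now.
USABLE = {"ACTIVE", "UPGRADED"}


def otr_id_usable(response, declared_id=None):
    """Return (ok, reason) for a parsed verify API response.

    declared_id is the otr_id the site published in agent.json, if any
    (hypothetical parameter). That value is self-asserted, so it must
    match what the API returns.
    """
    otr_id = response.get("otrId")
    status = response.get("otrIdStatus")
    if not isinstance(otr_id, str) or not isinstance(status, str):
        return False, "missing otrId or otrIdStatus"
    if status not in KNOWN:
        return False, "unknown status"  # fail closed on anything unexpected
    if status == "NOT_APPLICABLE":
        if otr_id:
            return False, "NOT_APPLICABLE response carries an otrId"
        return False, "non-commerce site: no OTR-ID, no trust score"
    if not OTR_ID_RE.fullmatch(otr_id):
        return False, "malformed otrId"
    if declared_id is not None and declared_id != otr_id:
        return False, "agent.json otr_id does not match API otrId"
    if status not in USABLE:
        return False, "status " + status
    return True, status


if __name__ == "__main__":
    # The two sample responses shown on this page.
    print(otr_id_usable({"otrId": "OTR-1C-2265CBCC4D1E-R3", "otrIdStatus": "ACTIVE"}))
    print(otr_id_usable({"otrId": "", "otrIdStatus": "NOT_APPLICABLE"}))
```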

In Commerce Protocols

In UCP, ACP, and MCP interactions, the OTR-ID serves as supplementary identity verification.