Skip to main content

OTR Architecture Overview

2.1 Four-Layer Architecture

+----------------------------------------------------------+
|                Verification Layer                         |
|  REST API . .well-known/otr/verify . MCP Server          |
|  AI agents and developers query trust scores here        |
+----------------------------------------------------------+
|                Identity Layer                             |
|  OTR-ID . Trust Badges (PLATINUM/GOLD/SILVER/BRONZE)     |
|  Each domain receives a unique identifier and badge      |
+----------------------------------------------------------+
|                Scoring Layer                              |
|  Six-Dimension Model . Weight System . Site-Type Adapt.  |
|  50+ signals weighted to produce a 0-100 score           |
+----------------------------------------------------------+
|                Collection Layer                           |
|  DNS . SSL . HTML . Fingerprints . GLEIF . Wikidata . SEC|
|  Automatic collection of public signals from many sources|
+----------------------------------------------------------+

2.2 Data Flow

The complete journey of a domain from initial submission to a trust score: 
Domain Submitted
  |
  v
Collection Layer: Multi-Stage Pipeline
  +- Stage 1-5:   DNS checks (DNSSEC/DMARC/SPF/DKIM/CAA and 12 signals total)
  +- Stage 6-10:  HTML scan (SSL/structured data/policy pages/llms.txt)
  +- Stage 11:    Fingerprint detection (2,438 fingerprints, 975 OTR-scored)
  +- Stage 12:    Site classification (ecommerce/SaaS/non-commercial, 13 subcategories)
  +- Stage 13:    Policy depth analysis (privacy/returns/terms of service quality)
  +- Stage 14:    External data sources (GLEIF/Wikidata/Finnhub/SEC)
  +- Stage 15:    Data integration (multi-source merge, write to storage)
  |
  v
Scoring Layer: Scorer
  +- Read all signals
  +- Group by dimension (V/S/G/T/D/F)
  +- Apply weight matrix (adapted by site type: ecommerce/saas/authorized)
  +- Compute per-dimension scores and total score
  +- Assign badge
  |
  v
Identity Layer: OTR-ID Generation
  +- Format: OTR-{hash}
  +- Links domain, score, and badge
  |
  v
Verification Layer: API Publication
  +- GET /api/otr/verify/{domain}
  +- GET /.well-known/otr/verify
  +- MCP Server: @otr-protocol/mcp-server

2.3 Relationship with Other Commerce Protocols

OTR does not operate in isolation. It serves as the trust infrastructure within the agentic commerce ecosystem: 
                          +-----------+
                          | AI Agent  |
                          +-----+-----+
                                |
                   +------------+------------+
                   |            |            |
             +-----v----+ +----v----+ +----v----+
             |   UCP    | |   ACP   | |   MCP   |
             | Product  | | Orders  | |  Tool   |
             | Discovery| | Payment | | Connect |
             +-----+----+ +----+----+ +----+----+
                   |            |            |
                   +------------+------------+
                                |
                         +------v------+
                         |    OTR      |
                         | Trust Score |
                         +-------------+
  • OTR and UCP: Before an AI agent browses products via UCP, it checks the merchant’s OTR trust score. Low-scoring merchants may have their products deprioritized.
  • OTR and ACP: Before an AI agent places an order on behalf of a consumer, the OTR trust badge is one of the inputs to its risk assessment.
  • OTR and MCP: ORBEXA provides an OTR MCP Server so AI assistants can directly call the verify_domain tool to look up trust scores.

2.4 Site-Type Adaptation

Not all websites are e-commerce stores. OTR automatically adjusts scoring weights based on site type:
Site TypeD-Dimension WeightF-Dimension WeightTypical Characteristics
ecommerceHighHighHas products, shopping cart, payment
saasMediumLowSoftware service, subscription model
authorizedVariesVariesMerchant has authorized deep verification
Classification is performed automatically by the fingerprint engine, based on the site’s technology stack, page structure, and functional features.
Next Chapter: V/S Dimensions — Verification and Security Signals — 13 verification signals + 15 security signals