Marketplace
Connector marketplace
The Attesto Marketplace at https://marketplace.attesto.eu
is the public catalog for validated evidence producers. Public
visitors can browse connector cards. Tenant acquisition, installation,
update, revoke, and artifact download require an authenticated
dashboard tenant session. Publisher signup, publisher profile
management, and connector submission use a separate marketplace-only
developer account. Attesto review and publication are private internal
processes and are not exposed to public visitors or marketplace
developers.
Marketplace model
A marketplace item is a validated connector asset. The catalog stores the asset metadata, current version, manifest hash, artifact hash, validation result, entitlement state, install state, and marketplace evidence events. The marketplace does not run connector code in the browser and does not expose connector secrets.
| Object | Meaning |
|---|---|
| asset | A connector listing such as GitHub, GitLab, or S3/R2 object commitments. |
| version | A validated connector manifest with manifest and artifact hashes. |
| entitlement | The tenant's right to download or install a version. |
| install | A tenant-scoped installation record for the selected version. |
| evidence event | A canonical marketplace receipt for acquisition, installation, submission, or validation. |
Browse the public catalog
The public catalog exposes only validated public assets. It is safe to browse without a tenant session:
GET https://marketplace.attesto.eu/v1/marketplace/categories
GET https://marketplace.attesto.eu/v1/marketplace/items?category=devops
GET https://marketplace.attesto.eu/v1/marketplace/items/attesto-github-repository-reference
Every card shows the evidence score, validation state, supported languages, category, current version, and documentation link. Public visitors see a sign-in action instead of acquire/install/download commands.
The Evidence Score is not a marketing rating. It is a deterministic
output of attesto-marketplace-validation-v1: the same
manifest, source reference, and validator version produce the same
score. The score is the sum of explicit criteria for receipts,
offline verification, secret scanning, dependency scanning, witness
compatibility, documentation, repository reference, Proofstream
capability, source reference, and supported Attesto languages. The
validation report stores formula, criteria,
components, total, and max so
operators and publishers can reproduce why a connector received its
tier.
Tenant acquisition and install lifecycle
Tenant users with owner, admin, or developer role can acquire and
install a free first-party connector. The browser must hold the
tenant session cookie and readable CSRF token. Production cookies are
scoped to .attesto.eu so a session created on
dashboard.attesto.eu also works on
marketplace.attesto.eu.
POST /v1/marketplace/items/attesto-github-repository-reference/acquire
X-CSRF-Token: <attesto_csrf cookie>
POST /v1/marketplace/items/attesto-github-repository-reference/install
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>
{
"configRef": "tenant-managed-github-installation"
}
Installed free assets can be updated to the current validated version or revoked by an owner/admin. Revoke deactivates both the entitlement and the tenant install; artifact download fails until the tenant acquires and installs the asset again.
POST /v1/marketplace/items/attesto-github-repository-reference/install/update
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>
{
"configRef": "tenant-managed-github-installation-v2"
}
POST /v1/marketplace/items/attesto-github-repository-reference/revoke
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>
{
"reason": "tenant_request"
}
The artifact endpoint returns the connector manifest only after the tenant has an active entitlement:
GET /v1/marketplace/items/attesto-github-repository-reference/artifact
Connector manifest
A manifest describes the connector without including secrets. It is the single object that the Python, TypeScript, Go, and CLI connector kits, the backend validator, and the marketplace all validate against the same contract.
{
"schemaVersion": "attesto.connector.v2",
"slug": "attesto-github-repository-reference",
"name": "GitHub Repository Reference",
"version": "1.0.0",
"assetType": "connector",
"category": "devops",
"summary": "Creates Proofstream references for repository changes.",
"description": "Records repository change references as verifiable Attesto events.",
"publisher": {
"slug": "attesto",
"name": "Attesto"
},
"repository": {
"url": "https://git.example.com/attesto/connectors/github"
},
"documentation": {
"url": "https://docs.attesto.eu/manuals/connectors.html#github"
},
"capabilities": ["proofstream", "offline-verification"],
"evidence": {
"receipts": true,
"offlineVerification": true,
"witnessCompatible": true
},
"security": {
"secretScan": true,
"dependencyScan": true
},
"supportedLanguages": ["en", "nl", "de", "fr", "es", "pl", "it"],
"provider": {
"id": "github",
"name": "GitHub",
"websiteUrl": "https://github.com"
},
"auth": {
"mode": "signed-webhook",
"scopes": ["repo", "push-events"]
},
"sync": {
"modes": ["webhook"],
"supportsReplay": true,
"rateLimitPolicy": "provider-default"
},
"eventTypes": ["repository.push", "repository.merge_request"],
"sourceTime": {
"required": true,
"timezonePolicy": "source-offset-required"
},
"configSchema": { "type": "object", "properties": {} },
"secretSchema": { "type": "object", "properties": {} },
"diagnostics": {
"providerAuthStatus": true,
"testConnection": true,
"syncLag": true,
"replayConflictCheck": true,
"revocationCheck": true
},
"runtime": {
"officialConnectorKit": true,
"sdkSurfaces": ["python", "typescript", "go", "cli"],
"requiredMethods": [
"metadata",
"validateConfig",
"testConnection",
"sync",
"handleWebhook",
"emitProofstreamEvent",
"diagnostics",
"revoke"
],
"canary": {
"status": "green",
"ref": "release/attesto-2.0-connector-assurance-readiness/result.json"
}
},
"installRequirements": {
"tenantLoginRequired": true,
"entitlementRequired": true
},
"changelog": [
{
"version": "1.0.0",
"date": "2026-06-09",
"changes": ["Validated first-party connector release."]
}
]
}
Required fields are checked before an asset can be accepted. The backend validator fails any asset whose Evidence Score is below 50 and keeps it hidden; Attesto may still apply a stricter private release policy for first-party or partner connectors. A score is evidence-derived validation output, not an adoption badge or marketing judgment.
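The deterministic scoring described above (same manifest, source reference and validator version give the same report, and anything under 50 fails), worked through in Python. This is an added example, not Attesto's validator: the page names the ten criteria but not their weights, so the 10-points-each weighting, the `https://` checks and the `passed` flag are assumptions; the manifest is a trimmed copy of the page's GitHub connector manifest.

```python
import hashlib
import json

# Constructed sample: a trimmed copy of the page's GitHub connector manifest.
MANIFEST = {
    "schemaVersion": "attesto.connector.v2",
    "slug": "attesto-github-repository-reference",
    "version": "1.0.0",
    "repository": {"url": "https://git.example.com/attesto/connectors/github"},
    "documentation": {"url": "https://docs.attesto.eu/manuals/connectors.html#github"},
    "capabilities": ["proofstream", "offline-verification"],
    "evidence": {"receipts": True, "offlineVerification": True, "witnessCompatible": True},
    "security": {"secretScan": True, "dependencyScan": True},
    "supportedLanguages": ["en", "nl", "de", "fr", "es", "pl", "it"],
}

# Assumed weights (10 points each): the page lists these ten criteria but not the real
# attesto-marketplace-validation-v1 weights. Every check is a pure function of
# (manifest, source_ref), which is what makes the score reproducible.
CRITERIA = {
    "receipts": lambda m, s: m.get("evidence", {}).get("receipts") is True,
    "offlineVerification": lambda m, s: m.get("evidence", {}).get("offlineVerification") is True,
    "secretScan": lambda m, s: m.get("security", {}).get("secretScan") is True,
    "dependencyScan": lambda m, s: m.get("security", {}).get("dependencyScan") is True,
    "witnessCompatible": lambda m, s: m.get("evidence", {}).get("witnessCompatible") is True,
    "documentation": lambda m, s: m.get("documentation", {}).get("url", "").startswith("https://"),
    "repositoryReference": lambda m, s: m.get("repository", {}).get("url", "").startswith("https://"),
    "proofstreamCapability": lambda m, s: "proofstream" in m.get("capabilities", []),
    "sourceReference": lambda m, s: s.startswith("https://"),
    "supportedLanguages": lambda m, s: len(m.get("supportedLanguages", [])) > 0,
}
WEIGHT = 10
PASS_THRESHOLD = 50  # page: the backend validator fails assets scoring below 50

def manifest_hash(manifest):
    """SHA-256 of the canonical JSON form, so key order never changes the hash."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def validation_report(manifest, source_ref):
    """Deterministic report carrying the fields the page says are stored."""
    components = {name: (WEIGHT if check(manifest, source_ref) else 0)
                  for name, check in CRITERIA.items()}
    total = sum(components.values())
    return {
        "validator": "attesto-marketplace-validation-v1",
        "manifestHash": manifest_hash(manifest),
        "formula": f"total = sum(components); pass if total >= {PASS_THRESHOLD}",
        "criteria": list(CRITERIA),
        "components": components,
        "total": total,
        "max": WEIGHT * len(CRITERIA),
        "passed": total >= PASS_THRESHOLD,
    }
```

Running the report twice on the same input yields identical output, and a publisher can read `components` to see exactly which criterion cost points.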
Marketplace CLI publishing flow
Publisher automation can use the Attesto CLI for the same manifest contract as the backend and connector kits. The CLI validates the manifest locally before it sends anything to Attesto. Submission uses a marketplace publisher bearer token. Public documentation covers the publisher path only; Attesto review and publication remain private internal processes. The publisher commands never print stored tokens, Stripe identifiers, connector secrets, or raw customer payloads.
attesto --json marketplace init \
--output attesto.connector.json \
--slug acme-risk-connector \
--name "ACME Risk Connector" \
--version 1.0.0 \
--category ai-governance \
--summary "Produces Attesto evidence for ACME risk decisions." \
--description "Produces verifiable Proofstream events for ACME risk decisions." \
--publisher-slug acme \
--publisher-name ACME \
--repository-url https://git.example.com/acme/risk-connector \
--docs-url https://docs.example.com/acme/risk-connector \
--provider-url https://example.com/acme \
--auth-mode oauth2 \
--auth-scopes risk.read,risk.events \
--sync-modes polling,webhook \
--event-types risk.decision.created,risk.decision.updated \
--canary-ref release/acme-risk-connector/canary-result.json \
--capabilities proofstream,offline-verification
attesto --json marketplace validate \
--manifest-file attesto.connector.json
attesto --json --token-env ATTESTO_MARKETPLACE_TOKEN marketplace submit \
--manifest-file attesto.connector.json \
--source-ref https://git.example.com/acme/risk-connector/releases/v1.0.0 \
--visibility public \
--pricing-model free
After submission, the asset remains private pending Attesto review. Attesto reviews validation evidence, source reference, publisher identity, pricing, and release provenance privately. Public docs intentionally stop at the developer submission boundary.
Publisher validation
Marketplace developer accounts are marketplace-only. They can sign up
and sign in on marketplace.attesto.eu, manage a publisher
profile, choose a developer tier, submit free connector assets for
private Attesto review, and start the real developer billing flow for
paid publishing. They cannot sign in to
dashboard.attesto.eu; normal tenant users still need a
normal Attesto tenant account for the dashboard.
POST /v1/marketplace/auth/signup
Content-Type: application/json
{
"displayName": "ACME Evidence Labs",
"name": "Publisher Operator",
"email": "publisher@example.com",
"password": "<operator-chosen password>"
}
POST /v1/marketplace/auth/login
Content-Type: application/json
{
"email": "publisher@example.com",
"password": "<operator-chosen password>"
}
GET /v1/marketplace/auth/me
Creating or updating a publisher profile records marketplace evidence before assets are submitted. A profile alone never publishes an asset: free submissions are private pending review, and paid submissions require an active paid developer tier plus Stripe Connect readiness. This prevents the public marketplace from becoming an open upload surface.
POST /v1/marketplace/publisher/profile
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>
{
"displayName": "Attesto Official Connector Team"
}
GET /v1/marketplace/publisher/profile
PATCH /v1/marketplace/publisher/profile
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>
{
"displayName": "Attesto Business Connectors"
}
Developer publisher rights are upgraded in place. The publisher keeps the same marketplace-only account and publisher profile. Community developers can submit free assets for private review. Verified Developer, Professional Publisher, and Marketplace Partner plans use a 14-day Stripe trial and unlock paid connector submission only after Stripe confirms the subscription. Paid listing publication additionally requires Stripe Connect payout readiness. The checkout and portal URLs are created server-side through the encrypted Stripe integration store.
GET /v1/marketplace/developer-tiers
[
{
"tier": "community",
"label": "Free Developer",
"monthlyCents": 0,
"annualCents": 0,
"currency": "EUR",
"checkoutRequired": false,
"submissionEnabledWhenActive": false,
"description": "Marketplace-only developer identity for profile management, manifest preparation, documentation review, and free connector submission into private Attesto review.",
"requirements": [
"marketplace publisher profile",
"private Attesto review before public listing",
"paid developer publisher tier before paid connector submission"
],
"trialDays": 0
},
{
"tier": "premium",
"label": "Verified Developer",
"monthlyCents": 1900,
"annualCents": 19000,
"currency": "EUR",
"checkoutRequired": true,
"submissionEnabledWhenActive": true,
"description": "Paid developer publishing tier with a 14-day Stripe trial.",
"requirements": [
"active developer subscription",
"connector validation passes",
"private Attesto review before public listing"
],
"trialDays": 14
}
]
GET /v1/marketplace/publisher/billing-state
{
"publisher": {
"tier": "premium",
"developerSubscriptionState": "active",
"payoutState": "ready",
"commercialEnabled": true
},
"checkoutAvailable": true,
"billingPortalAvailable": true,
"canSubmitAssets": true,
"developerSignupRequired": false,
"supportedTiers": [
{"tier": "premium", "label": "Verified Developer", "monthlyCents": 1900, "annualCents": 19000, "currency": "EUR"},
{"tier": "professional", "label": "Professional Publisher", "monthlyCents": 4900, "annualCents": 49000, "currency": "EUR"},
{"tier": "partner", "label": "Marketplace Partner", "monthlyCents": 9900, "annualCents": 99000, "currency": "EUR"}
],
"submissionRequirements": [],
"commercialRequirements": [
"active developer subscription",
"Stripe Connect payout readiness"
],
"gracePeriodDays": 14
}
POST /v1/marketplace/publisher/upgrade
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>
{
"tier": "premium",
"interval": "month",
"successUrl": "https://marketplace.attesto.eu/?publisher=upgrade-success",
"cancelUrl": "https://marketplace.attesto.eu/?publisher=upgrade-cancel"
}
POST /v1/marketplace/publisher/billing-portal
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>
{
"returnUrl": "https://marketplace.attesto.eu/?publisher=billing-return"
}
Publishers that want to sell paid assets must complete Stripe Connect payout onboarding after the developer account is active. The API uses Attesto's server-side encrypted Stripe configuration and returns only a Stripe-hosted onboarding URL. It does not return Stripe secret keys, connected-account IDs, or payout credentials to the frontend.
POST /v1/marketplace/publisher/payout/onboarding
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>
{
"returnUrl": "https://marketplace.attesto.eu/?publisher=payout-return",
"refreshUrl": "https://marketplace.attesto.eu/?publisher=payout-refresh",
"country": "NL"
}
POST /v1/marketplace/publisher/payout/status
Paid connector acquisition uses Stripe Checkout with Stripe Connect. The backend creates the Checkout Session, applies the Attesto application fee, routes the developer share to the connected account, and waits for the verified Stripe webhook before creating the tenant entitlement and marketplace ledger entry.
POST /v1/marketplace/items/{slug}/acquire
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>
{
"successUrl": "https://marketplace.attesto.eu/?marketplace=checkout-success",
"cancelUrl": "https://marketplace.attesto.eu/?marketplace=checkout-cancel"
}
Webhook result:
marketplace_purchase_created
marketplace_entitlement_created
marketplace_revenue_split_recorded
Stripe refund and payout notifications are also processed through the verified webhook endpoint. A full refund closes the entitlement, revokes active installs for the connector, blocks artifact download, and records the refund and entitlement-revocation evidence. Payout events reconcile eligible publisher ledger entries and record payout evidence without exposing Stripe object identifiers or provider payloads to the browser.
Webhook result for full refund:
marketplace_refund_recorded
marketplace_entitlement_revoked
Webhook result for payout:
developer_payout_completed
Webhook result for failed payout/refund:
developer_payout_failed
marketplace_refund_failed
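The entitlement lifecycle from the tenant section and the webhook section above (entitlement only after a verified webhook, refund or revoke closing both entitlement and install, artifact download gated on an active entitlement), as an added in-memory model rather than Attesto's code. The event labels are the ones the page lists; the `outcome` values `purchase_completed` and `full_refund` stand in for an already-classified Stripe result and are assumptions.

```python
from dataclasses import dataclass, field

# Event labels taken from the page's webhook result lists.
PURCHASE_EVENTS = ["marketplace_purchase_created", "marketplace_entitlement_created",
                   "marketplace_revenue_split_recorded"]
REFUND_EVENTS = ["marketplace_refund_recorded", "marketplace_entitlement_revoked"]

@dataclass
class TenantAssetState:
    entitlement_active: bool = False
    install_active: bool = False
    config_ref: str = ""

@dataclass
class MarketplaceLedger:
    states: dict = field(default_factory=dict)    # (tenant, slug) -> TenantAssetState
    evidence: list = field(default_factory=list)  # marketplace evidence events, in order

    def _state(self, tenant, slug):
        return self.states.setdefault((tenant, slug), TenantAssetState())

    def _record(self, events, tenant, slug):
        self.evidence.extend({"event": e, "tenant": tenant, "slug": slug} for e in events)

    def install(self, tenant, slug, config_ref):
        s = self._state(tenant, slug)
        if not s.entitlement_active:
            raise PermissionError("install requires an active entitlement")
        s.install_active, s.config_ref = True, config_ref

    def revoke(self, tenant, slug):
        # Tenant revoke deactivates both the entitlement and the install.
        s = self._state(tenant, slug)
        s.entitlement_active = s.install_active = False
        self._record(["marketplace_entitlement_revoked"], tenant, slug)

    def artifact_allowed(self, tenant, slug):
        # Artifact download needs an active entitlement; no record at all means no access.
        s = self.states.get((tenant, slug))
        return bool(s and s.entitlement_active)

    def handle_stripe_webhook(self, outcome, tenant, slug, signature_verified):
        """outcome is the already-classified Stripe result (assumed labels)."""
        if not signature_verified:
            return False  # fail closed: an unverified webhook changes nothing and writes no evidence
        if outcome == "purchase_completed":
            self._state(tenant, slug).entitlement_active = True
            self._record(PURCHASE_EVENTS, tenant, slug)
        elif outcome == "full_refund":
            s = self._state(tenant, slug)
            s.entitlement_active = s.install_active = False
            self._record(REFUND_EVENTS, tenant, slug)
        else:
            return False  # unknown outcome: ignore rather than guess
        return True
```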
Active developer publishers can then submit business connectors
through the marketplace publisher surface. The submit action validates
the manifest, records a validation run, creates a private
pending-review asset, stores the version hashes, and records
marketplace evidence. Even when visibility is requested
as public, the listing remains hidden until private
Attesto review and publication policy are complete. Unqualified tenants
receive a fail-closed response before manifest validation runs.
POST /v1/marketplace/publisher/assets
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>
{
"sourceRef": "https://example.com/repository/connector-release",
"visibility": "private",
"pricingModel": "free",
"manifest": { "...": "attesto.connector.v2 manifest" }
}
Attesto review and publication are private internal processes. They write marketplace evidence, but the internal endpoints and procedures are not part of the public developer documentation. The public catalog only returns approved, non-revoked versions.
The source reference must point to the real release source for the connector. Secrets, private keys, API tokens, and customer payloads must never be placed in connector manifests.
Marketplace evidence events
Marketplace publisher profile create/update, acquisition, install, install update, entitlement revoke, paid purchase, refund, payout, publisher submission, and validation/review actions write canonical marketplace evidence. The receipt hash is derived from the canonical evidence envelope and payload hash; the receipt record stores the tenant, actor, subject, timestamp, and sanitized payload for tenant audit views. This gives operators a deterministic audit trail for who changed publisher identity and who acquired, installed, updated, reviewed, published, refunded, paid out, or revoked which connector version.
GET /v1/marketplace/evidence/<receipt-id-or-receipt-hash>
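How a receipt hash can bind the evidence envelope (tenant, actor, subject, timestamp) to a payload hash so that a tenant can recompute it from the stored record, as an added example and not Attesto's receipt format. Assumptions: the payload hash is taken over the sanitized payload (so the stored record is self-verifying), the redaction denylist is illustrative, and the event label in the sample is made up.

```python
import hashlib
import json

# Assumed redaction list: the page says payloads are stored sanitized but does not
# list the fields, so this denylist is illustrative.
SENSITIVE_KEYS = {"password", "token", "secret", "apiKey", "stripeCustomerId", "rawPayload"}

def canonical_bytes(obj):
    """Sorted keys and no whitespace, so equal content always hashes equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def sanitize(payload):
    """Drop sensitive keys recursively; the result is what tenant audit views may show."""
    if isinstance(payload, dict):
        return {k: sanitize(v) for k, v in payload.items() if k not in SENSITIVE_KEYS}
    if isinstance(payload, list):
        return [sanitize(v) for v in payload]
    return payload

def make_receipt(event, tenant, actor, subject, timestamp, payload):
    """Envelope + payload hash -> receipt hash (assumed layout, not Attesto's)."""
    clean = sanitize(payload)
    payload_hash = hashlib.sha256(canonical_bytes(clean)).hexdigest()
    envelope = {"event": event, "tenant": tenant, "actor": actor,
                "subject": subject, "timestamp": timestamp, "payloadHash": payload_hash}
    receipt_hash = hashlib.sha256(canonical_bytes(envelope)).hexdigest()
    return {"receiptHash": receipt_hash, "envelope": envelope, "payload": clean}

def verify_receipt(record):
    """Recompute both hashes from the stored record; any edit to envelope or payload fails."""
    recomputed_payload = hashlib.sha256(canonical_bytes(record["payload"])).hexdigest()
    if record["envelope"]["payloadHash"] != recomputed_payload:
        return False
    return hashlib.sha256(canonical_bytes(record["envelope"])).hexdigest() == record["receiptHash"]

# Constructed sample: a publisher profile update, with a secret that must never reach the record.
SAMPLE = make_receipt(
    event="marketplace_publisher_profile_updated",  # illustrative label, not from the page
    tenant="tenant-demo", actor="publisher@example.com",
    subject="publisher:acme", timestamp="2026-06-09T10:00:00Z",
    payload={"displayName": "Attesto Business Connectors", "token": "REDACT-ME"},
)
```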
Security boundaries
- Public catalog browsing is unauthenticated and read-only.
- Tenant acquire, install, artifact download, install update, and tenant revoke actions require dashboard tenant auth and CSRF.
- Marketplace asset submission, publisher profile changes, developer-tier checkout, billing portal access, and payout onboarding require marketplace-only developer auth and CSRF.
- Free marketplace developer accounts can submit free assets for private review; paid assets require an active paid developer tier and Stripe Connect readiness.
- Public listing review, publication, and marketplace asset withdrawal are private Attesto processes and are not public marketplace or developer APIs.
- Connector manifests are metadata only; they must not contain secrets or raw customer payloads.
- The frontend only receives public catalog data and non-secret build metadata.
- Production bundles must not include source maps, source files, test fixtures, credentials, or API keys.
- Marketplace evidence supports auditability; it does not certify third-party legal compliance by itself.
