
The verdict API

mcp-audit.dev is an API with a website on top. Every page you see here renders the same JSON you can consume. Static, CDN-served, CORS-enabled, no auth, no rate cards.

Endpoints

GET /v1/index.json                        # all packages + schema version
GET /v1/schema.json                       # JSON Schema for the verdict document
GET /v1/verdicts/{ecosystem}/{slug}.json  # one verdict (npm | pypi)
GET /v1/badge/{ecosystem}/{slug}.json     # shields.io endpoint format

Slug convention: @scope/name → at-scope-name, lowercase, _ → -.

Versioning promise

The schema is semver'd (schema_version in every document) and additive-only within /v1 — fields are added, never renamed or removed. Breaking changes mean a /v2.
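A small consumer that applies the slug convention and the versioning promise above, written here as an added example (it is not code from mcp-audit.dev or the mcp-audit project). It uses only the endpoints and the `schema_version` field the page names; the base URL is taken from the page, while the client's supported major (`1`), the sample documents and every key other than `schema_version` are constructed placeholders, not real API output.

```python
import json
import re

BASE_URL = "https://mcp-audit.dev/v1"   # base path of the endpoints listed on the page
ECOSYSTEMS = ("npm", "pypi")            # the two ecosystems the page lists
SUPPORTED_SCHEMA_MAJOR = 1              # assumption: this client was written against schema 1.x


def slugify(package: str) -> str:
    """Apply the page's slug convention: '@scope/name' -> 'at-scope-name',
    lowercase, '_' -> '-'. Any other character is passed through unchanged."""
    name = package.strip()
    if name.startswith("@"):
        name = "at-" + name[1:]
    return name.replace("/", "-").lower().replace("_", "-")


def _check_ecosystem(ecosystem: str) -> None:
    if ecosystem not in ECOSYSTEMS:
        raise ValueError(f"unsupported ecosystem {ecosystem!r}; expected one of {ECOSYSTEMS}")


def verdict_url(ecosystem: str, package: str) -> str:
    """URL of the verdict document for one package."""
    _check_ecosystem(ecosystem)
    return f"{BASE_URL}/verdicts/{ecosystem}/{slugify(package)}.json"


def badge_url(ecosystem: str, package: str) -> str:
    """URL of the shields.io-format badge endpoint for one package."""
    _check_ecosystem(ecosystem)
    return f"{BASE_URL}/badge/{ecosystem}/{slugify(package)}.json"


_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_schema_version(version: str) -> tuple:
    """Split a MAJOR.MINOR.PATCH string into integers; anything else is rejected."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"schema_version {version!r} is not MAJOR.MINOR.PATCH")
    return tuple(int(part) for part in m.groups())


def is_compatible(version: str, supported_major: int = SUPPORTED_SCHEMA_MAJOR) -> bool:
    """Additive-only within a major: a document with the same MAJOR is readable by a
    client written against that major, whatever its MINOR or PATCH; a different
    MAJOR (a /v2 on the page's terms) is not."""
    major, _minor, _patch = parse_schema_version(version)
    return major == supported_major


def load_verdict(raw: str) -> dict:
    """Parse a verdict document and refuse it unless its schema_version is supported.
    Unknown keys are kept rather than rejected, since new fields may appear at any
    time within /v1 and a strict parser would break on the first addition."""
    doc = json.loads(raw)
    version = doc.get("schema_version")
    if not isinstance(version, str):
        raise ValueError("verdict document has no schema_version")
    if not is_compatible(version):
        raise ValueError(f"schema_version {version} is outside supported major {SUPPORTED_SCHEMA_MAJOR}")
    return doc


# Constructed sample documents, not real API output. Only schema_version is a key
# the page names; the remaining keys stand in for fields added later within /v1.
SAMPLE_V1 = json.dumps({"schema_version": "1.3.0", "ecosystem": "npm",
                        "slug": "at-example-mcp-server", "some_newer_field": True})
SAMPLE_V2 = json.dumps({"schema_version": "2.0.0"})

if __name__ == "__main__":
    print(verdict_url("npm", "@Example/MCP_Server"))
    print("accepted schema", load_verdict(SAMPLE_V1)["schema_version"])
    try:
        load_verdict(SAMPLE_V2)
    except ValueError as err:
        print("rejected:", err)
```

The compatibility check compares only the major, which is the right granularity given the promise that fields are only ever added within /v1: a client that pinned the full version string would start failing on the first harmless addition, while one that ignores the version entirely would silently misread a /v2 document.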

Facts, not grades

This site publishes what is verifiable: verification status, CVEs with named sources, declared capabilities, hash-pin availability. No letter grades for packages yet — a package's risk depends on how you deploy it. When that changes, the grade will mean something.

No user data

Verdicts on this site describe public packages. Scanning happens on your machine — mcp-audit uploads nothing, and a plain scan makes zero network calls. This API contains data about public packages only.