NCP v0.1 Specification
NCP v0.1 defines a portable JSON trigger for passive AI runtimes. The protocol is deployment-agnostic and can run local-first, private cloud, hosted, or hybrid.
The live validator is exposed at https://ncplabs-web--ncplabs.us-central1.hosted.app/api/ncp/validate. Schema metadata is exposed at https://ncplabs-web--ncplabs.us-central1.hosted.app/api/ncp/schema.
Validation Rules
ncp_version,id, andtimestampare required.typemust besignalortrigger.confidenceandpersonal_relevanceare between 0 and 1.severityandsensitivitymust use allowed values.
Privacy Rule
Sensitive payloads should use context references instead of copying raw data. Avoid storing actual secrets, full private emails, bank details, school messages, legal content, or API keys in NCP events or Firestore.
NCP Auth v0.1
- Receivers must require TLS and authenticate events before parsing or routing.
- NCP-native senders should use
Authorization: Bearer ncp_live_.... - Production senders should sign the raw request body with
X-NCP-SignatureandX-NCP-Timestamp. - Receivers should reject stale timestamps, invalid signatures, inactive tokens, and replayed event IDs.
- Tokens must be scoped, revocable, rotatable, and stored only as hashes by receivers.
- Connection records should expose a user-readable app, source, audience, environment, allowed event types, and last-used time.
{
"ncp_version": "0.1",
"type": "signal | trigger",
"id": "string",
"source": {
"system": "string",
"event_type": "string"
},
"timestamp": "ISO timestamp",
"domain": "string",
"subject": "string",
"summary": "string",
"severity": "critical | high | medium | low | info | opportunity",
"confidence": "0..1",
"sensitivity": "public | internal | private | financial | legal | security | secret | family | health",
"personal_relevance": "0..1 optional",
"context_refs": "references to external context",
"action_contract": "allowed, requires approval, forbidden",
"delivery_policy": "urgency and channels"
}{
"Authorization": "Bearer ncp_live_...",
"X-NCP-Timestamp": "2026-05-31T18:00:00Z",
"X-NCP-Signature": "sha256=base64url(hmac_sha256(token, timestamp + '.' + raw_body))",
"X-NCP-Event-Id": "evt_01H..."
}