What Ontario does not check (limitations).
Ontario reports are designed to reduce blind spend by publishing observable, reproducible readiness evidence for x402 flows. They are not a certification of safety, legality, or service quality. This page makes the boundary explicit so agents and humans use Ontario correctly.
For the positive scope, see what Ontario checks and the Ontario x402 Trust Standard.
Ontario does not audit your code or infrastructure
No vulnerability audit
Ontario does not perform a full security review of application code, dependencies, configs, or cloud setup.
No data-privacy guarantee
Ontario does not verify how services store, share, or retain user data beyond what is observable in a scan.
No auth / permission validation
Ontario does not prove that private endpoints enforce correct authorization, rate limits, or abuse controls.
No continuous penetration testing
Reports are point-in-time. Ontario does not guarantee an endpoint remains safe or unchanged after verification.
Ontario does not verify business, identity, or partnerships
- No KYC / legal entity verification for service operators.
- No claim of partnerships, endorsements, or ecosystem listings beyond public evidence.
- No verification of “activity”, “traction”, or “certifications” unless directly linked as evidence in a report.
Ontario does not guarantee outcomes, correctness, or uptime
- No guarantee the endpoint returns correct answers or meets any domain-specific quality bar.
- No guarantee of latency, availability, or SLA adherence beyond what is measurable during the scan.
- No guarantee that a payment will lead to a successful response (e.g., paid-but-denied edge cases).
How agents should use Ontario safely
Treat Ontario as one input to your payment policy. A conservative default is:
- Require a recent, integrity-valid report before auto-paying unknown endpoints.
- Review warnings and recommendations; re-run verification after fixes or deployments.
- Use spend caps, sandboxing, and allow/deny lists for higher-risk actions.
- Prefer multiple reports over time for endpoints you intend to rely on.
curl https://ontarioprotocol.com/.well-known/x402-trust.json
curl https://ontarioprotocol.com/api/verify/reports
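The conservative default listed above, sketched as a payment-policy gate. This is an added example, not Ontario's code. The Report fields, the limits in Policy and the example.test endpoints are assumptions, since the real report schema is not shown on this page; integrity_ok stands for the result of whatever integrity check the report format defines, performed by the caller.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Report:  # hypothetical shape, NOT Ontario's report schema
    endpoint: str
    verified_at: datetime
    integrity_ok: bool  # outcome of the report's integrity check, run by the caller
    warnings: list = field(default_factory=list)

@dataclass
class Policy:  # all limits are assumed values; tune per deployment
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()
    max_age: timedelta = timedelta(days=7)
    min_reports: int = 2
    per_call_cap_cents: int = 50
    daily_cap_cents: int = 500

def decide(endpoint, cents, spent_today, reports, policy, now):
    """Return (decision, reason); decision is 'pay', 'review' or 'deny'."""
    if endpoint in policy.deny:
        return "deny", "endpoint on deny list"
    if cents > policy.per_call_cap_cents:
        return "deny", "per-call spend cap exceeded"
    if spent_today + cents > policy.daily_cap_cents:
        return "deny", "daily spend cap exceeded"
    if endpoint in policy.allow:
        return "pay", "endpoint on allow list"
    # Unknown endpoint: require a recent, integrity-valid report.
    valid = [r for r in reports if r.endpoint == endpoint and r.integrity_ok]
    if not valid:
        return "deny", "no integrity-valid report"
    latest = max(valid, key=lambda r: r.verified_at)
    if now - latest.verified_at > policy.max_age:
        return "deny", "latest report is stale"
    if latest.warnings:
        return "review", "latest report carries warnings"
    if len(valid) < policy.min_reports:
        return "review", "too few reports over time"
    return "pay", "recent integrity-valid reports, no warnings"

# Constructed sample data (not real scan output).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Report("https://api.example.test/a", NOW - timedelta(days=1), True),
    Report("https://api.example.test/a", NOW - timedelta(days=20), True),
    Report("https://api.example.test/b", NOW - timedelta(days=30), True),
    Report("https://api.example.test/c", NOW - timedelta(hours=2), False),
]
```

A "pay" decision only clears the readiness gate; per the limitations above it says nothing about answer correctness or whether a paid call will succeed.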