
How do per-agent trust scores work?

Every API key builds up a track record: how often its calls get allowed versus blocked, and how many behavioral anomalies it's triggered. Enforgate turns that history into a single 0-100 trust score per key, so you can spot a key that's drifting from its normal pattern at a glance.

How the score is computed

Each key starts at a neutral 50. As calls accumulate, the score blends that neutral prior with the key's actual allow rate: at 0 calls the prior fully dominates, and by 50 calls the real behavior fully dominates the prior. A key that's allowed every time trends toward 100; one that's mostly blocked trends toward 0.

Each detected behavioral anomaly (see checkBaseline in the OWASP Agentic AI Top 10 coverage) subtracts 5 points from the result, capped at a 25-point penalty, so a handful of anomalies can't erase an otherwise long, clean history outright.

What counts as allowed or blocked

The score updates after every audited call, fire-and-forget, so it never adds latency to the call itself. What counts toward each side:

  • Counts as allowed: a plain allow verdict, a temp-allow or standing-grant auto-resolution, and a require_approval call that a human later approves. Once a held call is approved, it's good behavior, the same as if it had been allowed outright.
  • Counts as blocked: a deny verdict, and a require_approval call that ends up denied or times out unresolved.

Where you see it

On /dashboard/keys, each key with at least 3 calls shows a colored chip: trusted (score 80 and up), neutral (50-79), or risky (below 50). A key with fewer than 3 calls shows no chip yet, rather than labeling a brand-new key off a single data point.

Trust scores are informational only. They don't feed back into the policy engine, gate any plan feature, or change a verdict for future calls. The score is a signal for a human reviewing a key, not an enforcement mechanism, and it's available on every plan.

Reading the number

It's a lifetime running average, not a recent-activity window: a key with thousands of past calls and a brief bad streak today won't crater overnight, and a key that misbehaved long ago recovers gradually as clean calls accumulate, not instantly. Because the update runs after the response is already on its way back to the agent, the chip can lag the very latest call by a moment: it's never blocking, just slightly behind.