Nolixan

Agent identity & JIT credentials

Give each agent its own DID identity, mint short-lived just-in-time credentials, discover shadow agents, and attach a signed capability contract.

When several agents share one API key, you can't tell them apart in the audit log. Agent identities fix that: each agent gets a DID (did:nolixan:…) and its own keypair, so every action is attributed to a specific agent — and you can issue it just-in-time, short-lived credentials instead of standing access.

Register an agent

curl -X POST https://your-host/api/v1/agents/ \
  -H "Authorization: Bearer <JWT>" -H "Environment-Id: 1" \
  -H "Content-Type: application/json" \
  -d '{ "name": "billing-agent", "capabilities": ["stripe/*"] }'
# → { "did": "did:nolixan:…", "private_key": "…" }  ← shown ONCE

The private key is returned once — store it securely. The agent's actions are then attributed to its DID.

MethodPathPurpose
GET/agents/List agent identities
POST/agents/Register an agent (generates DID + keypair)
POST/agents/{agent_id}/rotateRotate the keypair (same DID, new key)
POST/agents/{agent_id}/revokeRevoke the agent (kills all its JIT credentials)

Writes require the canManageAgents permission.

JIT short-lived credentials

Instead of a long-lived key, mint a credential scoped to a task and a short TTL (≤ 1 hour). It expires on its own — no standing access to leak.

curl -X POST https://your-host/api/v1/agents/{agent_id}/credentials \
  -H "Authorization: Bearer <JWT>" \
  -H "Content-Type: application/json" \
  -d '{ "environment_id": 1, "scope": ["stripe/create-refund"], "ttl_seconds": 900 }'
# → { "token": "…", "scope": [...], "expires_at": "…", "agent_did": "did:nolixan:…" }
MethodPathPurpose
POST/agents/{agent_id}/credentialsMint a JIT credential (ttl_seconds default 900)
POST/agents/{agent_id}/credentials/revoke-allRevoke every JIT credential for the agent

Shadow-agent discovery

Find actors taking actions in an environment that aren't registered — risk-ranked from the audit trail:

curl "https://your-host/api/v1/agents/shadow?environment_id=1&window_hours=168" \
  -H "Authorization: Bearer <JWT>"

Related read-only feeds: /agents/decision-feed (live allow/deny/escalate stream) and /agents/scope-drift (OAuth scope-drift findings).

Capability contract (signed authority)

Each agent has a signed capability contract — the precise set of providers/actions it's authorized for, versioned and diffable like "git for authority":

MethodPathPurpose
GET/agents/{agent_id}/capability-contractCurrent signed contract
GET/agents/{agent_id}/capability-contract/versionsAll versions
GET/agents/{agent_id}/capability-contract/diff?from=&to=Diff two versions

Each contract is Ed25519-signed (signer_public_key, content_hash) so you can prove what an agent was authorized to do at any point in time.

On this page