Agent identity & JIT credentials
Give each agent its own DID identity, mint short-lived just-in-time credentials, discover shadow agents, and attach a signed capability contract.
When several agents share one API key, you can't tell them apart in the audit log. Agent identities fix that: each agent gets a DID (did:nolixan:…) and its own keypair, so every action is attributed to a specific agent — and you can issue it just-in-time, short-lived credentials instead of standing access.
Register an agent
The private key is returned once — store it securely. The agent's actions are then attributed to its DID.
| Method | Path | Purpose |
|---|---|---|
GET | /agents/ | List agent identities |
POST | /agents/ | Register an agent (generates DID + keypair) |
POST | /agents/{agent_id}/rotate | Rotate the keypair (same DID, new key) |
POST | /agents/{agent_id}/revoke | Revoke the agent (kills all its JIT credentials) |
Writes require the canManageAgents permission.
JIT short-lived credentials
Instead of a long-lived key, mint a credential scoped to a task and a short TTL (≤ 1 hour). It expires on its own — no standing access to leak.
| Method | Path | Purpose |
|---|---|---|
POST | /agents/{agent_id}/credentials | Mint a JIT credential (ttl_seconds default 900) |
POST | /agents/{agent_id}/credentials/revoke-all | Revoke every JIT credential for the agent |
Shadow-agent discovery
Find actors taking actions in an environment that aren't registered — risk-ranked from the audit trail:
Related read-only feeds: /agents/decision-feed (live allow/deny/escalate stream) and /agents/scope-drift (OAuth scope-drift findings).
Capability contract (signed authority)
Each agent has a signed capability contract — the precise set of providers/actions it's authorized for, versioned and diffable like "git for authority":
| Method | Path | Purpose |
|---|---|---|
GET | /agents/{agent_id}/capability-contract | Current signed contract |
GET | /agents/{agent_id}/capability-contract/versions | All versions |
GET | /agents/{agent_id}/capability-contract/diff?from=&to= | Diff two versions |
Each contract is Ed25519-signed (signer_public_key, content_hash) so you can prove what an agent was authorized to do at any point in time.