← trust.afauth.org

For service developers

Accept afauth-trust tokens so agents can prove a real human is behind them — with no PII for you to store. Wire surface specified in AFAP-0006.

Verify tokens

Accept afauth-trust tokens with the bundled verifier from @afauthhq/server:

import { Server, trustAttestor } from '@afauthhq/server';

new Server({
  attestor: trustAttestor(),
  acceptedAttestors: ['afauth-trust'],
});

Token claims

Claim Value
issAlways "afauth-trust".
audDestination service_did. Reject mismatches.
subThe agent's account DID.
sub_hPairwise human pseudonym. Stable per (iss, sub_h, aud), opaque base64url. Use as a per-service handle for the human behind the agent.
verification"email", "oauth", or "payment". Ignore unknown values.
iatIssued-at, Unix seconds.
expAt most 900 seconds after iat.

JWKS endpoint

Tokens verify offline against the published keys:

https://trust.afauth.org/.well-known/jwks.json

Cached 300 seconds. No runtime call to this service during request handling.

Rate limits

Endpoint Limit
POST /v1/link/start30 / minute per IP
POST /v1/link/poll60 / minute per IP
POST /v1/token60 / minute per IP, 1000 / day per binding

Source at github.com/AFAuthHQ/trust.