For service developers
Accept afauth-trust tokens so agents can prove a real human is
behind them — with no PII for you to store. Wire surface specified in
AFAP-0006.
Verify tokens
Accept afauth-trust tokens with the bundled
verifier from @afauthhq/server:
import { Server, trustAttestor } from '@afauthhq/server';
new Server({
attestor: trustAttestor(),
acceptedAttestors: ['afauth-trust'],
});
Token claims
| Claim | Value |
|---|---|
iss | Always "afauth-trust". |
aud | Destination service_did. Reject mismatches. |
sub | The agent's account DID. |
sub_h | Pairwise human pseudonym. Stable per (iss, sub_h, aud), opaque base64url. Use as a per-service handle for the human behind the agent. |
verification | "email", "oauth", or "payment". Ignore unknown values. |
iat | Issued-at, Unix seconds. |
exp | At most 900 seconds after iat. |
JWKS endpoint
Tokens verify offline against the published keys:
https://trust.afauth.org/.well-known/jwks.json
Cached 300 seconds. No runtime call to this service during request handling.
Rate limits
| Endpoint | Limit |
|---|---|
POST /v1/link/start | 30 / minute per IP |
POST /v1/link/poll | 60 / minute per IP |
POST /v1/token | 60 / minute per IP, 1000 / day per binding |
Source at github.com/AFAuthHQ/trust.