Skip to main content
Hand-maintained reference. For the authoritative flags on your installed version, run the command with --help.
# Signed GET (default method)
afauth call https://api.example.com/afauth/v1/accounts/me

# Signed POST with inline body
afauth call --method POST --data '{"x":1}' https://api.example.com/x

# POST with body read from a file (--data accepts @path syntax)
afauth call --method POST --data @body.json https://api.example.com/x

# Repeatable extra headers
afauth call --header 'X-Trace: abc' --header 'X-Tenant: foo' \
            https://api.example.com/x

# Include response headers in output
afauth call --show-headers https://api.example.com/afauth/v1/accounts/me

# Attach an attestation proactively (otherwise auto-minted on a §10.7 challenge)
afauth call --attest "$(afauth trust token did:web:api.example.com)" https://api.example.com/x
Against an attested_only service, afauth call runs the §10.7 refresh-on-challenge loop: on 401 attestation_required it mints a fresh attestation from your trust binding and retries once. A revoked or expired binding surfaces with re-link guidance rather than looping. --attest attaches one up front. See Keep attested access live.