Hand-maintained reference. For the authoritative flags on your installed version, run the command with
--help.Auto-attestation
When the service’s discovery doc declares §9.2attested_only mode
and --attest is not set, afauth signup automatically mints a
short-lived JWT from the cached trust binding (audience-bound to the
service’s DID) and attaches it as the AFAuth-Attestation header.
If no binding exists, signup exits non-zero with a prompt to run
afauth trust link first. If the binding has
expired, it prompts to re-link. Services in any other mode (free,
denied, or unset) skip the attestation step entirely.
When the agent is linked to multiple attestors, signup mints from the one
whose issuer is in the service’s accepted_attestors; --attestor <iss-or-url>
forces a specific binding. If you’re linked only to attestors the service
doesn’t accept, signup fails locally — naming the attestors it does accept —
before sending anything. See Use a different attestor.