Skip to main content
Hand-maintained reference. For the authoritative flags on your installed version, run the command with --help.
# Implicit signup (§6.3) — signed GET /accounts/me creates the account.
afauth signup https://api.example.com

# Explicit signup (§6.4) — POST /accounts with a terms-version receipt.
afauth signup --explicit --terms-version 2026-05-01 https://api.example.com

# Override the auto-mint with an explicit attestation JWT (testing).
afauth signup --attest "$JWT" https://api.example.com

# Choose which linked attestor to mint from when several could apply.
afauth signup --attestor acme-trust https://api.example.com

Auto-attestation

When the service’s discovery doc declares §9.2 attested_only mode and --attest is not set, afauth signup automatically mints a short-lived JWT from the cached trust binding (audience-bound to the service’s DID) and attaches it as the AFAuth-Attestation header. If no binding exists, signup exits non-zero with a prompt to run afauth trust link first. If the binding has expired, it prompts to re-link. Services in any other mode (free, denied, or unset) skip the attestation step entirely. When the agent is linked to multiple attestors, signup mints from the one whose issuer is in the service’s accepted_attestors; --attestor <iss-or-url> forces a specific binding. If you’re linked only to attestors the service doesn’t accept, signup fails locally — naming the attestors it does accept — before sending anything. See Use a different attestor.
$ afauth signup https://api.example.com
attested via afauth-trust
signed up to https://api.example.com as did:key:z6Mk… (UNCLAIMED)