Hand-maintained reference. For the authoritative flags on your installed version, run the command with --help.
afauth trust manages the agent’s binding(s) to a human account at one or more
trust attestors. A binding lets the agent mint
short-lived §10 attestation JWTs so it can sign up to services that require
attestation (attested_only mode). An agent may link to several attestors at
once; signup/token pick the one a given service accepts (its
billing.accepted_attestors), or --attestor chooses explicitly — see
Use a different attestor. Binding state is
stored at ~/.afauth/trust.json (chmod 600).
afauth trust link
Bind this agent to a human-controlled account. Opens a deep link the human
visits in a browser; after they confirm, the binding (its id and expiry) is
recorded locally. There is no bearer token — the agent authenticates future
mints by signing with its account key. The expiry is an inactivity window:
it refreshes on every mint, so an agent in regular use never needs to re-link.
# Link against the default attestor (https://trust.afauth.org).
afauth trust link
# Custom attestor + a label shown on the human's confirm page.
afauth trust link --base https://trust.example.com --label "Atlas (research agent)"
| Flag | Default | Notes |
|---|
--base | https://trust.afauth.org | Trust attestor base URL. |
--label | — | Short label shown on the confirmation page. |
--key | ~/.afauth/key.json | Agent key path. |
--poll | 3 | Seconds between poll attempts (loopback fallback). |
--timeout | 600 | Give up after N seconds. |
--no-loopback | false | Disable the loopback callback shortcut. |
--no-browser | false | Don’t auto-open the browser; just print the link. |
Linking a new base URL adds a binding — an agent can hold several attestors at once. Re-linking the same base refreshes it in place. List them with afauth trust status.
afauth trust token <service-did>
Mint a §10 attestation JWT for a single service, audience-bound to its DID.
Signs the mint request with the agent key (no bearer token); run afauth trust link first.
afauth trust token did:web:api.example.com
# Choose among multiple linked attestors (by issuer or base URL).
afauth trust token --attestor acme-trust did:web:api.example.com
| Flag | Default | Notes |
|---|
--attestor | — | Which linked attestor to mint from (issuer or base URL). Default: the only binding (errors if several are linked). |
--key | ~/.afauth/key.json | Agent key path (must match the linked binding). |
--timeout | 30 | Request timeout in seconds. |
afauth trust status
List every linked binding (attestor identifier, base URL, binding id, expiry).
afauth trust forget
Delete local binding state. By default forgets all bindings; pass
--attestor to drop just one. This does not revoke server-side — to revoke
the binding at the attestor, visit trust.afauth.org/account.
afauth trust forget # forget all bindings
afauth trust forget --attestor acme-trust # forget just one (issuer or base URL)
| Flag | Default | Notes |
|---|
--attestor | — | Forget only this attestor (issuer or base URL). Default: all bindings. |