Skip to main content
Hand-maintained reference. For the authoritative flags on your installed version, run the command with --help.
afauth trust manages the agent’s binding(s) to a human account at one or more trust attestors. A binding lets the agent mint short-lived §10 attestation JWTs so it can sign up to services that require attestation (attested_only mode). An agent may link to several attestors at once; signup/token pick the one a given service accepts (its billing.accepted_attestors), or --attestor chooses explicitly — see Use a different attestor. Binding state is stored at ~/.afauth/trust.json (chmod 600). Bind this agent to a human-controlled account. Opens a deep link the human visits in a browser; after they confirm, the binding (its id and expiry) is recorded locally. There is no bearer token — the agent authenticates future mints by signing with its account key. The expiry is an inactivity window: it refreshes on every mint, so an agent in regular use never needs to re-link.
# Link against the default attestor (https://trust.afauth.org).
afauth trust link

# Custom attestor + a label shown on the human's confirm page.
afauth trust link --base https://trust.example.com --label "Atlas (research agent)"
FlagDefaultNotes
--basehttps://trust.afauth.orgTrust attestor base URL.
--labelShort label shown on the confirmation page.
--key~/.afauth/key.jsonAgent key path.
--poll3Seconds between poll attempts (loopback fallback).
--timeout600Give up after N seconds.
--no-loopbackfalseDisable the loopback callback shortcut.
--no-browserfalseDon’t auto-open the browser; just print the link.
Linking a new base URL adds a binding — an agent can hold several attestors at once. Re-linking the same base refreshes it in place. List them with afauth trust status.

afauth trust token <service-did>

Mint a §10 attestation JWT for a single service, audience-bound to its DID. Signs the mint request with the agent key (no bearer token); run afauth trust link first.
afauth trust token did:web:api.example.com

# Choose among multiple linked attestors (by issuer or base URL).
afauth trust token --attestor acme-trust did:web:api.example.com
FlagDefaultNotes
--attestorWhich linked attestor to mint from (issuer or base URL). Default: the only binding (errors if several are linked).
--key~/.afauth/key.jsonAgent key path (must match the linked binding).
--timeout30Request timeout in seconds.

afauth trust status

List every linked binding (attestor identifier, base URL, binding id, expiry).
afauth trust status

afauth trust forget

Delete local binding state. By default forgets all bindings; pass --attestor to drop just one. This does not revoke server-side — to revoke the binding at the attestor, visit trust.afauth.org/account.
afauth trust forget                       # forget all bindings
afauth trust forget --attestor acme-trust # forget just one (issuer or base URL)
FlagDefaultNotes
--attestorForget only this attestor (issuer or base URL). Default: all bindings.