Pre-claim (unclaimed) accounts have no owner to recover through — re-create the account with a fresh key. See Rotate keys.
Order matters
Recovery spans two layers that share no transaction — the attestor (stops new attestations) and each service (holds its own revocation list and account state); these are the global and local levers of the revocation model. You are the sequencer, and two asymmetries make the order load-bearing:- Per-binding revoke is permanent; whole-account pause is reversible. Resuming a paused account restores minting for every binding you didn’t separately revoke — so a careless pause-then-resume silently re-arms the stolen key.
- A re-key produces a new DID with no attestor binding. Re-keying restores the agent at your services, but can’t reach
attested_onlyservices until you re-link the new key at the attestor.
- Revoke the compromised binding at the attestor — permanent.
- Revoke the key at each service that trusts the signature directly (§8.4).
- Re-key each of those services to a fresh key (§8.2).
- Re-link the new key at the attestor.
- Resume the account — only if you blanket-paused it in step 1, and only after the compromised binding is revoked.
Revoke the compromised binding at the attestor — permanent
If your agent links to a human through the trust attestor, sign in at the attestor dashboard, find the compromised agent under Linked agents, and Revoke it. This is per-agent and permanent — there is no un-revoke — so it’s the durable containment for the stolen key, and it leaves your other agents running.Revoking stops new attestation tokens for that key immediately. Services that re-check attestation on each request — or that hold an attested session (§10.7) — lock the thief out within the token lifetime (≤ 15 min), since the agent can no longer mint a refresh. Tokens already minted stay valid until they expire — revoking stops new issuance, it does not recall outstanding tokens.
Revoke the key at each service that trusts it directly
A service that authenticates the agent’s signature — rather than re-checking an attestation on every request — never hears about the attestor revoke. At each such service the owner revokes the key: see Revoke an account. The old key then fails with
401 revoked_key.Re-key each service to resume (§8.2)
Revoke pauses the account. To bring the agent back on the same account, the owner re-keys from a fresh owner session:The owner binding carries forward and
account_id is stable — the re-key swaps the credential within the same account (§10.4.4: one account, many devices), it does not create a new one. The agent’s credential becomes the new DID (returned in the response as agent_did); the old DID stays revoked. The agent restarts with the new key.Re-link the new key at the attestor
A re-key gives the agent a new This creates a fresh binding for the new DID. Because
did:key, and the attestor binding was keyed to the old DID — so nothing carries over automatically. Until you re-link, the new key has no attestation and cannot reach attested_only services (the SDK default).Re-run the link flow under the new key, from the same human account:sub_h is keyed on the human, not the key, each service sees the same sub_h as before — per-human policy and state carry forward (§10.5.1). Full flow: Link your agent to a human.Resume the account — only if you paused it
If in step 1 you used the blanket Pause all agents (not per-binding revoke), resume it now at
trust.afauth.org/account — resuming requires a fresh sign-in (§7.5). Resume only after the compromised binding is revoked: resuming restores minting for every binding that isn’t individually revoked.If you used per-binding Revoke in step 1, skip this — the account was never paused.What recovery can and can’t reach
- The agent’s local state is untrusted. Don’t rely on the agent cleaning up its own cache or ledger — the attacker controls it. Recovery is owner- and service-side only.
- Signature-only, non-attested services are a blind spot for attestor-side action. Only that service’s own revoke reaches them (step 2). For high-value operations, gate on live attestation — per-request, or a lighter-weight attested session (§10.7) — so an attestor-side revoke actually takes effect.
- Re-key swaps the credential, not the account.
account_idis stable across a re-key (§10.4.4), so the owner binding and any state you keyed onaccount_idcarry forward; only the agent’s credential DID changes (returned asagent_did), so service-internal state keyed on the raw DID must be moved. Agent credentials aredid:key— there is no stable-identifier agent DID method, so the credential rolling on re-key is inherent.