Pre-claim rotation (§8.1)
While the account isUNCLAIMED or INVITED, the agent signs a rotation request with the old key:
Server.handleKeyRotation verifies the old key’s signature, moves the account to the new DID, and adds the old DID to the revocation list (§8.3). A request signed by the old key afterwards fails with 401 revoked_key.
did:key changes the agent’s DID on rotation — the DID is the key, so external references to the old DID stop resolving; a caller holding the old DID updates its reference from the rotation response (agent_did). Agent credentials are did:key and AFAuth has no stable-identifier agent DID method, so recovery is owner-driven (revoke + re-key), not a persistent DID. (Post-claim, a service-side account_id is stable across re-key — §10.4.4 — so the account survives even as the DID rolls.) See Identity and keys.Claimed accounts can’t self-rotate
Post-claim,handleKeyRotation rejects an agent-signed rotation with 403 — changing a claimed account’s key is an owner-binding operation, not something the agent’s signature can authorize alone. The owner re-keys instead (§8.2). See Recover a compromised key.
Spec: §8.1.