# AFAuth > Agent-First Auth — the open protocol that makes AI agents first-class citizens of every service. ## Docs - [Changelog](https://docs.afauth.org/changelog/overview.md): What's new in AFAuth across the spec, SDKs, and CLI. - [Versioning & stability](https://docs.afauth.org/changelog/versioning.md): What 'Spec v0.1 — Stable' means in practice: the forward-compatibility rules you can build on, and the policies that aren't defined yet. - [afauth accounts](https://docs.afauth.org/cli/commands/accounts.md): Inspect local account state, optionally refreshing from the service. - [afauth call](https://docs.afauth.org/cli/commands/call.md): Make a signed HTTP request to an AFAuth-supporting service. - [afauth discover](https://docs.afauth.org/cli/commands/discover.md): Fetch and validate a service's /.well-known/afauth discovery document. - [afauth init](https://docs.afauth.org/cli/commands/init.md): Generate a keypair and write it to ~/.afauth/key.json. - [afauth invite](https://docs.afauth.org/cli/commands/invite.md): Invite a human (or external identity) to claim an agent-owned account. Supports all four §7.7 recipient types. - [afauth keys](https://docs.afauth.org/cli/commands/keys.md): Manage agent keys: rotate, export, import, and prune backups. - [afauth signup](https://docs.afauth.org/cli/commands/signup.md): Sign up an agent to a service. Auto-mints a trust attestation when the service requires one. - [afauth status](https://docs.afauth.org/cli/commands/status.md): Local readiness dashboard: identity, key location, trust-attestor linkage, and known accounts. - [afauth trust](https://docs.afauth.org/cli/commands/trust.md): Bind an agent to a human-controlled account at an afauth-trust attestor (AFAP-0006), and mint per-service attestation JWTs. - [afauth whoami](https://docs.afauth.org/cli/commands/whoami.md): Print the agent's did:key identity. - [Install](https://docs.afauth.org/cli/install.md): Install the afauth CLI via Homebrew, install script, or go install. - [afauth CLI](https://docs.afauth.org/cli/overview.md): Reference command-line agent runtime — single static binary, no SDK required. - [Attestation](https://docs.afauth.org/concepts/attestation.md): A §10 mechanism that lets services know which runtime an agent is operating in — and gives them a per-human, per-service pseudonym to key anti-abuse state off. - [The ceremony](https://docs.afauth.org/concepts/ceremony.md): An AFAuth account is created by an agent and optionally bound to a human owner later. The agent's signature alone never binds ownership — that's the protocol's security boundary. - [Error envelope](https://docs.afauth.org/concepts/error-envelope.md): Every AFAuth-conformant service returns errors in one shape: { error: { code, message, details? } }. The code is stable; the message is for humans. - [Glossary](https://docs.afauth.org/concepts/glossary.md): Every AFAuth term in one place — identity, signing, attestation, ownership, and operations. - [Sign in with AFAuth](https://docs.afauth.org/concepts/human-oidc-signin.md): How a human signs in to a service and lands in the account their agent already created — the agent-first analogue of 'Sign in with Google'. - [Identity and keys](https://docs.afauth.org/concepts/identity-and-keys.md): AFAuth names agent accounts with a did:key Decentralized Identifier — the identifier is the public key, verifiable offline with no registry or DNS. - [Revocation](https://docs.afauth.org/concepts/revocation.md): An agent is cut off by two independent levers — a global one at the attestor, a local one at each service. What each reaches, and which to pull when. - [Security model](https://docs.afauth.org/concepts/security-model.md): What AFAuth protects against, what it assumes, and what it deliberately leaves to services — the §12 threat model, digested. - [The service directory](https://docs.afauth.org/concepts/service-directory.md): What registry.afauth.org is, why listing is opt-in, and how it relates to the protocol itself. - [Signing requests](https://docs.afauth.org/concepts/signing.md): AFAuth signs HTTP requests with RFC 9421 — standard machinery, plus AFAuth-specific canonical components that bind each signature to a single service, time window, and replay-protected nonce. - [The trust attestor](https://docs.afauth.org/concepts/trust-attestor.md): What trust.afauth.org is, why a default §10 attestor exists, and what a trust attestation actually proves. - [Use AFAuth with Claude Code & Codex](https://docs.afauth.org/equip-your-agent.md): Install the afauth CLI so the coding agent you already run can sign up for and use services on its own — as itself, with you on the hook and ownership you can claim later. - [Accept afauth-trust attestations](https://docs.afauth.org/guides/accept-afauth-trust.md): Configure your service to accept short-lived JWTs from trust.afauth.org as a signal that a human stands behind an agent. - [Add Sign in with AFAuth](https://docs.afauth.org/guides/add-sign-in-with-afauth.md): Let humans sign in to your service and land in the account their agent already created. - [Build an agent (CLI)](https://docs.afauth.org/guides/build-an-agent-cli.md): Use the afauth CLI as your agent runtime — single static binary, no SDK required. - [Deploy to Cloudflare Workers](https://docs.afauth.org/guides/deploy-cloudflare-worker.md): Run an AFAuth service on Cloudflare Workers with @afauthhq/worker. - [Invite and claim](https://docs.afauth.org/guides/invite-and-claim.md): Hand off an agent-owned account to a human owner. - [Keep attested access live](https://docs.afauth.org/guides/keep-attested-access-live.md): Close the attestation blind spot without per-request cost: keep a fresh attestation on file (§10.7), so revoking once at the attestor drops access everywhere within the window. - [Link your agent to a human](https://docs.afauth.org/guides/link-to-a-human.md): Use trust.afauth.org so services that require attestation accept your agent. - [List your service on registry.afauth.org](https://docs.afauth.org/guides/list-on-the-registry.md): Step-by-step: prove control of your discovery host, submit a listing, manage it over time. - [Migrate from OAuth or API keys](https://docs.afauth.org/guides/migrate-from-oauth.md): AFAuth doesn't replace your existing auth — it adds an agent-native front door alongside it. Here's the incremental path. - [Rate limiting](https://docs.afauth.org/guides/rate-limiting.md): Per-route limits and the §11.3 rate_limit_exceeded response. - [Recover a compromised key](https://docs.afauth.org/guides/recover-a-compromised-key.md): Your agent's key leaked. Lock the thief out, re-key, and re-link — in the right order — to get the agent running again. - [Revoke an account](https://docs.afauth.org/guides/revoke-an-account.md): Owner-authenticated revocation: cut off a compromised or retired agent key at your service. - [Rotate keys](https://docs.afauth.org/guides/rotate-keys.md): Pre-claim agent key rotation (§8.1). Claimed or compromised? See Recover a compromised key. - [Run your own attestor](https://docs.afauth.org/guides/run-your-own-attestor.md): Operate a trust-class attestor under your own issuer — for a private agent fleet or as an alternative public attestor — that conformant services and agents recognize. - [Troubleshooting](https://docs.afauth.org/guides/troubleshooting.md): The errors you'll actually hit — clock skew, attestation_required, revocation that didn't propagate — with the cause and the fix. - [Use a different attestor](https://docs.afauth.org/guides/use-a-different-attestor.md): Link your agent to an attestor other than trust.afauth.org — a private/enterprise attestor or an alternative public one — and have it present the attestation the target service actually accepts. - [Verify a request](https://docs.afauth.org/guides/verify-a-request.md): Use the Verifier to authenticate incoming AFAuth requests. - [How it works, end to end](https://docs.afauth.org/how-it-works.md): The whole arc in one place: an agent generates a keypair, proves a human stands behind it without revealing them, signs its first request to create an account, and optionally hands ownership to a human later. - [Introduction](https://docs.afauth.org/introduction.md): AFAuth is the open protocol that lets AI agents sign up to services on their own behalf, with their own cryptographic identity, and hand ownership to a human later. - [Quickstart: build an agent](https://docs.afauth.org/quickstart-agent.md): Generate a keypair, link your agent to a human, and make your first signed request that a default service accepts — five minutes. - [Quickstart: accept AFAuth on your service](https://docs.afauth.org/quickstart-service.md): Mount the discovery document, verify a signed request, and start accepting agents. - [Error codes](https://docs.afauth.org/reference/error-codes.md): The full §11.3 reserved error code list, each row with its HTTP status, when it's returned, and what a client should do. - [Registry API](https://docs.afauth.org/reference/registry-api.md): Endpoints at registry.afauth.org/v1 — request shapes, responses, errors. - [Trust API](https://docs.afauth.org/reference/trust-api.md): Endpoints at trust.afauth.org — link flow, attestation tokens, JWKS, and OIDC sign-in. - [/.well-known/afauth](https://docs.afauth.org/reference/well-known-afauth.md): Reference page for the AFAuth discovery document — schema, fields, examples. - [@afauthhq/agent](https://docs.afauth.org/sdk/typescript/agent/overview.md): Client-side SDK: Agent.generate(), signRequest, protocol-aware builders, discovery, AttestedFetcher (§10.7). - [@afauthhq/core](https://docs.afauth.org/sdk/typescript/core/overview.md): Shared primitives: did:key codec, DID resolvers, RFC 9421 canonicalisation, content-digest, recipient types, error envelope. - [Installation](https://docs.afauth.org/sdk/typescript/installation.md): Install the AFAuth TypeScript SDK packages from npm. - [TypeScript SDK](https://docs.afauth.org/sdk/typescript/overview.md): Reference TypeScript SDK for the AFAuth protocol — four composable packages under @afauthhq. - [@afauthhq/server](https://docs.afauth.org/sdk/typescript/server/overview.md): Service-side SDK: defineService, Verifier, Server handlers (incl. owner re-key/revoke + §10.7 verifyAttested), RateLimiter, Attestor, Memory stores. - [@afauthhq/worker](https://docs.afauth.org/sdk/typescript/worker/overview.md): Cloudflare Workers bindings: createWorker, DurableObjectNonceStore, KvNonceStore, KvRevocationList, KvAttestedFreshnessStore, KvRateLimiter, D1AccountStore. - [Ship AFAuth in your CLI](https://docs.afauth.org/ship-afauth-in-your-cli.md): Distribute a CLI or client that provisions an agent-native identity for your users — its own keypair, no portal account — by embedding the AFAuth agent role. - [Conformance](https://docs.afauth.org/spec/conformance.md): Conformance criteria for agent and service roles. - [Specification](https://docs.afauth.org/spec/core.md): AFAuth Protocol v0.1 — normative specification. - [Test vectors](https://docs.afauth.org/spec/test-vectors.md): Appendix C — canonical inputs, signatures, discovery docs, recipients, errors, replay-window vectors. - [well-known discovery document](https://docs.afauth.org/spec/well-known.md): JSON Schema for /.well-known/afauth. - [Why AFAuth](https://docs.afauth.org/why-afauth.md): Existing auth assumes a human is the root of trust. Agents need a different model. ## OpenAPI Specs - [openapi](https://docs.afauth.org/api-reference/openapi.json)