This page covers the default agent flow. Per-symbol typedoc reference is planned but not yet published.
Two responsibilities
Agent—Agent.generate()/Agent.fromPrivateKey(),signRequest, the protocol-aware builders (owner invitation, key rotation, account introspection), andfetchDiscovery/assertDiscoveryDocument.TrustClient(AFAP-0006) — binds the agent’s DID to a human and mints the attestation that default services require.
Default flow: signing up to an attested_only service
Services built withdefineService default to unclaimed_mode: "attested_only", so a request with no AFAuth-Attestation header is rejected with 401 attestation_required. The agent links to a human once, then mints a per-service JWT per request:
unclaimed_mode: "free" service the link/mint steps are unnecessary — a bare signed request suffices. Full walkthrough: Link your agent to a human and the Trust API reference.
One call: signup() + the shared agent home
signup() collapses the flow above into one call — discover, link to a human only if the service is attested_only and the agent isn’t linked yet, then send the signed implicit-signup request:
optional service onLink never fires and the agent signs up with just its key. This is the call a service-distributed CLI builds on.
For Node clients, @afauthhq/agent/node persists the shared agent home (~/.afauth, honouring $AFAUTH_HOME) so a human links once across every AFAuth tool on the machine — in the same on-disk format the afauth CLI uses:
loadOrCreateAgent()/loadAgent/saveAgent— thedid:keykeypair (key.json).loadBinding/saveBinding— trust-attestor bindings (trust.json).
Keeping access live (§10.7)
For ongoing requests to an attested-session service,AttestedFetcher runs the refresh-on-challenge loop for you — it signs each request and, on 401 attestation_required, mints a fresh attestation (via TrustClient) and retries once:
TrustHttpError (re-link, don’t retry). See Keep attested access live.