- Go 1.23+
- Running Auth4Agent server
- Verified operator domain
- Network access to Auth4Agent server
Clone and build:

```bash
git clone https://github.com/auth4agents/auth4agent-cli.git
cd auth4agent-cli
go mod tidy
go build -o build/auth4agent        # Linux/macOS
go build -o build/auth4agent.exe    # Windows
```

Run:

```bash
./build/auth4agent --help
```

On Windows the binary is `./build/auth4agent.exe`; the remaining examples show the Linux/macOS form.

Before starting, verify the server is running:

```bash
./build/auth4agent health
```

Expected:
```json
{
  "status": "ok",
  "timestamp": 1234567890
}
```

Operator setup establishes:
- trust domain
- root identity
- authorization authority
This is typically performed once per organization/domain.
Generates:
- operator keypair
- operator identity config
```bash
./build/auth4agent init --operator --domain example.com --server http://localhost:8080
```

Expected output:
```json
{
  "mode": "operator",
  "domain": "example.com",
  "root_public_key": "base64...",
  "server": "http://localhost:8080"
}
```

Registering the operator with the server:
```bash
./build/auth4agent register operator
```

Expected:

```text
operator registered
id: 550e8400-e29b-41d4-a716-446655440000
domain: example.com
status: active
```

IMPORTANT: Save the operator ID; it is required for agent registration.
```bash
./build/auth4agent verify-operator instructions
```

Expected:

```text
dns verification instructions
domain: example.com
record_type: TXT
name: _auth4agents.example.com
value: abc123def456...
after propagation run:
auth4agents verify-operator confirm
```
Example:
Type: TXT
Name: _auth4agents.example.com
Value: abc123def456...
TTL: 300
Wait for DNS propagation (usually 5-30 minutes). Before confirming, check that the record is visible from a public resolver with `dig +short TXT _auth4agents.example.com`; the output should contain the value shown above. The verification proves control of the domain, so the record must be published in the zone you actually operate, not a lookalike.
```bash
./build/auth4agent verify-operator confirm
```

Expected:

```text
operator verified
verified_at: 2024-01-15T10:30:00Z
```
```bash
./build/auth4agent verify-operator status
```

Expected:

```text
operator verification status
id: 550e8400-e29b-41d4-a716-446655440000
domain: example.com
status: active
verified_at: 2024-01-15T10:30:00Z
```
Agents are autonomous machine identities.
Each agent:
- owns its own DID
- owns its own private key
- authenticates independently
Generates:
- DID
- agent keypair
- DID document
```bash
./build/auth4agent init --domain example.com --server http://localhost:8080
```

Expected output:

```json
{
  "mode": "agent",
  "did": "did:agent:example.com:5e5009ae48d7e3ea",
  "public_key": "base64...",
  "did_document": {...},
  "server": "http://localhost:8080"
}
```

Register the agent under the operator, using the operator ID printed by `register operator`:
```bash
./build/auth4agent register agent --operator-id YOUR_OPERATOR_ID
```

Expected:

```text
agent registered
did: did:agent:example.com:5e5009ae48d7e3ea
status: active
```
```bash
./build/auth4agent whoami
```

Expected:

```text
Mode: Agent
DID: did:agent:example.com:5e5009ae48d7e3ea
Operator: 550e8400-e29b-41d4-a716-446655440000
Server: http://localhost:8080
```
Authorization is operator-controlled.
Agents cannot assign permissions to themselves.
```bash
./build/auth4agent agent-scopes set --scopes read:payments,read:orders
```

Expected:

```json
{
  "updated": true,
  "did": "did:agent:example.com:5e5009ae48d7e3ea",
  "allowed_scopes": ["read:payments", "read:orders"]
}
```

```bash
./build/auth4agent agent-scopes list
```

Expected:

```text
Allowed scopes for did:agent:example.com:5e5009ae48d7e3ea:
- read:payments
- read:orders
```
Agents authenticate using:
- DID
- challenge signing
- proof exchange
```bash
./build/auth4agent issue --scope read:payments --aud https://api.example.com
```

Flow:

- Request challenge
- Sign challenge locally
- Exchange signed proof
- Receive JWT

Expected:

```text
token issued
did: did:agent:example.com:5e5009ae48d7e3ea
scope: read:payments
audience: https://api.example.com
expires_at: 2024-01-15T11:30:00Z
eyJhbGciOiJFZERTQSIsImtpZCI6ImtleS0xIiwidHlwIjoiSldUIn0...
```
Export the token for the commands that follow:

```bash
export JWT_TOKEN="eyJhbGciOiJFZERTQSIsImtpZCI6ImtleS0xIiwidHlwIjoiSldUIn0..."
```

```powershell
$env:JWT_TOKEN = "eyJhbGciOiJFZERTQSIsImtpZCI6ImtleS0xIiwidHlwIjoiSldUIn0..."
```

If an agent requests a scope it has not been granted:
```bash
./build/auth4agent issue --scope admin:root --aud https://api.example.com
```

Expected:

```text
scope not allowed
```

Authorization is deny-by-default: any scope the operator has not assigned with `agent-scopes set` is refused, regardless of how the agent authenticates.
Note: when a challenge expires (410 Gone) or has already been used (409 Conflict), a new challenge is requested automatically; each challenge is valid for a single proof.
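The four-step flow above (request challenge, sign locally, exchange proof, receive JWT) and the 404/409/410 conditions from the note are easiest to see with both sides in one place. The following is an added example written for this page, not auth4agent's own code: a stand-alone model of the server's challenge store and the agent's signing step using Ed25519 (the same EdDSA family the issued token's header names). The wire format, the binding of the nonce to the DID, the 60-second challenge lifetime and the error strings are assumptions; the deny-by-default scope check at the end mirrors `scope not allowed`.

```go
// Added example, not auth4agent's own code. Wire format, DID binding and the
// 60 s challenge lifetime are assumptions; 404/409/410 follow the troubleshooting table.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"slices"
	"time"
)

var (
	ErrNotFound = errors.New("404 Not Found: challenge not found")
	ErrUsed     = errors.New("409 Conflict: challenge already used")
	ErrExpired  = errors.New("410 Gone: challenge expired")
	ErrBadProof = errors.New("401 Unauthorized: invalid proof")
	ErrScope    = errors.New("scope not allowed")
)

type challenge struct {
	did     string
	nonce   []byte
	expires time.Time
	used    bool
}

// Server holds registered agent keys, operator-assigned scopes and live challenges.
type Server struct {
	keys       map[string]ed25519.PublicKey // DID -> key from the DID document
	scopes     map[string][]string          // DID -> allowed scopes (agent-scopes set)
	challenges map[string]*challenge        // challenge id -> state
	now        func() time.Time             // injectable clock so tests can expire challenges
	ttl        time.Duration
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, scopes: map[string][]string{},
		challenges: map[string]*challenge{}, now: time.Now, ttl: 60 * time.Second}
}

// RegisterAgent stores the agent's public key; with no scopes assigned every request is denied.
func (s *Server) RegisterAgent(did string, pub ed25519.PublicKey) { s.keys[did] = pub }

// SetScopes is the operator-controlled step; an agent never calls it for itself.
func (s *Server) SetScopes(did string, scopes ...string) { s.scopes[did] = scopes }

// NewChallenge hands out a random nonce tied to the DID, valid for ttl and usable once.
func (s *Server) NewChallenge(did string) (id string, nonce []byte, err error) {
	if _, ok := s.keys[did]; !ok {
		return "", nil, ErrNotFound
	}
	buf := make([]byte, 40) // 8 bytes of challenge id + 32 bytes of nonce
	if _, err := rand.Read(buf); err != nil {
		return "", nil, err
	}
	id = fmt.Sprintf("%x", buf[:8])
	s.challenges[id] = &challenge{did: did, nonce: buf[8:], expires: s.now().Add(s.ttl)}
	return id, buf[8:], nil
}

// message binds the nonce to the DID so a proof cannot be replayed for another identity.
func message(did string, nonce []byte) []byte { return append([]byte(did+"\n"), nonce...) }

// Sign is the agent side: the private key never leaves the agent.
func Sign(priv ed25519.PrivateKey, did string, nonce []byte) []byte {
	return ed25519.Sign(priv, message(did, nonce))
}

// Prove is the exchange step: single use, expiry and signature, then the scope check.
func (s *Server) Prove(id, did, scope string, proof []byte) error {
	c, ok := s.challenges[id]
	if !ok || c.did != did {
		return ErrNotFound
	}
	if c.used {
		return ErrUsed
	}
	if s.now().After(c.expires) {
		delete(s.challenges, id)
		return ErrExpired
	}
	c.used = true // burn it before verifying so a bad proof cannot be retried
	if !ed25519.Verify(s.keys[did], message(did, c.nonce), proof) {
		return ErrBadProof
	}
	if !slices.Contains(s.scopes[did], scope) {
		return ErrScope
	}
	return nil // the real server would now mint the JWT
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	did := "did:agent:example.com:5e5009ae48d7e3ea"
	srv := NewServer()
	srv.RegisterAgent(did, pub)
	srv.SetScopes(did, "read:payments", "read:orders")
	id, nonce, _ := srv.NewChallenge(did)
	proof := Sign(priv, did, nonce)
	fmt.Println(srv.Prove(id, did, "read:payments", proof), srv.Prove(id, did, "read:payments", proof))
}
```

The second `Prove` call in `main` reuses the proof and gets the 409 outcome; a challenge whose deadline has passed gets 410, an unknown or foreign-DID challenge id gets 404. The order of checks matters: the challenge is marked used before the signature is checked, so an attacker who obtains a challenge id cannot keep guessing proofs against it.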
If the server URL changes:

```bash
./build/auth4agent set-server --url http://new-server:8080
```

Revoke a token:

```bash
./build/auth4agent revoke token --token "JWT_TOKEN" --reason "compromised"
```

Revoke an agent:

```bash
./build/auth4agent revoke agent --id AGENT_UUID --reason "decommissioned"
```

Suspend an agent:

```bash
./build/auth4agent revoke suspend --agent-id AGENT_UUID --reason "investigating"
```

Reactivate a suspended agent:

```bash
./build/auth4agent revoke reactivate --agent-id AGENT_UUID
```

List revocations:

```bash
./build/auth4agent revoke list
```

Offline verification performs:
- signature verification
- issuer validation
- expiration validation
- JWKS validation
No online introspection is required. Because nothing is looked up on the server, offline verification cannot see revocations: a revoked token that has not yet expired still verifies here, which is what the `--online` mode below is for.
```bash
./build/auth4agent verify --token "JWT_TOKEN"
```

Expected:

```text
token verification
valid: true
expired: false
issuer: https://auth.example.com
subject: did:agent:example.com:5e5009ae48d7e3ea
audience: [https://api.example.com]
scope: read:payments
operator_id: 550e8400-e29b-41d4-a716-446655440000
issued_at: 2024-01-15 10:30:00 +0000 UTC
expires_at: 2024-01-15 11:30:00 +0000 UTC
```
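What those four offline checks (signature, issuer, expiration, JWKS) amount to is worth seeing in code. The block below is an added example for this page, not auth4agent's own code: it mints an EdDSA JWT with the Go standard library and verifies it against a JWKS modelled as a map from key id to Ed25519 public key. The claim names follow RFC 7519 and the fields the CLI prints above; the issuer, key id and lifetime values are assumptions. The header prefix of the token shown earlier (`eyJhbGciOiJFZERTQSIsImtpZCI6ImtleS0xIiwidHlwIjoiSldUIn0`) decodes to `{"alg":"EdDSA","kid":"key-1","typ":"JWT"}`, which is exactly the header `Mint` produces for kid `key-1`.

```go
// Added example, not auth4agent's own code: the offline checks for an EdDSA JWT
// with only the Go standard library. Claim names follow RFC 7519; the JWKS is
// modelled as kid -> Ed25519 key; issuer and kid values are assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

type JWKS map[string]ed25519.PublicKey // kid -> verification key published by the server

type Claims struct {
	Iss        string   `json:"iss"`
	Sub        string   `json:"sub"`
	Aud        []string `json:"aud"`
	Scope      string   `json:"scope"`
	OperatorID string   `json:"operator_id"`
	Iat        int64    `json:"iat"`
	Exp        int64    `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Mint is the issuing side: base64url(header).base64url(claims), signed with Ed25519.
func Mint(priv ed25519.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid, "typ": "JWT"})
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	return signingInput + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signingInput))), nil
}

// VerifyOffline does what `verify --token` does without the server: pin the algorithm,
// look the kid up in the JWKS, check the signature, then iss, aud and exp.
// Revocation is invisible here; that is what the online path adds.
func VerifyOffline(token string, jwks JWKS, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "EdDSA" { // never let the token choose the algorithm (alg=none, key confusion)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := jwks[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	pb, err := b64.DecodeString(parts[1]) // claims are trusted only after the signature holds
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	}
	if !slices.Contains(c.Aud, audience) {
		return nil, errors.New("token not intended for this audience")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tok, _ := Mint(priv, "key-1", Claims{Iss: "https://auth.example.com",
		Sub: "did:agent:example.com:5e5009ae48d7e3ea", Aud: []string{"https://api.example.com"},
		Scope: "read:payments", OperatorID: "550e8400-e29b-41d4-a716-446655440000",
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()})
	c, err := VerifyOffline(tok, JWKS{"key-1": pub}, "https://auth.example.com", "https://api.example.com", now)
	fmt.Println(c.Sub, c.Scope, err)
}
```

Two design points carry over to any verifier you write against these tokens: the accepted algorithm is fixed by the verifier rather than read from the token, and the audience check is mandatory, otherwise a token issued for one API can be replayed against another API that trusts the same issuer.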
Online verification performs:
- server-side verification
- revocation checks
- online introspection
```bash
./build/auth4agent verify --token "JWT_TOKEN" --online
```

Expected:

```text
online verification: success
```
Most commands support `--json` for machine-readable output. Example:

```bash
./build/auth4agent verify --token "JWT_TOKEN" --json
```

Identities and keys are stored locally, under `C:\Users\<USER>\.auth4agents\` on Windows and `~/.auth4agents/` elsewhere:

```text
operator.json
keys/operator.key
agent.json
keys/agent.key
```

Private keys never leave the local machine.
- Never commit the `.auth4agents` directory
- Never share `.key` files
- Back up identities securely
- Use HTTPS in production (`AUTH4AGENT_BASE_URL=https://...`)
- Rotate server signing keys regularly
- Restrict operator access
- Verify DNS ownership before production deployment
- Use `revoke token` immediately if a token is compromised
- Verifiers that must honour revocation need `verify --online`; offline verification does not consult the revocation list
- Regularly audit `revoke list` for unauthorized revocations
| Action | Command |
|---|---|
| Check server health | health |
| Init operator | init --operator |
| Register operator | register operator |
| Get DNS instructions | verify-operator instructions |
| Verify operator | verify-operator confirm |
| Check verification status | verify-operator status |
| Init agent | init |
| Register agent | register agent --operator-id <id> |
| Show identity | whoami |
| Assign scopes | agent-scopes set --scopes <scopes> |
| List scopes | agent-scopes list |
| Issue token | issue --scope <scope> --aud <audience> |
| Verify token (offline) | verify --token <token> |
| Verify token (online) | verify --token <token> --online |
| Revoke token | revoke token --token <token> |
| Revoke agent | revoke agent --id <agent-id> |
| Suspend agent | revoke suspend --agent-id <agent-id> |
| Reactivate agent | revoke reactivate --agent-id <agent-id> |
| List revoked agents | revoke list |
| Update server URL | set-server --url <url> |
| JSON output | --json flag on any command |
```bash
# 1. Check server health
auth4agent health

# 2. Operator setup
auth4agent init --operator --domain example.com --server https://auth.example.com
auth4agent register operator
auth4agent verify-operator instructions
# ... add DNS TXT record and wait ...
auth4agent verify-operator confirm
auth4agent verify-operator status

# 3. Agent setup
auth4agent init --domain example.com --server https://auth.example.com
auth4agent register agent --operator-id <operator-id>
auth4agent whoami

# 4. Authorization
auth4agent agent-scopes set --scopes read:payments,read:orders
auth4agent agent-scopes list

# 5. Authentication
auth4agent issue --scope read:payments --aud https://api.example.com

# 6. Verification
auth4agent verify --token "<jwt>" --online

# 7. Revocation (if needed)
auth4agent revoke token --token "<jwt>" --reason "compromised"
auth4agent revoke list
```

Common errors:

| Error | Solution |
|---|---|
| 410 Gone | Challenge expired: request a new challenge |
| 409 Conflict | Challenge already used: request a new challenge |
| 404 Not Found | Challenge not found: request a new challenge |
| agent is not active | Agent revoked or suspended: check status with `verify-operator status` / `revoke list` |
```bash
# Check server health first
auth4agent health

# Update server URL if changed
auth4agent set-server --url http://new-server:8080
```

```bash
# List current scopes
auth4agent agent-scopes list

# Update scopes if needed
auth4agent agent-scopes set --scopes read:payments,write:reports
```