Identity · API reference

Issue. Verify. Revoke.

Three endpoints. Ed25519 throughout. Sub-15ms p95 verify on customer infrastructure.

Authentication

All identity endpoints require an X-API-Key header.

POST /api/agent/issue Auth required

Mint an Ed25519-signed agent passport. Binds agent_id, operator_id, jurisdiction, and policy_bundle with the model provider's capability_attestation. Writes to the permanent registry.

curl -X POST https://aiegis.ie/api/agent/issue \
  -H "X-API-Key: ak_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "operator_id": "op_acme_corp",
    "jurisdiction": "EU",
    "risk_classification": "high",
    "policy_bundle": "eu_ai_act+gdpr",
    "capability_attestation": {
      "model": "claude-opus-4-7",
      "provider_signature": "..."
    }
  }'

Response — full passport JSON per /identity/spec with appended signature and audit_lineage_hash.

POST /api/agent/verify Public

Verify a passport's Ed25519 signature against the published key, check expiry, check the revocation list. Sub-15ms p95 on customer infrastructure (loopback).

curl -X POST https://aiegis.ie/api/agent/verify \
  -H "Content-Type: application/json" \
  -d '{"passport": { ... full passport JSON ... }}'

Response:

{
  "valid": true,
  "agent_id": "agent_b3a9f1...",
  "expires_at": "2027-05-08T22:00:00Z",
  "revoked": false,
  "verified_at": "2026-05-08T22:30:14Z"
}

POST /registry/revoke Auth required (operator key)

Revoke a previously-issued passport. Propagates through the SQLite revocation store. Subsequent verifies fail immediately. Reason field is logged for the audit trail.

curl -X POST https://aiegis.ie/registry/revoke \
  -H "X-API-Key: ak_operator_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "agent_b3a9f1...",
    "reason": "compromised — prompt injection detected"
  }'

GET /registry/keys Public

Published Ed25519 public keys for verification. Returns { keys:[{key_id, public_key_pem, status, rotated_at}], active_key_id }. Verifiers cache by key_id.

GET /registry/revocations Public

Returns the active revocation list: { revocations:[...], count: N }. Verifiers can poll on a short cache TTL or subscribe via SIEM export.

Rate limits

Issuance is gated. Verification is not.

/api/agent/issue is rate-limited per operator key (10 issuances/hour by default — adjustable in your contract). /api/agent/verify, /registry/keys, and /registry/revocations are designed to be called on every agent action with no rate limit.
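
A caller-side gate for the per-action verify call described above, as an added example (not code from this API or its vendor): it evaluates the /api/agent/verify response fields shown on this page and denies on anything missing, mistyped, expired, revoked or stale. The function name, the 30-second freshness window and the sample agent_id are assumptions.

```python
from datetime import datetime, timedelta, timezone

def _parse_ts(value):
    """Parse a UTC timestamp such as 2027-05-08T22:00:00Z; None if malformed."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None

def allow_agent_action(resp, expected_agent_id, now, max_age=timedelta(seconds=30)):
    """Return (allowed, reason). Fail closed: anything missing or odd is a deny."""
    if not isinstance(resp, dict):
        return False, "malformed response"
    # Strict identity checks: the string "true" or the integer 1 must not pass.
    if resp.get("valid") is not True:
        return False, "passport not valid"
    if resp.get("revoked") is not False:
        return False, "revoked or revocation status missing"
    # Bind the result to the agent that is actually asking to act.
    if resp.get("agent_id") != expected_agent_id:
        return False, "passport belongs to a different agent"
    expires_at = _parse_ts(resp.get("expires_at"))
    verified_at = _parse_ts(resp.get("verified_at"))
    if expires_at is None or verified_at is None:
        return False, "missing or malformed timestamp"
    if expires_at <= now:
        return False, "passport expired"
    # Reject stale or future-dated results so a cached "valid" cannot outlive a revocation.
    if not (timedelta(0) <= now - verified_at <= max_age):
        return False, "verification result not fresh"
    return True, "ok"

# Constructed sample mirroring the response fields shown on this page.
SAMPLE = {
    "valid": True,
    "agent_id": "agent_example",  # placeholder, not a real agent id
    "expires_at": "2027-05-08T22:00:00Z",
    "revoked": False,
    "verified_at": "2026-05-08T22:30:14Z",
}
NOW = datetime(2026, 5, 8, 22, 30, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(allow_agent_action(SAMPLE, "agent_example", NOW))
```

Pass the parsed JSON body of the verify call as resp and the current UTC time as now; log the returned reason on every deny so revocations and expiries show up in the audit trail.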