# Identity API

> Issue. Verify. Revoke. Three endpoints. Ed25519 throughout. Designed for real-time verification on customer infrastructure.

## Authentication

All identity endpoints require an `X-API-Key` header.

## POST /api/agent/issue
**Auth required.**

Mint an Ed25519-signed agent passport. Binds `agent_id` → `operator_id` → `machine_fingerprint` → biometric-attested human → `jurisdiction` → `policy_bundle`. Writes to the permanent registry.

```bash
curl -X POST https://aiegis.ie/api/agent/issue \
  -H "X-API-Key: ak_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "operator_id":          "op_acme_corp",
    "jurisdiction":         "EU",
    "risk_classification":  "high",
    "policy_bundle":        "eu_ai_act+gdpr",
    "capability_attestation": {
      "model":              "claude-opus-4-7",
      "provider_signature": "..."
    }
  }'
```

Response — full passport JSON per `/identity/spec` with appended `signature` and `audit_lineage_hash`.

## POST /api/agent/verify
**Public.**

Verify a passport's Ed25519 signature against the published key, check expiry, check the revocation list. Designed for real-time verification on customer infrastructure.

```bash
curl -X POST https://aiegis.ie/api/agent/verify \
  -H "Content-Type: application/json" \
  -d '{"passport": { ... full passport JSON ... }}'
```

Response:

```json
{
  "valid":        true,
  "agent_id":     "agent_b3a9f1...",
  "expires_at":   "2027-05-08T22:00:00Z",
  "revoked":      false,
  "verified_at":  "2026-05-08T22:30:14Z"
}
```

## POST /registry/revoke
**Auth required (operator key).**

Revoke a previously issued passport. The revocation propagates through the SQLite revocation store, so subsequent verification calls fail immediately. The `reason` field is logged for the audit trail.

```bash
curl -X POST https://aiegis.ie/registry/revoke \
  -H "X-API-Key: ak_operator_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id":  "agent_b3a9f1...",
    "reason":    "compromised — prompt injection detected"
  }'
```

## GET /identity/did.json
**Public.**

The AiEGIS issuer DID document. Published per W3C did:web. Returns the active Ed25519 verification key as `publicKeyMultibase` on the `verificationMethod` array. Any party can resolve `did:web:aiegis.ie` and verify a passport signature against this key.
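The verifier flow described under `/api/agent/verify` (signature against the published key, then expiry, then revocation) and the key extraction from the `did:web` document above can be exercised locally. The following Go program is an added example, not AiEGIS code: it builds a minimal DID document for a fixed-seed key (standing in for `GET /identity/did.json`), pulls the Ed25519 key out of `publicKeyMultibase` (assumed to be `z` + base58btc of the multicodec prefix `0xed 0x01` followed by the raw key), signs a passport, and runs the three checks in the order the endpoint performs them. The canonicalization rule (sign the passport JSON with `signature` removed and keys sorted) and the base64 encoding of `signature` are assumptions; `/identity/spec` defines the real format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// publicKeyMultibase for Ed25519 is assumed to be "z" + base58btc(0xed 0x01 || raw 32-byte key).
const b58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

func base58Encode(b []byte) string {
	x, base, mod := new(big.Int).SetBytes(b), big.NewInt(58), new(big.Int)
	var out []byte
	for x.Sign() > 0 {
		x.DivMod(x, base, mod)
		out = append(out, b58Alphabet[mod.Int64()])
	}
	for _, c := range b { // leading zero bytes become leading '1's
		if c != 0 {
			break
		}
		out = append(out, '1')
	}
	for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 {
		out[i], out[j] = out[j], out[i]
	}
	return string(out)
}

func base58Decode(s string) ([]byte, error) {
	x, base := big.NewInt(0), big.NewInt(58)
	for _, c := range s {
		idx := strings.IndexRune(b58Alphabet, c)
		if idx < 0 {
			return nil, fmt.Errorf("invalid base58 character %q", c)
		}
		x.Mul(x, base).Add(x, big.NewInt(int64(idx)))
	}
	out := x.Bytes()
	for i := 0; i < len(s) && s[i] == '1'; i++ {
		out = append([]byte{0}, out...)
	}
	return out, nil
}

// didDocument covers only the part of a did:web document this example reads.
type didDocument struct {
	VerificationMethod []struct {
		PublicKeyMultibase string `json:"publicKeyMultibase"`
	} `json:"verificationMethod"`
}

// IssuerKeyFromDID returns the first Ed25519 key on the verificationMethod array.
func IssuerKeyFromDID(doc []byte) (ed25519.PublicKey, error) {
	var d didDocument
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	for _, vm := range d.VerificationMethod {
		if !strings.HasPrefix(vm.PublicKeyMultibase, "z") {
			continue // 'z' marks base58btc; other multibase encodings are not handled here
		}
		raw, err := base58Decode(vm.PublicKeyMultibase[1:])
		if err != nil || len(raw) != 2+ed25519.PublicKeySize || raw[0] != 0xed || raw[1] != 0x01 {
			continue // not an ed25519-pub multicodec key
		}
		return ed25519.PublicKey(raw[2:]), nil
	}
	return nil, errors.New("no Ed25519 verification key in DID document")
}

// BuildDIDDocument renders a minimal did:web document; it stands in for GET /identity/did.json.
func BuildDIDDocument(did string, pub ed25519.PublicKey) []byte {
	mb := "z" + base58Encode(append([]byte{0xed, 0x01}, pub...))
	b, _ := json.Marshal(map[string]interface{}{
		"id": did,
		"verificationMethod": []map[string]string{{"id": did + "#key-1",
			"type": "Ed25519VerificationKey2020", "controller": did, "publicKeyMultibase": mb}},
	})
	return b
}

// canonical returns the signed bytes: the passport minus "signature", keys sorted
// (json.Marshal sorts map keys). This canonicalization rule is an assumption.
func canonical(p map[string]interface{}) []byte {
	body := make(map[string]interface{}, len(p))
	for k, v := range p {
		if k != "signature" {
			body[k] = v
		}
	}
	b, _ := json.Marshal(body)
	return b
}

// SignPassport plays the issuer: sign the canonical form and append the signature (assumed base64).
func SignPassport(fields map[string]interface{}, priv ed25519.PrivateKey) []byte {
	signed := make(map[string]interface{}, len(fields)+1)
	for k, v := range fields {
		signed[k] = v
	}
	signed["signature"] = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(fields)))
	b, _ := json.Marshal(signed)
	return b
}

// VerifyResult mirrors the shape of the /api/agent/verify response.
type VerifyResult struct {
	Valid   bool
	AgentID string
	Revoked bool
	Reason  string
}

// VerifyPassport checks signature, then expiry, then the revocation list; an unsigned or
// tampered passport never reaches the later checks.
func VerifyPassport(passport []byte, issuer ed25519.PublicKey, revoked map[string]bool, now time.Time) VerifyResult {
	var p map[string]interface{}
	if err := json.Unmarshal(passport, &p); err != nil {
		return VerifyResult{Reason: "malformed passport JSON"}
	}
	agentID, _ := p["agent_id"].(string)
	res := VerifyResult{AgentID: agentID}
	sigB64, _ := p["signature"].(string)
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || !ed25519.Verify(issuer, canonical(p), sig) {
		res.Reason = "bad signature"
		return res
	}
	expStr, _ := p["expires_at"].(string)
	exp, err := time.Parse(time.RFC3339, expStr)
	if err != nil {
		res.Reason = "missing or malformed expires_at"
		return res
	}
	if !now.Before(exp) {
		res.Reason = "expired"
		return res
	}
	if revoked[agentID] {
		res.Revoked, res.Reason = true, "revoked"
		return res
	}
	res.Valid = true
	return res
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed: demo only
	pub, _ := IssuerKeyFromDID(BuildDIDDocument("did:web:aiegis.ie", priv.Public().(ed25519.PublicKey)))
	passport := SignPassport(map[string]interface{}{"agent_id": "agent_b3a9f1", // constructed sample
		"operator_id": "op_acme_corp", "jurisdiction": "EU", "expires_at": "2027-05-08T22:00:00Z"}, priv)
	now := time.Date(2026, 5, 8, 22, 30, 14, 0, time.UTC)
	fmt.Printf("%+v\n", VerifyPassport(passport, pub, map[string]bool{}, now))
}
```

The check order matters for a verifier that runs on every agent action: a forged passport is rejected by the signature check before its `expires_at` or `agent_id` is trusted for anything, and the revocation lookup is keyed on an `agent_id` that has already been authenticated by the issuer's key. A production verifier would cache the DID document with a bounded TTL and refresh the revocation list from `/registry/revoke` propagation rather than holding a static map.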

## Rate limits

`/api/agent/issue` is rate-limited per operator key (10 issuances/hour by default — adjustable in your contract). `/api/agent/verify` and `/identity/did.json` are designed to be called on every agent action with no rate limit.
