{"name":"agentisecure","description":"Identity provider, provenance gateway, and credential vault for AgentiAgency. Agents request policies, HITLs approve via WebAuthn. OAuth federation with Google, GitHub, Microsoft, X (Twitter), Meta (Facebook), and Telegram.","requires":["vault.local","provenance.authority"],"provides":["secret.read","secret.write","secret.admin","provision.agent","webauthn.relay","auth.provenance","oidc.provider","identity.provision","policy.request","policy.approve","email.send","oauth.google","oauth.github","oauth.microsoft","oauth.x","oauth.meta","oauth.telegram"],"reboot_required":false,"auth_methods":["provenance_token","webauthn_assertion","oidc_id_token","oauth2_authorization_code","oauth2_jwt_bearer","telegram_widget","break_glass"],"version":"0.9.0","capability_namespaces":{"examples":["secret:read:agenti/token/myapp/**","secret:write:agenti/users/me/**","identity:create","identity:**","provision.agent","oauth.github","credential:mint:gcp"],"format":"action:resource/path (colons separate action and resource path; ** matches any depth)","note":"Use colon-separated format in policy/request, not dot-notation. For provider capabilities (GitHub, GCP, AWS) use the provider's native scope strings verbatim. For internal AgentiAgency capabilities use this format.\nPolicy triple authoring follows Cedar (https://www.cedarpolicy.com) — USE CEDAR for any new policy definitions."},"endpoints":[{"method":"GET","path":"/surface","auth":false,"description":"This document"},{"method":"GET","path":"/hints","auth":false,"description":"Integration guide"},{"method":"POST","path":"/policy/request","auth":"token_or_session","description":"Request capabilities from HITL"},{"method":"GET","path":"/policy/request/{id}","auth":false,"description":"Poll for approval status"},{"method":"GET","path":"/policy/events","auth":false,"description":"SSE stream for policy events"},{"method":"POST","path":"/token/renew","auth":"token","description":"Renew a still-valid provenance token"},{"method":"POST","path":"/device/start/{provider}","auth":false,"description":"Start OAuth device flow for bootstrap"},{"method":"POST","path":"/auth/jwt","auth":false,"description":"RFC 7523 JWT bearer — present any OIDC-signed JWT, receive agentisecure provenance token. Self-describing: issuer discovered from 'iss' claim. No provider pre-configuration required."},{"method":"GET","path":"/device/poll/{flow_id}","auth":false,"description":"Poll device flow for token"},{"method":"GET","path":"/v1/secret/data/{path}","auth":"token","description":"Read secret from your vault namespace"},{"method":"POST","path":"/v1/secret/data/{path}","auth":"token","description":"Write secret to your vault namespace"},{"method":"POST","path":"/identities/{name}/token","auth":"hitl","description":"HITL: mint initial token for agent identity"},{"method":"POST","path":"/plan","auth":"token","description":"Check if token authorizes action (dry run)"},{"method":"POST","path":"/test","auth":"token","description":"Execute authorized action with audit trail"}]}