Applied Identities →
Developer Guide

Integrate with the credential provider

Everything you need to register agents, issue Verifiable Intent credentials, create mandates, and verify transaction presentations against this server.

Issuer Public Key
Verify credentials issued by this server

This is the server's signing key — the public half. When this server issues an L1 credential, it signs the SD-JWT with the corresponding private key. Any verifier can confirm the credential is authentic by checking the signature against this public key. It's the same concept as a certificate authority's public certificate. There is one key for the server, not one per visitor.

Active Issuer Key

GET /.well-known/jwks.json
Loading issuer key…
Checking… Raw JSON →
Authentication
Bearer token access
API endpoints use Bearer token authentication. Include the token in the Authorization header. Tokens are scoped to one of four roles, each with access to a different set of endpoints.

issuer

Register agents, issue L1 credentials. Internal operations role.

agent

Create L2 mandates, generate key pairs. Scoped to a specific registered agent.

verifier

Submit L3 presentations for verification. Read-only access to verification results.

admin

Full access to all endpoints. Used for setup and testing.

# Include the Bearer token in every authenticated request
curl -X POST https://vi.appliedidentities.com/api/v1/agents/register \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ ... }'
API Reference
Endpoints
GET /.well-known/jwks.json Public
Returns the issuer's active public keys in JWK Set format. Use this to verify the signature on any L1 credential issued by this server. Standard JWKS discovery endpoint per RFC 7517.
GET /api/v1/verify/chain/:agentId Public
Full chain verification for a registered agent. Returns the Verifiable Intent credential chain status (L1, active L2 mandates, L3 presentation history) and the governance chain cross-reference (Passport serial, Soul Document, Constitution). One query, two verification systems.
POST /api/v1/agents/register issuer / admin
Register an agent with governance attestation. Accepts the agent's ES256 public key and an attestation object linking to the Identity Architecture chain (Passport serial, Soul Document serial, Constitution serial, governance tier).
POST /api/v1/keys/generate agent / admin
Generate an ES256 (P-256) key pair. Returns both public and private JWK. Helper utility — the server does not store the generated keys. The agent stores the private key securely; the public key is used in agent registration.
POST /api/v1/credentials/l1/issue issuer / admin
Issue an L1 SD-JWT identity credential for a registered agent. Binds the agent's identity to a user/organization public key via the cnf claim. The credential includes pan_last_four, scheme, and selectively disclosable email. Signed by the issuer's ES256 key.
POST /api/v1/credentials/l2/create agent / admin
Create an L2 mandate in immediate or autonomous mode. Immediate mandates carry final transaction values. Autonomous mandates carry constraint envelopes (amount bounds, merchant allowlists, budget caps, product restrictions) and bind to the agent's key for delegation. The sd_hash cryptographically binds the L2 to the L1.
POST /api/v1/credentials/l3/create agent / admin
Create L3a (payment) and L3b (checkout) presentation credentials from an autonomous L2 mandate. Test server helper — resolves L2 constraints into final values and generates the cross-bound L3 pair. Production agents would sign L3 credentials locally.
POST /api/v1/credentials/l3/verify verifier / admin
Submit paired L3a and L3b presentations for full-chain verification. Runs the complete pipeline: L1 issuer signature, L2 sd_hash binding, L3 signature and selective sd_hash verification, cross-binding validation (transaction_id == checkout_hash), and constraint satisfaction for all eight constraint types. Returns detailed per-step and per-constraint results.
GET /health Public
Server health check. Returns service status, version, and timestamp.
Quick Start
Verify an agent's chain in one call
The chain verification endpoint is public and requires no authentication. It returns both the Verifiable Intent credential status and the governance chain cross-reference for any registered agent.
Request
curl https://vi.appliedidentities.com/api/v1/verify/chain/1
Response
{
  "agent": "Nell Ashpool",
  "vi_chain": {
    "l1_status": "active",
    "l1_issuer": "https://vi.appliedidentities.com",
    "l1_expires": "2027-03-12T00:00:00Z",
    "active_l2_count": 1,
    "total_l3_presentations": 0
  },
  "governance_chain": {
    "passport_serial": "AI-PASS-NELL-2026-001",
    "soul_serial": "AI-SOUL-NELL-2026-001",
    "constitution_serial": "AI-CONST-AI-2026-001",
    "governance_tier_class": "3-A",
    "platform_verify_url": "https://platform.appliedidentities.com/chain"
  }
}