Developer Quickstart
5-Minute Flow
This quickstart covers the minimum APIS v2.0 integration path:
- Select a realm and trust tier
- Run APIS-APP passport-init to register machine and agent context
- Sign issuer challenge with the agent private key
- Mint Agent Passport™ and optional Machine Passport
- Present passport-backed signed actions to a verifier
Step 1: Start passport-init

    passport-init provision \
      --issuer https://issuer.example.com \
      --realm example.com \
      --principal principal-123 \
      --agent-name invoice-agent-001 \
      --tier tier2_5-dnssec

passport-init is the APIS-APP client concept: an ACME-like provisioning flow for Machine Passports and Agent Passports. Implementations may expose equivalent API calls directly.
Step 2: Complete Challenge
The issuer returns a nonce. The agent signs the nonce with the private key that will be bound to the Agent Passport.

    curl -X POST https://issuer.example.com/v2/passport-init/challenge \
      -H "Content-Type: application/json" \
      -d @signed-challenge.json

The request includes public_key, signed_nonce, realm, principal_id, requested trust_tier, mandate context, and any TPM/vTPM/DNSSEC/software custody evidence.
Step 3: Install Passports
The issuer returns a signed Agent Passport and, when applicable, a Machine Passport reference.

    passport-init status --agent invoice-agent-001

The Agent Passport DID uses the realm-scoped format:

    did:passport:example.com:invoice-agent-001

Step 4: Verify at Runtime
Verifier flow:
- Resolve the did:passport:[realm]:[uuid]
- Fetch issuer JWKS
- Verify Agent Passport, Machine Passport, mandate, and action signatures
- Verify trust tier evidence and credential chain
- Check status and revocation_nonce
- Enforce mandate scope
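
The policy checks a verifier still has to make after the signatures pass (DID and realm binding, trust tier, status, revocation_nonce, mandate scope), as an added example that is not part of the APIS SDK or this quickstart's own code. The claim field names `did`, `status` and `mandate_scope`, the `active` status value, the `ns.*` scope wildcard, and comparing `revocation_nonce` with the value the issuer currently reports are assumptions made for illustration.

```python
import hmac
import re

# DID layout from the page: did:passport:[realm]:[uuid]
DID_RE = re.compile(r"did:passport:([a-z0-9.-]+):([A-Za-z0-9._-]+)")

def parse_passport_did(did):
    """Return (realm, agent_id), or None if the DID is malformed."""
    m = DID_RE.fullmatch(did)
    return (m.group(1), m.group(2)) if m else None

def scope_allows(scope, action):
    """Exact match, or 'ns.*' covering every action under 'ns.' (assumed syntax)."""
    for entry in scope:
        if entry == action:
            return True
        if entry.endswith(".*") and action.startswith(entry[:-1]):
            return True
    return False

def policy_failures(claims, action, expected_realm, accepted_tiers, issuer_nonce):
    """Return the failed checks; an empty list means the action may proceed.
    Assumes the passport, mandate and action signatures were already verified."""
    failures = []
    parsed = parse_passport_did(claims.get("did", ""))
    if parsed is None:
        failures.append("malformed_did")
    elif not (parsed[0] == claims.get("realm") == expected_realm):
        failures.append("realm_mismatch")
    if claims.get("trust_tier") not in accepted_tiers:
        failures.append("trust_tier_not_accepted")
    if claims.get("status") != "active":  # assumed status value
        failures.append("not_active")
    # Constant-time compare against the nonce the issuer currently reports.
    presented = str(claims.get("revocation_nonce", "")).encode()
    if not hmac.compare_digest(presented, issuer_nonce.encode()):
        failures.append("stale_revocation_nonce")
    if not scope_allows(claims.get("mandate_scope", []), action):
        failures.append("outside_mandate_scope")
    return failures

# Constructed sample claims, as they might look after signature verification.
SAMPLE = {
    "did": "did:passport:example.com:invoice-agent-001",
    "realm": "example.com",
    "trust_tier": "tier2_5-dnssec",
    "status": "active",
    "revocation_nonce": "n-0007",
    "mandate_scope": ["email.send", "invoice.*"],
}
```

Collecting every failure instead of stopping at the first one gives the verifier a complete reason list to log when it denies an action.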
Minimal Python Example

    from passport_sdk import PassportClient

    client = PassportClient(
        token="<passport_or_access_token>",
        issuer_url="https://issuer.example.com",
    )

    result = client.verify_action(
        action="email.send",
        payload={"to": "ops@example.com", "subject": "APIS v2.0 test"},
        minimum_trust_tier="tier2_5-dnssec",
    )

    print(result)