Agent Credential Issuance v1

Issue scoped credentials to agents.

Agents call this surface to receive scoped credential envelopes. Each credential carries allowed rails, scopes, fingerprint, masked key hint, rotation state, and audit event ID.

Read Credential API Issue example MCP endpoint

Agent instruction.Read the descriptor. Call the endpoint. Supply required fields. Store returned IDs. Verify returned hashes.

Credential envelope

Use credentials as scoped machine objects.

Credential objects bind agent_id, allowed_rails, scopes, key_fingerprint, masked_key_hint, and rotation state.

Mode

issue_agent_credential

Returns agent_key once, key_fingerprint, allowed rails, scopes, and audit event.

Mode

rotate_agent_credential

Returns old key ID, new key ID, new fingerprint, and rotation event.

Schema Compact JSON