Skip to main content
A Vane Agent Passport (CAP+JWT) is a short-lived signed credential that encodes an agent’s identity and authorization. Third-party verifiers can verify passports offline using only the CA public key. All endpoints require authentication.

POST /v1/agents/:agentId/passport

Issues a new passport for the specified agent. Returns 404 if the agent is not registered under the authenticated company.

Path parameters

Request body (optional)

Response 201

Error responses

Example


POST /v1/agents/:agentId/passport/rotate

Rotates a passport. Revokes the current passport and issues a new one with identical scopes and TTL. The current valid passport must be presented in the Vane-Passport header. This is the correct path for credential refresh — it ensures there is no gap in authorization, and the old credential is immediately invalidated.

Path parameters

Request headers

Response 200

Error responses

Example


POST /v1/passport/verify

Server-side passport verification. Checks the passport signature, expiry, audience, claims structure, and revocation status. Optionally checks whether the passport grants a specific tool scope. Requires authentication. For most production verifiers, use the @vane.build/mcp-middleware package for offline verification without a network call.

Request body

Response 200 — valid

Response 400 — invalid

Example — verify with tool check