# Step 1: Company SVID (subject)
COMPANY_SVID=$(curl -s -X POST http://localhost:3000/v1/companies/svid \
-H "Authorization: Bearer $API_KEY" | jq -r '.svid')
# Step 2: Orchestrator SVID (first actor)
ORCH_SVID=$(curl -s http://localhost:3000/v1/agents/orchestrator/svid \
-H "Authorization: Bearer $API_KEY" | jq -r '.svid')
# Step 3: Exchange — "orchestrator acts on behalf of acme"
ROUND1=$(curl -s -X POST http://localhost:3000/v1/token/exchange \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $API_KEY" \
-d "{
\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\",
\"subject_token\": \"$COMPANY_SVID\",
\"subject_token_type\": \"urn:ietf:params:oauth:token-type:jwt\",
\"actor_token\": \"$ORCH_SVID\",
\"actor_token_type\": \"urn:ietf:params:oauth:token-type:jwt\"
}" | jq -r '.access_token')
# Now ROUND1 encodes: { sub: acme, act: { sub: orchestrator } }
# Step 4: Sub-researcher SVID (second actor)
SUB_SVID=$(curl -s http://localhost:3000/v1/agents/sub-researcher/svid \
-H "Authorization: Bearer $API_KEY" | jq -r '.svid')
# Step 5: Exchange again — "sub-researcher acts on behalf of orchestrator, which acts on behalf of acme"
ROUND2=$(curl -s -X POST http://localhost:3000/v1/token/exchange \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $API_KEY" \
-d "{
\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\",
\"subject_token\": \"$ROUND1\",
\"subject_token_type\": \"urn:ietf:params:oauth:token-type:jwt\",
\"actor_token\": \"$SUB_SVID\",
\"actor_token_type\": \"urn:ietf:params:oauth:token-type:jwt\"
}")