Skip to main content

Overview

Vane supports passport revocation via two mechanisms:
  1. Revocation list (GET /v1/passports/revoked) — full list of all revoked passports for a company.
  2. OCSP status check (GET /v1/ocsp/:jti) — signed status response for a specific passport.
Both are authenticated endpoints. The OCSP response is signed with the company’s Ed25519 key, so the status can be verified without trusting the HTTP transport.

The revocation trade-off

Vane passports are verified offline by default. This is a feature — it allows MCP servers to verify agent credentials without a round-trip to Vane. But it means revocation is not instant for offline verifiers. The options: For most use cases, short TTLs (1 hour) plus OCSP on suspicious activity is the right balance. For high-security environments, use POST /v1/passport/verify (server-side, checks revocation automatically).

Revocation workflow

Immediate revocation

After this:
  • POST /v1/passport/verify returns { "valid": false, "code": "PASSPORT_REVOKED" }.
  • GET /v1/ocsp/:jti returns { "status": "revoked" }.
  • Offline verifiers (@vane.build/mcp-middleware) still accept the passport until its exp.

Planned rotation

Use POST /v1/agents/:agentId/passport/rotate instead of manual revocation. This atomically revokes the old passport and issues a new one with the same scopes, preventing a gap in authorization.

OCSP response format

The OCSP response is signed with the company’s Ed25519 key. The signature covers the response data object (excluding caPublicKey and signature):
To verify the OCSP signature independently:
  1. Remove caPublicKey and signature from the response.
  2. Canonicalize the remaining object (sort keys recursively, JSON-stringify).
  3. Compute SHA-256 of the canonical string.
  4. Verify the Ed25519 signature over that hash using the caPublicKey.

Caching

OCSP responses include Cache-Control: public, max-age=300 (5 minutes). This means:
  • A verifier that caches OCSP responses will see revocations within 5 minutes.
  • A freshly revoked passport may still pass OCSP checks for up to 5 minutes if the cache holds a stale "valid" response.
If you need immediate revocation, call POST /v1/passport/verify — it always checks the live database state.

Integrating OCSP in a verifier