Overview
Vane supports passport revocation via two mechanisms:- Revocation list (
GET /v1/passports/revoked) — full list of all revoked passports for a company. - OCSP status check (
GET /v1/ocsp/:jti) — signed status response for a specific passport.
The revocation trade-off
Vane passports are verified offline by default. This is a feature — it allows MCP servers to verify agent credentials without a round-trip to Vane. But it means revocation is not instant for offline verifiers. The options:
For most use cases, short TTLs (1 hour) plus OCSP on suspicious activity is the right balance. For high-security environments, use
POST /v1/passport/verify (server-side, checks revocation automatically).
Revocation workflow
Immediate revocation
POST /v1/passport/verifyreturns{ "valid": false, "code": "PASSPORT_REVOKED" }.GET /v1/ocsp/:jtireturns{ "status": "revoked" }.- Offline verifiers (
@vane.build/mcp-middleware) still accept the passport until itsexp.
Planned rotation
UsePOST /v1/agents/:agentId/passport/rotate instead of manual revocation. This atomically revokes the old passport and issues a new one with the same scopes, preventing a gap in authorization.
OCSP response format
The OCSP response is signed with the company’s Ed25519 key. The signature covers the response data object (excludingcaPublicKey and signature):
- Remove
caPublicKeyandsignaturefrom the response. - Canonicalize the remaining object (sort keys recursively, JSON-stringify).
- Compute SHA-256 of the canonical string.
- Verify the Ed25519 signature over that hash using the
caPublicKey.
Caching
OCSP responses includeCache-Control: public, max-age=300 (5 minutes). This means:
- A verifier that caches OCSP responses will see revocations within 5 minutes.
- A freshly revoked passport may still pass OCSP checks for up to 5 minutes if the cache holds a stale
"valid"response.
POST /v1/passport/verify — it always checks the live database state.