Per-Agent Identity
Host → Agent hierarchy. Ed25519 keypair per conversation.
The ASAP Protocol separates the long-lived client environment (Host) from each runtime actor (Agent). Every conversation, task, or session receives its own Ed25519 keypair — so you can audit, scope, and revoke individual agents without affecting the rest of your fleet.
Two JWT types, one hierarchy
Hosts are registered once; agents are minted on demand. Each request carries a short-lived agent+jwt signed by the agent's key, while privileged operations (registration, revocation, key rotation) require the Host JWT.
- POST /asap/agent/register: mint an agent under a host, receiving its own keypair and capability grants.
- GET /asap/agent/status: inspect lifecycle, grants, and lifetime clocks.
- POST /asap/agent/revoke: terminate a single agent; revoking a Host cascades to all of its agents.
- Backward compatible: existing OAuth2 flows keep working alongside the new identity model.
Three independent lifetime clocks — session TTL, max lifetime, absolute lifetime — give you the same ergonomics as modern session management, with reactivation as an explicit security checkpoint.
Key Capabilities
Host JWT + Agent JWT
Distinct typ: host+jwt and typ: agent+jwt flows with separate verification paths.
Cascade revocation
Revoke a Host and every agent under it is invalidated atomically.
Replay detection
jti cache with 90s TTL window blocks token replay out of the box.
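The typ separation and the 90s jti cache listed above, as an added example (not the ASAP project's own code). It assumes the token signature has already been verified and that tokens carry jti, iat and exp claims; JtiReplayCache and accept are hypothetical names, and the rule that a token's lifetime must fit inside the 90s window is this example's assumption.

```python
REPLAY_WINDOW_S = 90  # jti cache TTL stated on the page


class JtiReplayCache:
    """Remembers each jti for one replay window (in-memory, single process)."""

    def __init__(self, ttl=REPLAY_WINDOW_S):
        self.ttl = ttl
        self._seen = {}  # jti -> time at which the entry may be forgotten

    def check_and_store(self, jti, now):
        """Return True and record jti if unseen; return False on a replay."""
        # Evict expired entries so memory is bounded by one window of traffic.
        for old in [k for k, until in self._seen.items() if until <= now]:
            del self._seen[old]
        if jti in self._seen:
            return False
        self._seen[jti] = now + self.ttl
        return True


def accept(header, claims, cache, now, privileged=False):
    """Decide on a token whose signature has already been verified."""
    # Privileged operations need the Host JWT; ordinary requests the agent JWT.
    expected = "host+jwt" if privileged else "agent+jwt"
    if header.get("typ") != expected:
        return "reject: wrong typ"
    jti, iat, exp = claims.get("jti"), claims.get("iat"), claims.get("exp")
    if not jti or iat is None or exp is None:
        return "reject: missing claim"
    # Assumption: a token must not outlive the cache entry that guards it,
    # otherwise it could be replayed after its jti has been evicted.
    if exp - iat > cache.ttl or not (iat <= now < exp):
        return "reject: lifetime"
    if not cache.check_and_store(jti, now):
        return "reject: replay"
    return "accept"


if __name__ == "__main__":
    cache = JtiReplayCache()
    hdr = {"typ": "agent+jwt"}  # constructed sample header and claims
    tok = {"jti": "constructed-jti-1", "iat": 1000, "exp": 1060}
    print(accept(hdr, tok, cache, now=1010))  # first presentation
    print(accept(hdr, tok, cache, now=1020))  # same jti inside the window
```

A multi-node deployment would need a shared store in place of the in-process dictionary so that a replay sent to a different node is still seen.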