Issue agent identity

POST

/v1/identity/agent

const url = 'http://localhost:8693/v1/identity/agent';
const options = {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: '{"agent_name":"code-assistant","platform":"mcp","capabilities":["query-read","tool-execute"],"max_blast_radius":"workspace:dev","delegation_depth":2,"metadata":{"mcp_server":"cursor-server-v1"}}'
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request POST \
  --url http://localhost:8693/v1/identity/agent \
  --header 'Content-Type: application/json' \
  --data '{ "agent_name": "code-assistant", "platform": "mcp", "capabilities": [ "query-read", "tool-execute" ], "max_blast_radius": "workspace:dev", "delegation_depth": 2, "metadata": { "mcp_server": "cursor-server-v1" } }'

Issues a verifiable identity token for an AI agent (MCP, A2A, WatsonX, custom). Evaluates agent identity OPA policy for capability and blast radius constraints.

Protected by mTLS when TLS is enabled.

Request Body^required

application/json

object

agent_name

required

Human-readable agent name

string

platform

required

Agent platform

string

Allowed values: mcp a2a watsonx custom

capabilities

required

Requested capabilities

Array<string>

on_behalf_of

Parent agent ID for delegation

string

max_blast_radius

Maximum blast radius (e.g., “workspace:dev”, “namespace”, “cluster”)

string

delegation_depth

Max delegation hops (0 = terminal agent)

integer

metadata

object

key

additional properties

string

Example

{
  "agent_name": "code-assistant",
  "platform": "mcp",
  "capabilities": [
    "query-read",
    "tool-execute"
  ],
  "max_blast_radius": "workspace:dev",
  "delegation_depth": 2,
  "metadata": {
    "mcp_server": "cursor-server-v1"
  }
}

Responses

200

Agent identity issued

application/json

object

agent_id

WIMSE-format agent identifier

string

token

Signed JWT agent identity token

string

platform

string

capabilities

Array<string>

blast_radius

string

expires_at

string format: date-time

Example ^generated

{
  "agent_id": "example",
  "token": "example",
  "platform": "example",
  "capabilities": [
    "example"
  ],
  "blast_radius": "example",
  "expires_at": "2026-04-15T12:00:00Z"
}

400

Invalid request (missing name, invalid platform, empty capabilities)

application/json

object

error

required

Error code (RFC 8693 compatible)

string

Allowed values: invalid_request unsupported_grant_type access_denied server_error not_implemented not_found method_not_allowed

error_description

Human-readable error detail

string

Example

{
  "error": "invalid_request"
}

501

Agent identity provider not configured

application/json

object

error

required

Error code (RFC 8693 compatible)

string

Allowed values: invalid_request unsupported_grant_type access_denied server_error not_implemented not_found method_not_allowed

error_description

Human-readable error detail

string

Example

{
  "error": "invalid_request"
}

Issue agent identity

Request Body required

Example

Responses

200

Example generated

400

Example

501

Example

Request Body^required

Example ^generated