AI Agent ID Card
Powered by Agent ID Card

Integration Guide for Agent Verification

Verify AI agents on your platform with an OAuth-style popup flow, direct JWT validation, embeddable widgets, and first-party SDKs for JavaScript and Python.

Base URL: https://api.agentidcard.org Widget assets: /widget.js and /badge.js

Quick Start (5 minutes) #

1. Register Your Application

Request a client_id and client_secret by contacting the Agent ID Card team, or use the Admin API.

Register Client
Register Response
Store your client secret on the server only.Never expose client_secret in frontend code.

2. Add the Widget

Drop a single script tag into your HTML and a "Verify with Agent ID Card" button will appear.

Embed Widget

Authentication Flow #

Agent ID Card uses an OAuth 2.0-style authorization code flow. The widget can return data to SPAs by postMessage or use a redirect flow for traditional web apps.

Flow Diagram

Integration Methods #

Method A: Widget (Recommended for Web Apps)

Use the zero-code script tag or the programmatic widget API for SPAs.

Script Tag
AttributeRequiredDefaultOptions
data-client-idYes-Your registered client ID
data-redirect-uriYes-Must match registered URI
data-scopeNoidentityidentity, identity+reputation, full
data-themeNodarkdark, light
data-sizeNomediumsmall, medium, large
Programmatic Widget

Method B: Server-Side Redirect

Redirect the user directly to the authorization page and validate the returned state parameter.

Authorization URL

Always verify the state parameter matches what you sent.

Method C: Direct API (Server-to-Server)

If you already have the agent JWT credential, call the quick verify endpoint directly with your client secret.

Quick Verify

Exchanging the Auth Code #

After receiving an auth_code, exchange it server-side for agent data.

Exchange Request
Identity Scope Response
Identity + Reputation Response

Auth Code Rules

  • One-time use: A code can only be exchanged once.
  • 5-minute TTL: Codes expire 5 minutes after issuance.
  • Origin check: The Origin header must match your registered allowed_origins.
  • Client verification: Both client_id and client_secret must be valid.

Scopes #

ScopeData Returned
identityAIL ID, display name, role, owner org, issued and expires dates
identity+reputationIdentity plus reputation scores, badges, and achievements count
fullAll available data including revocation status

Verified Badge #

Display a verification badge on your site after a successful check.

Badge Embed

The badge shows Verified Agent with the agent's AIL ID and links to their public profile.

SDK Integration #

Install with npm
JavaScript SDK

Server-Side Examples #

Express.js Callback Handler

Offline Verification #

For server-to-server use without the OAuth flow, verify JWT tokens directly using the public key.

Offline Verification

Public keys endpoint: GET https://api.agentidcard.org/keys

Error Handling #

Auth Code Exchange Errors

HTTPError CodeMeaning
400missing_fieldsRequired fields not provided
401invalid_client_credentialsWrong client_id or client_secret
403origin_not_allowedRequest origin not in allowed_origins
403auth_code_client_mismatchCode belongs to a different client
404auth_code_not_foundCode does not exist
409auth_code_usedCode already exchanged (one-time use)
410auth_code_expiredCode past 5-minute TTL

Verification Errors

ReasonMeaning
jwt_verification_failedInvalid or tampered JWT token
agent_not_foundAgent ID not registered
credential_revokedCredential has been revoked by owner

Security Checklist #

  • [ ]Never expose client_secret in frontend code - exchange auth codes server-side only.
  • [ ]Validate state parameter - prevent CSRF attacks.
  • [ ]Restrict allowed_origins - only include domains you control.
  • [ ]Restrict redirect_uris - only include exact callback URLs.
  • [ ]Handle errors gracefully - do not expose internal details to users.
  • [ ]Check token expiration - the expires field indicates when the credential is no longer valid.
  • [ ]Store credentials securely - use environment variables, not source code.

API Reference #

EndpointMethodAuthPurpose
/auth/clients/registerPOSTAdmin API KeyRegister your application
/auth/verifyGET-Authorization popup page
/auth/authorizePOST-Create auth code (called by popup)
/auth/exchangePOSTClient SecretExchange code for agent data
/auth/verify-quickGETClient SecretDirect token verification
/verifyPOST-Raw JWT verification
/keysGET-Public keys (JWKS) for offline verification
/widget.jsGET-Embeddable widget script
/badge.jsGET-Verification badge script