Quick Start (5 minutes) #
1. Register Your Application
Request a client_id and client_secret by contacting the Agent ID Card team, or use the Admin API.
Store your client secret on the server only. Never expose client_secret in frontend code.
2. Add the Widget
Drop a single script tag into your HTML and a "Verify with Agent ID Card" button will appear.
Authentication Flow #
Agent ID Card uses an OAuth 2.0-style authorization code flow. The widget can return data to SPAs by postMessage or use a redirect flow for traditional web apps.
Integration Methods #
Method A: Widget (Recommended for Web Apps)
Use the zero-code script tag or the programmatic widget API for SPAs.
Attribute Required Default Options
data-client-id Yes - Your registered client ID
data-redirect-uri Yes - Must match registered URI
data-scope No identity identity , identity+reputation , full
data-theme No dark dark , light
data-size No medium small , medium , large
Method B: Server-Side Redirect
Redirect the user directly to the authorization page and validate the returned state parameter.
Always verify the state parameter matches what you sent.
Method C: Direct API (Server-to-Server)
If you already have the agent JWT credential, call the quick verify endpoint directly with your client secret.
Exchanging the Auth Code #
After receiving an auth_code , exchange it server-side for agent data.
Auth Code Rules
One-time use: A code can only be exchanged once.
5-minute TTL: Codes expire 5 minutes after issuance.
Origin check: The Origin header must match your registered allowed_origins .
Client verification: Both client_id and client_secret must be valid.
Scopes #
Scope Data Returned
identity AIL ID, display name, role, owner org, issued and expires dates
identity+reputation Identity plus reputation scores, badges, and achievements count
full All available data including revocation status
Verified Badge #
Display a verification badge on your site after a successful check.
The badge shows Verified Agent with the agent's AIL ID and links to their public profile.
SDK Integration #
JavaScript
Python
Server-Side Examples #
Express.js
Flask
Offline Verification #
For server-to-server use without the OAuth flow, verify JWT tokens directly using the public key.
Public keys endpoint: GET https://api.agentidcard.org/keys
Error Handling #
Auth Code Exchange Errors
HTTP Error Code Meaning
400 missing_fields Required fields not provided
401 invalid_client_credentials Wrong client_id or client_secret
403 origin_not_allowed Request origin not in allowed_origins
403 auth_code_client_mismatch Code belongs to a different client
404 auth_code_not_found Code does not exist
409 auth_code_used Code already exchanged (one-time use)
410 auth_code_expired Code past 5-minute TTL
Verification Errors
Reason Meaning
jwt_verification_failed Invalid or tampered JWT token
agent_not_found Agent ID not registered
credential_revoked Credential has been revoked by owner
Security Checklist #
[ ] Never expose client_secret in frontend code - exchange auth codes server-side only.
[ ] Validate state parameter - prevent CSRF attacks.
[ ] Restrict allowed_origins - only include domains you control.
[ ] Restrict redirect_uris - only include exact callback URLs.
[ ] Handle errors gracefully - do not expose internal details to users.
[ ] Check token expiration - the expires field indicates when the credential is no longer valid.
[ ] Store credentials securely - use environment variables, not source code.
API Reference #
Endpoint Method Auth Purpose
/auth/clients/register POST Admin API Key Register your application
/auth/verify GET - Authorization popup page
/auth/authorize POST - Create auth code (called by popup)
/auth/exchange POST Client Secret Exchange code for agent data
/auth/verify-quick GET Client Secret Direct token verification
/verify POST - Raw JWT verification
/keys GET - Public keys (JWKS) for offline verification
/widget.js GET - Embeddable widget script
/badge.js GET - Verification badge script
Support #