@dupecom/botcha-cloudflare 0.21.0 → 0.23.0

Files changed (88) hide show
  1. package/README.md +74 -9
  2. package/dist/agent-auth.d.ts +129 -0
  3. package/dist/agent-auth.d.ts.map +1 -0
  4. package/dist/agent-auth.js +210 -0
  5. package/dist/agents.d.ts +10 -0
  6. package/dist/agents.d.ts.map +1 -1
  7. package/dist/agents.js +51 -1
  8. package/dist/app-gate.d.ts +6 -0
  9. package/dist/app-gate.d.ts.map +1 -0
  10. package/dist/app-gate.js +69 -0
  11. package/dist/apps.d.ts +9 -0
  12. package/dist/apps.d.ts.map +1 -1
  13. package/dist/apps.js +26 -0
  14. package/dist/dashboard/account.d.ts +63 -0
  15. package/dist/dashboard/account.d.ts.map +1 -0
  16. package/dist/dashboard/account.js +488 -0
  17. package/dist/dashboard/api.js +15 -68
  18. package/dist/dashboard/auth.d.ts.map +1 -1
  19. package/dist/dashboard/auth.js +14 -14
  20. package/dist/dashboard/docs.d.ts.map +1 -1
  21. package/dist/dashboard/docs.js +146 -3
  22. package/dist/dashboard/layout.d.ts.map +1 -1
  23. package/dist/dashboard/layout.js +2 -2
  24. package/dist/dashboard/mcp-setup.d.ts +15 -0
  25. package/dist/dashboard/mcp-setup.d.ts.map +1 -0
  26. package/dist/dashboard/mcp-setup.js +391 -0
  27. package/dist/dashboard/showcase.d.ts +6 -10
  28. package/dist/dashboard/showcase.d.ts.map +1 -1
  29. package/dist/dashboard/showcase.js +67 -991
  30. package/dist/dashboard/whitepaper.d.ts.map +1 -1
  31. package/dist/dashboard/whitepaper.js +42 -4
  32. package/dist/index.d.ts +3 -0
  33. package/dist/index.d.ts.map +1 -1
  34. package/dist/index.js +452 -52
  35. package/dist/mcp.d.ts +20 -0
  36. package/dist/mcp.d.ts.map +1 -0
  37. package/dist/mcp.js +1290 -0
  38. package/dist/oauth-agent.d.ts +130 -0
  39. package/dist/oauth-agent.d.ts.map +1 -0
  40. package/dist/oauth-agent.js +194 -0
  41. package/dist/static.d.ts +732 -1
  42. package/dist/static.d.ts.map +1 -1
  43. package/dist/static.js +646 -2
  44. package/dist/tap-a2a-routes.d.ts +355 -0
  45. package/dist/tap-a2a-routes.d.ts.map +1 -0
  46. package/dist/tap-a2a-routes.js +475 -0
  47. package/dist/tap-a2a.d.ts +199 -0
  48. package/dist/tap-a2a.d.ts.map +1 -0
  49. package/dist/tap-a2a.js +502 -0
  50. package/dist/tap-agents.d.ts +15 -0
  51. package/dist/tap-agents.d.ts.map +1 -1
  52. package/dist/tap-agents.js +31 -1
  53. package/dist/tap-ans-routes.d.ts +302 -0
  54. package/dist/tap-ans-routes.d.ts.map +1 -0
  55. package/dist/tap-ans-routes.js +535 -0
  56. package/dist/tap-ans.d.ts +241 -0
  57. package/dist/tap-ans.d.ts.map +1 -0
  58. package/dist/tap-ans.js +481 -0
  59. package/dist/tap-delegation-routes.d.ts.map +1 -1
  60. package/dist/tap-delegation-routes.js +11 -0
  61. package/dist/tap-did.d.ts +140 -0
  62. package/dist/tap-did.d.ts.map +1 -0
  63. package/dist/tap-did.js +262 -0
  64. package/dist/tap-oidca-routes.d.ts +383 -0
  65. package/dist/tap-oidca-routes.d.ts.map +1 -0
  66. package/dist/tap-oidca-routes.js +597 -0
  67. package/dist/tap-oidca.d.ts +288 -0
  68. package/dist/tap-oidca.d.ts.map +1 -0
  69. package/dist/tap-oidca.js +461 -0
  70. package/dist/tap-routes.d.ts +24 -8
  71. package/dist/tap-routes.d.ts.map +1 -1
  72. package/dist/tap-routes.js +169 -23
  73. package/dist/tap-vc-routes.d.ts +358 -0
  74. package/dist/tap-vc-routes.d.ts.map +1 -0
  75. package/dist/tap-vc-routes.js +367 -0
  76. package/dist/tap-vc.d.ts +125 -0
  77. package/dist/tap-vc.d.ts.map +1 -0
  78. package/dist/tap-vc.js +245 -0
  79. package/dist/tap-x402-routes.d.ts +89 -0
  80. package/dist/tap-x402-routes.d.ts.map +1 -0
  81. package/dist/tap-x402-routes.js +579 -0
  82. package/dist/tap-x402.d.ts +222 -0
  83. package/dist/tap-x402.d.ts.map +1 -0
  84. package/dist/tap-x402.js +546 -0
  85. package/dist/webhooks.d.ts +99 -0
  86. package/dist/webhooks.d.ts.map +1 -0
  87. package/dist/webhooks.js +642 -0
  88. package/package.json +3 -1
package/dist/static.js CHANGED
@@ -86,6 +86,26 @@ curl https://botcha.ai/agent-only -H "Authorization: Bearer <token>"
86
86
  | \`GET\` | \`/v1/agents/:id\` | Get agent by ID (public, no auth) |
87
87
  | \`GET\` | \`/v1/agents\` | List all agents for your app (auth required) |
88
88
 
89
+ ### Webhooks (v0.22.0)
90
+
91
+ | Method | Path | Description |
92
+ |--------|------|-------------|
93
+ | \`POST\` | \`/v1/webhooks\` | Register a webhook endpoint (returns secret once) |
94
+ | \`GET\` | \`/v1/webhooks\` | List webhooks for your app |
95
+ | \`GET\` | \`/v1/webhooks/:id\` | Get webhook details |
96
+ | \`PUT\` | \`/v1/webhooks/:id\` | Update URL, event subscriptions, enabled state |
97
+ | \`DELETE\` | \`/v1/webhooks/:id\` | Delete webhook + secret + delivery logs |
98
+ | \`POST\` | \`/v1/webhooks/:id/test\` | Send a signed test event to endpoint |
99
+ | \`GET\` | \`/v1/webhooks/:id/deliveries\` | List last 100 delivery attempts |
100
+
101
+ Supported emitted events:
102
+ - \`agent.tap.registered\`
103
+ - \`token.created\`
104
+ - \`token.revoked\`
105
+ - \`tap.session.created\`
106
+ - \`delegation.created\`
107
+ - \`delegation.revoked\`
108
+
89
109
  ### TAP (Trusted Agent Protocol)
90
110
 
91
111
  | Method | Path | Description |
@@ -113,6 +133,85 @@ curl https://botcha.ai/agent-only -H "Authorization: Bearer <token>"
113
133
  | \`GET\` | \`/v1/invoices/:id\` | Get invoice details |
114
134
  | \`POST\` | \`/v1/invoices/:id/verify-iou\` | Verify Browsing IOU |
115
135
 
136
+ ### x402 Payment Gating (Epic 3 — v0.22.0)
137
+
138
+ Pay $0.001 USDC on Base to receive a BOTCHA verification token. No challenge required.
139
+
140
+ \`\`\`bash
141
+ # 1. Discover payment requirements
142
+ curl https://botcha.ai/v1/x402/info
143
+
144
+ # 2. Request without payment → 402
145
+ curl https://botcha.ai/v1/x402/challenge
146
+ # Response: 402 + X-Payment-Required: {"scheme":"exact","network":"eip155:8453",...}
147
+
148
+ # 3. Sign ERC-3009 transferWithAuthorization and encode as base64 JSON
149
+ PAYMENT_PROOF="base64({ scheme: 'exact', network: 'eip155:8453', payload: { from, to, value, validAfter, validBefore, nonce, signature } })"
150
+
151
+ # 4. Pay and receive token
152
+ curl https://botcha.ai/v1/x402/challenge -H "X-Payment: $PAYMENT_PROOF"
153
+ # Response: 200 + { access_token, refresh_token, payment: { txHash, payer, amount } }
154
+
155
+ # 5. Access double-gated resource (BOTCHA + x402)
156
+ curl https://botcha.ai/agent-only/x402 \
157
+ -H "Authorization: Bearer <access_token>" \
158
+ -H "X-Payment: $RESOURCE_PAYMENT_PROOF"
159
+ \`\`\`
160
+
161
+ | Method | Path | Description |
162
+ |--------|------|-------------|
163
+ | \`GET\` | \`/v1/x402/info\` | Payment configuration (wallet, amount, network) — PUBLIC |
164
+ | \`GET\` | \`/v1/x402/challenge\` | Pay → BOTCHA token (no app_id needed) — PUBLIC |
165
+ | \`POST\` | \`/v1/x402/verify-payment\` | Verify raw x402 payment proof — PUBLIC |
166
+ | \`POST\` | \`/v1/x402/webhook\` | Facilitator settlement webhook — PUBLIC |
167
+ | \`GET\` | \`/agent-only/x402\` | Demo: BOTCHA token + x402 payment required |
168
+
169
+ ### ANS (Agent Name Service)
170
+
171
+ | Method | Path | Description |
172
+ |--------|------|-------------|
173
+ | \`GET\` | \`/v1/ans/botcha\` | BOTCHA's ANS identity record — PUBLIC |
174
+ | \`GET\` | \`/v1/ans/resolve/:name\` | Resolve ANS name via DNS TXT — PUBLIC |
175
+ | \`GET\` | \`/v1/ans/resolve/lookup?name=...\` | Resolve ANS name via query parameter — PUBLIC |
176
+ | \`GET\` | \`/v1/ans/discover\` | List BOTCHA-verified ANS agents — PUBLIC |
177
+ | \`GET\` | \`/v1/ans/nonce/:name\` | Get ANS ownership nonce — AUTH REQUIRED |
178
+ | \`POST\` | \`/v1/ans/verify\` | Verify ANS ownership and issue badge — AUTH REQUIRED |
179
+
180
+ ### DID / Verifiable Credentials
181
+
182
+ | Method | Path | Description |
183
+ |--------|------|-------------|
184
+ | \`GET\` | \`/.well-known/did.json\` | BOTCHA DID document (did:web:botcha.ai) — PUBLIC |
185
+ | \`GET\` | \`/.well-known/jwks.json\` | JWKS alias for resolvers that append \`.json\` — PUBLIC |
186
+ | \`POST\` | \`/v1/credentials/issue\` | Issue BOTCHA VC from access token — AUTH REQUIRED |
187
+ | \`POST\` | \`/v1/credentials/verify\` | Verify BOTCHA VC JWT — PUBLIC |
188
+ | \`GET\` | \`/v1/dids/:did/resolve\` | Resolve did:web DID documents — PUBLIC |
189
+
190
+ ### A2A Agent Card Attestation
191
+
192
+ | Method | Path | Description |
193
+ |--------|------|-------------|
194
+ | \`GET\` | \`/.well-known/agent.json\` | BOTCHA A2A Agent Card discovery document — PUBLIC |
195
+ | \`GET\` | \`/v1/a2a/agent-card\` | BOTCHA A2A Agent Card alias — PUBLIC |
196
+ | \`POST\` | \`/v1/a2a/attest\` | Attest an A2A Agent Card (embeds JWT in extensions.botcha_attestation) — AUTH REQUIRED |
197
+ | \`POST\` | \`/v1/a2a/verify-card\` | Verify an attested A2A Agent Card — PUBLIC |
198
+ | \`POST\` | \`/v1/a2a/verify-agent\` | Verify by full card or by \`agent_url\` shorthand — PUBLIC |
199
+ | \`GET\` | \`/v1/a2a/trust-level/:agent_url\` | Get current trust level for URL-encoded agent URL — PUBLIC |
200
+ | \`GET\` | \`/v1/a2a/cards\` | List BOTCHA-attested A2A cards — PUBLIC |
201
+ | \`GET\` | \`/v1/a2a/cards/:id\` | Get specific A2A attestation record — PUBLIC |
202
+
203
+ ### OIDC-A Attestation
204
+
205
+ | Method | Path | Description |
206
+ |--------|------|-------------|
207
+ | \`GET\` | \`/.well-known/oauth-authorization-server\` | OAuth/OIDC-A authorization server metadata — PUBLIC |
208
+ | \`POST\` | \`/v1/attestation/eat\` | Issue Entity Attestation Token (EAT, RFC 9334 profile) — AUTH REQUIRED |
209
+ | \`POST\` | \`/v1/attestation/oidc-agent-claims\` | Issue OIDC-A claims block (JWT + decoded claims) — AUTH REQUIRED |
210
+ | \`POST\` | \`/v1/auth/agent-grant\` | Create OAuth-style agent grant — AUTH REQUIRED |
211
+ | \`GET\` | \`/v1/auth/agent-grant/:id/status\` | Poll pending grant status — AUTH REQUIRED |
212
+ | \`POST\` | \`/v1/auth/agent-grant/:id/resolve\` | Approve/deny grant — AUTH REQUIRED |
213
+ | \`GET\` | \`/v1/oidc/userinfo\` | OIDC-A UserInfo endpoint (accepts BOTCHA or EAT bearer token) — AUTH REQUIRED |
214
+
116
215
  ### TAP Full Spec — Verification (v0.16.0)
117
216
 
118
217
  | Method | Path | Description |
@@ -340,6 +439,14 @@ API: https://botcha.ai/openapi.json
340
439
  API-Type: REST
341
440
  API-Format: OpenAPI 3.1.0
342
441
 
442
+ # MCP Server (Model Context Protocol)
443
+ MCP: https://botcha.ai/mcp
444
+ MCP-Discovery: https://botcha.ai/.well-known/mcp.json
445
+ MCP-Transport: Streamable HTTP (2025-03-26 spec)
446
+ MCP-Protocol: JSON-RPC 2.0
447
+ MCP-Tools: list_features, get_feature, search_docs, list_endpoints, get_endpoint, get_example
448
+ MCP-Note: Ask the BOTCHA MCP server any question about features, endpoints, or code examples
449
+
343
450
  # Documentation
344
451
  Docs: https://botcha.ai
345
452
  Docs: https://botcha.ai/docs
@@ -366,6 +473,9 @@ Feature: Email-Tied App Creation (email required, 6-digit verification, account
366
473
  Feature: Secret Rotation (rotate app_secret with email notification)
367
474
  Feature: Agent-First Dashboard Auth (challenge-based login + device code handoff)
368
475
  Feature: Agent Registry (persistent agent identities with name, operator, version)
476
+ Feature: Agent Re-identification — prove you are the same agent in a new session via OAuth refresh token (brt_), provider API key hash, or Ed25519 keypair challenge-response
477
+ Feature: Agent OAuth Device Authorization Grant (RFC 8628) — human approves at /device, agent polls for brt_... refresh token valid 90 days
478
+ Feature: TAP Key Recovery — rotate lost keypair using app_secret as recovery anchor
369
479
  Feature: Trusted Agent Protocol (TAP) — cryptographic agent auth with HTTP Message Signatures (RFC 9421)
370
480
  Feature: TAP Capabilities (action + resource scoping for agent sessions)
371
481
  Feature: TAP Trust Levels (basic, verified, enterprise)
@@ -421,6 +531,21 @@ Endpoint: POST https://botcha.ai/gate - Submit code form, redirects to /go/:code
421
531
  Endpoint: POST https://botcha.ai/v1/agents/register - Register agent identity — requires app_id
422
532
  Endpoint: GET https://botcha.ai/v1/agents/:id - Get agent by ID (public, no auth) — requires app_id
423
533
  Endpoint: GET https://botcha.ai/v1/agents - List all agents for authenticated app — requires app_id
534
+ Endpoint: DELETE https://botcha.ai/v1/agents/:id - Delete agent — requires dashboard session
535
+
536
+ # Agent Re-identification (PUBLIC — no auth needed, proves same agent across sessions)
537
+ Endpoint: POST https://botcha.ai/v1/agents/auth - Step 1 keypair auth: { agent_id } → { challenge_id, nonce } — PUBLIC
538
+ Endpoint: POST https://botcha.ai/v1/agents/auth/verify - Step 2 keypair auth: { challenge_id, agent_id, signature } → { access_token } — PUBLIC
539
+ Endpoint: POST https://botcha.ai/v1/agents/auth/provider - Provider key auth: { provider, api_key, app_id } → { access_token } — PUBLIC
540
+ Endpoint: POST https://botcha.ai/v1/agents/auth/refresh - OAuth refresh: { refresh_token: "brt_..." } → { access_token } — PUBLIC
541
+
542
+ # Agent OAuth — Device Authorization Grant (RFC 8628)
543
+ Endpoint: POST https://botcha.ai/v1/oauth/device - Start device auth: { agent_id, app_id } → { device_code, user_code, verification_url, expires_in: 600, interval: 5 } — PUBLIC
544
+ Endpoint: POST https://botcha.ai/v1/oauth/token - Poll for token: { device_code, grant_type } → { access_token, refresh_token: "brt_..." } — PUBLIC
545
+ Endpoint: POST https://botcha.ai/v1/oauth/approve - Human approval: { user_code, action: "approve"|"deny" } — PUBLIC
546
+ Endpoint: POST https://botcha.ai/v1/oauth/revoke - Revoke refresh token: { agent_id, app_id } — PUBLIC
547
+ Endpoint: GET https://botcha.ai/v1/oauth/lookup - Agent info for approval UI: ?user_code=BOTCHA-XXXX → { agent_id, name, operator } — PUBLIC
548
+ Endpoint: GET https://botcha.ai/device - Human-facing OAuth approval page (requires dashboard login)
424
549
 
425
550
  # TAP (Trusted Agent Protocol) Endpoints (app_id required)
426
551
  Endpoint: POST https://botcha.ai/v1/agents/register/tap - Register TAP agent with public key + capabilities — requires app_id
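Review bot: `POST /v1/oauth/approve` (`{ user_code, action }`) and `POST /v1/oauth/revoke` (`{ agent_id, app_id }`) are both labelled PUBLIC under a heading that says "no auth needed", which read literally means anyone who guesses a short `BOTCHA-XXXX` code, or knows an agent_id (GET /v1/agents/:id is documented as public a few lines up), can approve a pending device grant or revoke another agent's 90-day refresh token. RFC 8628 §3.3 requires the end user to be authenticated at the authorization server before a user_code is acted on, and `/device` on the very next line is marked "requires dashboard login", so I suspect PUBLIC here means "no app_id" rather than "no session" — if so the labels should name the credential actually checked, e.g. `Human approval: { user_code, action } — requires dashboard session` and `Revoke refresh token: { agent_id, app_id } — requires Bearer token or app_secret`. If they really are unauthenticated, that is a server defect in oauth-agent.js (not in this hunk) rather than a wording issue, and it should be fixed there before the docs advertise it. Since `user_code` is low-entropy and `/v1/oauth/lookup?user_code=` is also public, the docs should state whatever attempt limit or rate limit applies to lookup/approve, if one exists.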
@@ -433,7 +558,7 @@ Endpoint: GET https://botcha.ai/v1/sessions/:id/tap - Get TAP session info — r
433
558
  Endpoint: GET https://botcha.ai/.well-known/jwks - JWK Set for app's TAP agents (Visa spec standard) — requires app_id
434
559
  Endpoint: GET https://botcha.ai/v1/keys - List keys (supports ?keyID= query for Visa compatibility) — requires app_id
435
560
  Endpoint: GET https://botcha.ai/v1/keys/:keyId - Get specific key by ID — requires app_id
436
- Endpoint: POST https://botcha.ai/v1/agents/:id/tap/rotate-key - Rotate agent's key pair — requires app_id
561
+ Endpoint: POST https://botcha.ai/v1/agents/:id/tap/rotate-key - Rotate agent's TAP keypair (accepts Bearer JWT or x-app-secret header for recovery) — requires app_id or app_secret
437
562
 
438
563
  # TAP Full Spec — 402 Micropayments (v0.16.0) (app_id required)
439
564
  Endpoint: POST https://botcha.ai/v1/invoices - Create invoice for gated content (402 flow) — requires app_id
@@ -444,6 +569,16 @@ Endpoint: POST https://botcha.ai/v1/invoices/:id/verify-iou - Verify Browsing IO
444
569
  Endpoint: POST https://botcha.ai/v1/verify/consumer - Verify Agentic Consumer object (Layer 2) — requires app_id
445
570
  Endpoint: POST https://botcha.ai/v1/verify/payment - Verify Agentic Payment Container (Layer 3) — requires app_id
446
571
 
572
+ # Webhooks (v0.22.0) (Bearer token with app_id claim required)
573
+ Endpoint: POST https://botcha.ai/v1/webhooks - Register webhook endpoint (returns signing secret once)
574
+ Endpoint: GET https://botcha.ai/v1/webhooks - List webhooks for authenticated app
575
+ Endpoint: GET https://botcha.ai/v1/webhooks/:id - Get webhook details
576
+ Endpoint: PUT https://botcha.ai/v1/webhooks/:id - Update url/events/enabled state
577
+ Endpoint: DELETE https://botcha.ai/v1/webhooks/:id - Delete webhook config + secret + delivery logs
578
+ Endpoint: POST https://botcha.ai/v1/webhooks/:id/test - Send signed test event
579
+ Endpoint: GET https://botcha.ai/v1/webhooks/:id/deliveries - List last 100 delivery attempts
580
+ Events: agent.tap.registered, token.created, token.revoked, tap.session.created, delegation.created, delegation.revoked
581
+
447
582
  # TAP Delegation Chains (v0.17.0) (app_id required)
448
583
  Endpoint: POST https://botcha.ai/v1/delegations - Create delegation (grantor→grantee with capability subset) — requires app_id
449
584
  Endpoint: GET https://botcha.ai/v1/delegations/:id - Get delegation details — requires app_id
@@ -470,8 +605,71 @@ Endpoint: POST https://botcha.ai/api/challenge - Verify standard challenge
470
605
  Endpoint: GET https://botcha.ai/api/speed-challenge - Generate speed challenge (500ms limit)
471
606
  Endpoint: POST https://botcha.ai/api/speed-challenge - Verify speed challenge
472
607
 
608
+ # x402 Payment Gating (Epic 3 — agents pay USDC, skip the challenge)
609
+ # Payment IS the credential on these endpoints — no app_id required
610
+ Feature: x402 HTTP Payment Required protocol — verified agents pay $0.001 USDC on Base and receive a BOTCHA token
611
+ Feature: Pay-for-verification — agents that don't want to solve a challenge can pay instead
612
+ Feature: Double-gated resources — requires BOTH BOTCHA token AND x402 micropayment
613
+ Feature: Webhook settlement — x402 facilitators notify BOTCHA of on-chain payments
614
+ Feature: Cryptographic EIP-712 signature verification (ERC-3009 transferWithAuthorization)
615
+ Endpoint: GET https://botcha.ai/v1/x402/info - x402 payment configuration (wallet, amount, network) — PUBLIC
616
+ Endpoint: GET https://botcha.ai/v1/x402/challenge - Pay $0.001 USDC → receive BOTCHA access_token — PUBLIC (x402 auth)
617
+ Without X-Payment header: 402 + X-Payment-Required: { scheme, network, maxAmountRequired, payTo, asset }
618
+ With valid X-Payment header: 200 + { access_token, refresh_token, payment: { txHash, payer, amount } }
619
+ Endpoint: POST https://botcha.ai/v1/x402/verify-payment - Verify a raw x402 payment proof — PUBLIC (facilitator utility)
620
+ Endpoint: POST https://botcha.ai/v1/x402/webhook - Settlement notifications from x402 facilitators — PUBLIC
621
+ Endpoint: GET https://botcha.ai/agent-only/x402 - Double-gated resource (BOTCHA token + x402 payment) — DEMO
622
+
623
+ # x402 Payment Details
624
+ x402-scheme: exact
625
+ x402-network: eip155:8453 (Base mainnet)
626
+ x402-asset: 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 (USDC on Base)
627
+ x402-price-units: 1000 (USDC atomic units, 6 decimals = $0.001)
628
+ x402-payment-method: ERC-3009 transferWithAuthorization (EIP-712 signed)
629
+ x402-header: X-Payment: <base64-encoded X402PaymentProof JSON>
630
+ x402-response-header: X-Payment-Response: { success, txHash, networkId }
631
+ x402-spec: https://x402.org
632
+
633
+ # ANS (Agent Name Service)
634
+ Feature: ANS resolution + BOTCHA-issued ANS verification badges
635
+ Endpoint: GET https://botcha.ai/v1/ans/botcha - BOTCHA ANS identity record — PUBLIC
636
+ Endpoint: GET https://botcha.ai/v1/ans/resolve/:name - Resolve ANS DNS TXT metadata — PUBLIC
637
+ Endpoint: GET https://botcha.ai/v1/ans/resolve/lookup?name=... - Resolve ANS name via query param — PUBLIC
638
+ Endpoint: GET https://botcha.ai/v1/ans/discover - List BOTCHA-verified ANS agents — PUBLIC
639
+ Endpoint: GET https://botcha.ai/v1/ans/nonce/:name - Get ownership nonce for key proof — AUTH REQUIRED
640
+ Endpoint: POST https://botcha.ai/v1/ans/verify - Verify ownership + issue BOTCHA-ANS badge — AUTH REQUIRED
641
+
642
+ # DID / Verifiable Credentials
643
+ Feature: W3C DID + VC issuance for portable BOTCHA trust assertions
644
+ Endpoint: GET https://botcha.ai/.well-known/did.json - BOTCHA DID document (did:web:botcha.ai) — PUBLIC
645
+ Endpoint: GET https://botcha.ai/.well-known/jwks.json - JWKS alias for DID/VC resolvers — PUBLIC
646
+ Endpoint: POST https://botcha.ai/v1/credentials/issue - Exchange BOTCHA access token for VC JWT — AUTH REQUIRED
647
+ Endpoint: POST https://botcha.ai/v1/credentials/verify - Verify BOTCHA VC JWT — PUBLIC
648
+ Endpoint: GET https://botcha.ai/v1/dids/:did/resolve - Resolve did:web DID documents — PUBLIC
649
+
650
+ # A2A Agent Card Attestation
651
+ Feature: BOTCHA as trust oracle for Google's A2A protocol
652
+ Endpoint: GET https://botcha.ai/.well-known/agent.json - BOTCHA A2A Agent Card discovery document — PUBLIC
653
+ Endpoint: GET https://botcha.ai/v1/a2a/agent-card - BOTCHA A2A Agent Card alias — PUBLIC
654
+ Endpoint: POST https://botcha.ai/v1/a2a/attest - Attest an A2A Agent Card (embed JWT in extensions.botcha_attestation) — AUTH REQUIRED
655
+ Endpoint: POST https://botcha.ai/v1/a2a/verify-card - Verify an attested A2A Agent Card — PUBLIC
656
+ Endpoint: POST https://botcha.ai/v1/a2a/verify-agent - Verify by full card or by { agent_url } shorthand — PUBLIC
657
+ Endpoint: GET https://botcha.ai/v1/a2a/trust-level/:agent_url - Get trust level by URL-encoded agent URL — PUBLIC
658
+ Endpoint: GET https://botcha.ai/v1/a2a/cards - List BOTCHA-attested A2A cards — PUBLIC
659
+ Endpoint: GET https://botcha.ai/v1/a2a/cards/:id - Get specific A2A attestation record — PUBLIC
660
+
661
+ # OIDC-A Attestation
662
+ Feature: Enterprise OIDC/OAuth2 attestation chain for agents (EAT + OIDC-A claims + grant workflow)
663
+ Endpoint: GET https://botcha.ai/.well-known/oauth-authorization-server - OAuth/OIDC-A metadata discovery — PUBLIC
664
+ Endpoint: POST https://botcha.ai/v1/attestation/eat - Issue Entity Attestation Token (EAT) — AUTH REQUIRED
665
+ Endpoint: POST https://botcha.ai/v1/attestation/oidc-agent-claims - Issue OIDC-A claims JWT + decoded claims — AUTH REQUIRED
666
+ Endpoint: POST https://botcha.ai/v1/auth/agent-grant - Request agent grant (supports HITL oversight) — AUTH REQUIRED
667
+ Endpoint: GET https://botcha.ai/v1/auth/agent-grant/:id/status - Poll grant status (pending/approved/denied) — AUTH REQUIRED
668
+ Endpoint: POST https://botcha.ai/v1/auth/agent-grant/:id/resolve - Resolve pending grant (approved/denied) — AUTH REQUIRED
669
+ Endpoint: GET https://botcha.ai/v1/oidc/userinfo - OIDC-A UserInfo endpoint (BOTCHA or EAT bearer token) — AUTH REQUIRED
670
+
473
671
  # Protected Resources
474
- Endpoint: GET https://botcha.ai/agent-only - Protected AI-only resource
672
+ Endpoint: GET https://botcha.ai/agent-only - Protected AI-only resource (BOTCHA token required)
475
673
 
476
674
  # Usage
477
675
  Install-NPM: npm install @dupecom/botcha
@@ -535,6 +733,14 @@ SDK-App-Lifecycle-Python: create_app(email), verify_email(code, app_id?, app_sec
535
733
  Multi-Tenant-Rate-Limit: Each app gets isolated rate limit bucket
536
734
  Multi-Tenant-Token-Claim: Tokens include app_id claim when app_id provided
537
735
 
736
+ # AGENT RE-IDENTIFICATION
737
+ ReIdentification-Description: Prove you are the same agent across sessions without solving a new challenge. Three methods available.
738
+ ReIdentification-Method-A: OAuth device grant (RFC 8628) — RECOMMENDED. POST /v1/oauth/device {agent_id, app_id} → {device_code, user_code: "BOTCHA-XXXX", verification_url}. Human visits /device, approves. Agent polls POST /v1/oauth/token → {access_token, refresh_token: "brt_..."}. Future sessions: POST /v1/agents/auth/refresh {refresh_token} → {access_token}.
739
+ ReIdentification-Method-B: Provider API key hash. POST /v1/agents/auth/provider {provider: "anthropic", api_key, app_id} → {access_token}. Works if agent was registered with provider binding.
740
+ ReIdentification-Method-C: TAP keypair challenge-response. POST /v1/agents/auth {agent_id} → {challenge_id, nonce}. Sign nonce with Ed25519 private key. POST /v1/agents/auth/verify {challenge_id, agent_id, signature} → {access_token}.
741
+ ReIdentification-KeyRecovery: Lost tapk_ key? POST /v1/agents/:id/tap/rotate-key with x-app-secret header → provide new public_key → old key invalidated, agent_id and reputation preserved.
742
+ ReIdentification-TokenLifetime: access_token = 1 hour (botcha-agent-identity JWT). brt_ refresh_token = 90 days.
743
+
538
744
  # TRUSTED AGENT PROTOCOL (TAP)
539
745
  TAP-Description: Enterprise-grade cryptographic agent auth using HTTP Message Signatures (RFC 9421)
540
746
  TAP-Register: POST /v1/agents/register/tap with {name, public_key, signature_algorithm, capabilities, trust_level}
@@ -1501,6 +1707,444 @@ export function getOpenApiSpec(version) {
1501
1707
  }
1502
1708
  }
1503
1709
  },
1710
+ "/v1/webhooks": {
1711
+ post: {
1712
+ summary: "Register webhook endpoint",
1713
+ description: "Create a webhook for the authenticated app. Returns signing secret once at creation.",
1714
+ operationId: "createWebhook",
1715
+ requestBody: {
1716
+ required: true,
1717
+ content: {
1718
+ "application/json": {
1719
+ schema: {
1720
+ type: "object",
1721
+ required: ["url"],
1722
+ properties: {
1723
+ "url": { type: "string", description: "HTTPS destination URL" },
1724
+ "events": {
1725
+ type: "array",
1726
+ description: "Optional event filter. Defaults to all supported events.",
1727
+ items: {
1728
+ type: "string",
1729
+ enum: [
1730
+ "agent.tap.registered",
1731
+ "token.created",
1732
+ "token.revoked",
1733
+ "tap.session.created",
1734
+ "delegation.created",
1735
+ "delegation.revoked"
1736
+ ]
1737
+ }
1738
+ }
1739
+ }
1740
+ }
1741
+ }
1742
+ }
1743
+ },
1744
+ responses: {
1745
+ "201": { description: "Webhook created (includes one-time secret)" },
1746
+ "400": { description: "Invalid url/events or webhook limit reached" },
1747
+ "401": { description: "Unauthorized" },
1748
+ "403": { description: "Token missing app_id" }
1749
+ }
1750
+ },
1751
+ get: {
1752
+ summary: "List webhooks",
1753
+ description: "List all webhook configurations for the authenticated app.",
1754
+ operationId: "listWebhooks",
1755
+ responses: {
1756
+ "200": { description: "Webhook list" },
1757
+ "401": { description: "Unauthorized" },
1758
+ "403": { description: "Token missing app_id" }
1759
+ }
1760
+ }
1761
+ },
1762
+ "/v1/webhooks/{id}": {
1763
+ get: {
1764
+ summary: "Get webhook",
1765
+ operationId: "getWebhook",
1766
+ parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
1767
+ responses: {
1768
+ "200": { description: "Webhook details" },
1769
+ "401": { description: "Unauthorized" },
1770
+ "403": { description: "Forbidden" },
1771
+ "404": { description: "Webhook not found" }
1772
+ }
1773
+ },
1774
+ put: {
1775
+ summary: "Update webhook",
1776
+ operationId: "updateWebhook",
1777
+ parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
1778
+ requestBody: {
1779
+ required: true,
1780
+ content: {
1781
+ "application/json": {
1782
+ schema: {
1783
+ type: "object",
1784
+ properties: {
1785
+ "url": { type: "string", description: "Updated HTTPS destination URL" },
1786
+ "enabled": { type: "boolean", description: "Enable/disable webhook delivery" },
1787
+ "events": {
1788
+ type: "array",
1789
+ items: {
1790
+ type: "string",
1791
+ enum: [
1792
+ "agent.tap.registered",
1793
+ "token.created",
1794
+ "token.revoked",
1795
+ "tap.session.created",
1796
+ "delegation.created",
1797
+ "delegation.revoked"
1798
+ ]
1799
+ }
1800
+ }
1801
+ }
1802
+ }
1803
+ }
1804
+ }
1805
+ },
1806
+ responses: {
1807
+ "200": { description: "Webhook updated" },
1808
+ "400": { description: "Invalid request body" },
1809
+ "401": { description: "Unauthorized" },
1810
+ "403": { description: "Forbidden" },
1811
+ "404": { description: "Webhook not found" }
1812
+ }
1813
+ },
1814
+ delete: {
1815
+ summary: "Delete webhook",
1816
+ operationId: "deleteWebhook",
1817
+ parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
1818
+ responses: {
1819
+ "200": { description: "Webhook deleted" },
1820
+ "401": { description: "Unauthorized" },
1821
+ "403": { description: "Forbidden" },
1822
+ "404": { description: "Webhook not found" }
1823
+ }
1824
+ }
1825
+ },
1826
+ "/v1/webhooks/{id}/test": {
1827
+ post: {
1828
+ summary: "Send test webhook event",
1829
+ operationId: "testWebhook",
1830
+ parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
1831
+ responses: {
1832
+ "200": { description: "Test delivery attempt response" },
1833
+ "401": { description: "Unauthorized" },
1834
+ "403": { description: "Forbidden" },
1835
+ "404": { description: "Webhook not found" }
1836
+ }
1837
+ }
1838
+ },
1839
+ "/v1/webhooks/{id}/deliveries": {
1840
+ get: {
1841
+ summary: "List webhook delivery attempts",
1842
+ operationId: "listWebhookDeliveries",
1843
+ parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
1844
+ responses: {
1845
+ "200": { description: "Recent delivery attempts" },
1846
+ "401": { description: "Unauthorized" },
1847
+ "403": { description: "Forbidden" },
1848
+ "404": { description: "Webhook not found" }
1849
+ }
1850
+ }
1851
+ },
1852
+ "/.well-known/agent.json": {
1853
+ get: {
1854
+ summary: "BOTCHA A2A Agent Card",
1855
+ description: "Public A2A discovery document for BOTCHA.",
1856
+ operationId: "getBotchaA2ACard",
1857
+ responses: {
1858
+ "200": { description: "A2A Agent Card JSON" }
1859
+ }
1860
+ }
1861
+ },
1862
+ "/v1/a2a/agent-card": {
1863
+ get: {
1864
+ summary: "BOTCHA A2A Agent Card alias",
1865
+ description: "Alias for /.well-known/agent.json.",
1866
+ operationId: "getBotchaA2ACardAlias",
1867
+ responses: {
1868
+ "200": { description: "A2A Agent Card JSON" }
1869
+ }
1870
+ }
1871
+ },
1872
+ "/v1/a2a/attest": {
1873
+ post: {
1874
+ summary: "Attest an A2A Agent Card",
1875
+ description: "Issue a BOTCHA attestation and embed it in extensions.botcha_attestation.",
1876
+ operationId: "attestA2ACard",
1877
+ requestBody: {
1878
+ required: true,
1879
+ content: {
1880
+ "application/json": {
1881
+ schema: {
1882
+ type: "object",
1883
+ required: ["card"],
1884
+ properties: {
1885
+ "card": { type: "object", description: "A2A Agent Card JSON" },
1886
+ "duration_seconds": { type: "integer", description: "TTL in seconds (default 86400, max 2592000)" },
1887
+ "trust_level": { type: "string", enum: ["basic", "verified", "enterprise"], description: "Trust level label" }
1888
+ }
1889
+ }
1890
+ }
1891
+ }
1892
+ },
1893
+ responses: {
1894
+ "201": { description: "Card attested successfully" },
1895
+ "400": { description: "Invalid card payload" },
1896
+ "401": { description: "Unauthorized" },
1897
+ "403": { description: "Token missing app_id" }
1898
+ }
1899
+ }
1900
+ },
1901
+ "/v1/a2a/verify-card": {
1902
+ post: {
1903
+ summary: "Verify an attested A2A Agent Card",
1904
+ operationId: "verifyA2ACard",
1905
+ requestBody: {
1906
+ required: true,
1907
+ content: {
1908
+ "application/json": {
1909
+ schema: {
1910
+ type: "object",
1911
+ required: ["card"],
1912
+ properties: {
1913
+ "card": { type: "object", description: "A2A Agent Card with extensions.botcha_attestation" }
1914
+ }
1915
+ }
1916
+ }
1917
+ }
1918
+ },
1919
+ responses: {
1920
+ "200": { description: "Verification result (valid true/false)" },
1921
+ "400": { description: "Missing card payload" }
1922
+ }
1923
+ }
1924
+ },
1925
+ "/v1/a2a/verify-agent": {
1926
+ post: {
1927
+ summary: "Verify agent by card or URL",
1928
+ description: "Verify by full agent_card payload or by agent_url shorthand lookup.",
1929
+ operationId: "verifyA2AAgent",
1930
+ requestBody: {
1931
+ required: true,
1932
+ content: {
1933
+ "application/json": {
1934
+ schema: {
1935
+ type: "object",
1936
+ properties: {
1937
+ "agent_card": { type: "object", description: "A2A Agent Card with embedded attestation" },
1938
+ "agent_url": { type: "string", description: "Agent URL shorthand for latest active attestation lookup" }
1939
+ }
1940
+ }
1941
+ }
1942
+ }
1943
+ },
1944
+ responses: {
1945
+ "200": { description: "Verification result" },
1946
+ "400": { description: "Missing agent_card or agent_url" },
1947
+ "404": { description: "No active attestation found for agent_url" }
1948
+ }
1949
+ }
1950
+ },
1951
+ "/v1/a2a/trust-level/{agent_url}": {
1952
+ get: {
1953
+ summary: "Get trust level for agent URL",
1954
+ operationId: "getA2ATrustLevel",
1955
+ parameters: [
1956
+ { name: "agent_url", in: "path", required: true, schema: { type: "string" }, description: "URL-encoded agent URL" }
1957
+ ],
1958
+ responses: {
1959
+ "200": { description: "Trust level result" },
1960
+ "400": { description: "Missing agent_url" }
1961
+ }
1962
+ }
1963
+ },
1964
+ "/v1/a2a/cards": {
1965
+ get: {
1966
+ summary: "List attested A2A cards",
1967
+ operationId: "listA2ACards",
1968
+ parameters: [
1969
+ { name: "verified", in: "query", schema: { type: "boolean" }, description: "Set false to include revoked records" },
1970
+ { name: "agent_url", in: "query", schema: { type: "string" }, description: "Filter by agent URL" },
1971
+ { name: "limit", in: "query", schema: { type: "integer", maximum: 200 }, description: "Max records (default 50)" }
1972
+ ],
1973
+ responses: {
1974
+ "200": { description: "A2A attestation registry list" }
1975
+ }
1976
+ }
1977
+ },
1978
+ "/v1/a2a/cards/{id}": {
1979
+ get: {
1980
+ summary: "Get A2A attestation by ID",
1981
+ operationId: "getA2ACardAttestation",
1982
+ parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
1983
+ responses: {
1984
+ "200": { description: "A2A attestation record" },
1985
+ "404": { description: "Attestation not found or expired" }
1986
+ }
1987
+ }
1988
+ },
1989
+ "/.well-known/oauth-authorization-server": {
1990
+ get: {
1991
+ summary: "OIDC/OAuth authorization server metadata",
1992
+ description: "RFC 8414 authorization server metadata with OIDC-A specific endpoints.",
1993
+ operationId: "getOIDCAuthorizationServerMetadata",
1994
+ responses: {
1995
+ "200": { description: "Authorization server metadata" }
1996
+ }
1997
+ }
1998
+ },
1999
+ "/v1/attestation/eat": {
2000
+ post: {
2001
+ summary: "Issue Entity Attestation Token (EAT)",
2002
+ description: "Issue a signed EAT token from a verified BOTCHA bearer token.",
2003
+ operationId: "issueEAT",
2004
+ requestBody: {
2005
+ content: {
2006
+ "application/json": {
2007
+ schema: {
2008
+ type: "object",
2009
+ properties: {
2010
+ "nonce": { type: "string", description: "Optional nonce for freshness binding" },
2011
+ "agent_model": { type: "string", description: "Optional agent model label" },
2012
+ "ttl_seconds": { type: "integer", description: "Optional TTL in seconds (max 3600)" },
2013
+ "verification_method": { type: "string", description: "Verification method label override" }
2014
+ }
2015
+ }
2016
+ }
2017
+ }
2018
+ },
2019
+ responses: {
2020
+ "200": { description: "EAT token issued" },
2021
+ "400": { description: "Invalid request (e.g., ttl_seconds)" },
2022
+ "401": { description: "Unauthorized" },
2023
+ "503": { description: "Signing key not configured" }
2024
+ }
2025
+ }
2026
+ },
2027
+ "/v1/attestation/oidc-agent-claims": {
2028
+ post: {
2029
+ summary: "Issue OIDC-A claims block",
2030
+ description: "Issue OIDC-A claims JWT and decoded claims object for embedding in ID tokens.",
2031
+ operationId: "issueOIDCAgentClaims",
2032
+ requestBody: {
2033
+ content: {
2034
+ "application/json": {
2035
+ schema: {
2036
+ type: "object",
2037
+ properties: {
2038
+ "agent_model": { type: "string" },
2039
+ "agent_version": { type: "string" },
2040
+ "agent_capabilities": { type: "array", items: { type: "string" } },
2041
+ "agent_operator": { type: "string" },
2042
+ "delegation_chain": { type: "array", items: { type: "string" } },
2043
+ "human_oversight_required": { type: "boolean" },
2044
+ "oversight_contact": { type: "string" },
2045
+ "task_id": { type: "string" },
2046
+ "task_purpose": { type: "string" },
2047
+ "scope": { type: "string" },
2048
+ "nonce": { type: "string" }
2049
+ }
2050
+ }
2051
+ }
2052
+ }
2053
+ },
2054
+ responses: {
2055
+ "200": { description: "OIDC-A claims issued" },
2056
+ "401": { description: "Unauthorized" },
2057
+ "503": { description: "Signing key not configured" }
2058
+ }
2059
+ }
2060
+ },
2061
+ "/v1/auth/agent-grant": {
2062
+ post: {
2063
+ summary: "Create agent authorization grant",
2064
+ description: "Issue an OAuth-style agent grant with optional human-in-the-loop status flow.",
2065
+ operationId: "createAgentGrant",
2066
+ requestBody: {
2067
+ content: {
2068
+ "application/json": {
2069
+ schema: {
2070
+ type: "object",
2071
+ properties: {
2072
+ "scope": { type: "string", description: "Space-separated requested scope string" },
2073
+ "human_oversight_required": { type: "boolean" },
2074
+ "agent_model": { type: "string" },
2075
+ "agent_version": { type: "string" },
2076
+ "agent_capabilities": { type: "array", items: { type: "string" } },
2077
+ "agent_operator": { type: "string" },
2078
+ "task_id": { type: "string" },
2079
+ "task_purpose": { type: "string" },
2080
+ "delegation_chain": { type: "array", items: { type: "string" } },
2081
+ "constraints": { type: "object" }
2082
+ }
2083
+ }
2084
+ }
2085
+ }
2086
+ },
2087
+ responses: {
2088
+ "200": { description: "Grant issued (or pending human approval)" },
2089
+ "401": { description: "Unauthorized" },
2090
+ "503": { description: "Signing key not configured" }
2091
+ }
2092
+ }
2093
+ },
2094
+ "/v1/auth/agent-grant/{id}/status": {
2095
+ get: {
2096
+ summary: "Get agent grant status",
2097
+ operationId: "getAgentGrantStatus",
2098
+ parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
2099
+ responses: {
2100
+ "200": { description: "Grant status payload" },
2101
+ "401": { description: "Unauthorized" },
2102
+ "403": { description: "Forbidden (app ownership required)" },
2103
+ "404": { description: "Grant not found or expired" }
2104
+ }
2105
+ }
2106
+ },
2107
+ "/v1/auth/agent-grant/{id}/resolve": {
2108
+ post: {
2109
+ summary: "Resolve pending agent grant",
2110
+ description: "Approve or deny a pending human-in-the-loop grant.",
2111
+ operationId: "resolveAgentGrant",
2112
+ parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
2113
+ requestBody: {
2114
+ required: true,
2115
+ content: {
2116
+ "application/json": {
2117
+ schema: {
2118
+ type: "object",
2119
+ required: ["decision"],
2120
+ properties: {
2121
+ "decision": { type: "string", enum: ["approved", "denied"] },
2122
+ "reason": { type: "string", description: "Required when decision is denied" }
2123
+ }
2124
+ }
2125
+ }
2126
+ }
2127
+ },
2128
+ responses: {
2129
+ "200": { description: "Grant resolved" },
2130
+ "400": { description: "Invalid decision or missing reason" },
2131
+ "401": { description: "Unauthorized" },
2132
+ "403": { description: "Forbidden (app ownership required)" },
2133
+ "404": { description: "Grant not found or expired" }
2134
+ }
2135
+ }
2136
+ },
2137
+ "/v1/oidc/userinfo": {
2138
+ get: {
2139
+ summary: "OIDC-A UserInfo endpoint",
2140
+ description: "Returns OIDC-compatible UserInfo claims for BOTCHA or EAT bearer tokens.",
2141
+ operationId: "getOIDCUserInfo",
2142
+ responses: {
2143
+ "200": { description: "OIDC UserInfo payload" },
2144
+ "401": { description: "Unauthorized" }
2145
+ }
2146
+ }
2147
+ },
1504
2148
  "/v1/agents/register/tap": {
1505
2149
  post: {
1506
2150
  summary: "Register a TAP-enabled agent",