[{"data":1,"prerenderedAt":3105},["ShallowReactive",2],{"navigation":3,"/getting-started/developers":145,"/getting-started/developers-surround":3100},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":24,"body":147,"description":3094,"extension":3095,"links":3096,"meta":3097,"navigation":254,"path":25,"seo":3098,"stem":26,"__hash__":3099},"docs/1.getting-started/5.developers.md",{"type":148,"value":149,"toc":3065},"minimark",[150,154,162,167,194,198,204,473,481,484,488,505,509,512,559,563,566,695,698,829,848,852,855,860,903,905,936,945,949,1180,1182,1284,1290,1294,1297,1404,1406,1668,1672,1747,1757,1800,1804,1810,1837,1865,1867,1999,2011,2015,2018,2083,2085,2162,2166,2169,2430,2434,2438,2444,2492,2497,2501,2504,2557,2559,2710,2715,2745,2749,2754,2758,2806,2810,2887,2891,2981,2985,3008,3012,3061],[151,152,24],"h1",{"id":153},"developers",[155,156,157,158,161],"p",{},"This page documents the raw HTTP API for building custom integrations with OpenApe. For most use cases, use the ",[159,160,57],"a",{"href":58}," instead.",[163,164,166],"h2",{"id":165},"prerequisites","Prerequisites",[168,169,170,178,185],"ul",{},[171,172,173,174,177],"li",{},"A running OpenApe IdP (see ",[159,175,176],{"href":21},"Quick Start",")",[171,179,180,181,177],{},"The IdP's Management Token (set via ",[182,183,184],"code",{},"NUXT_OPENAPE_IDP_MANAGEMENT_TOKEN",[171,186,187,190,191],{},[182,188,189],{},"grapes"," CLI installed: ",[182,192,193],{},"npm i -g @openape/grapes",[163,195,197],{"id":196},"the-quick-way-grapes-cli","The Quick Way (grapes CLI)",[155,199,200,201,203],{},"For most use cases, the ",[182,202,189],{}," CLI handles the entire flow:",[205,206,211],"pre",{"className":207,"code":208,"language":209,"meta":210,"style":210},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# 1. Generate agent key\nssh-keygen -t ed25519 -f ~/.ssh/agent_key -N \"\"\n\n# 2. Enroll (admin operation — still requires curl or the IdP admin UI)\ncurl -X POST https://id.example.com/api/agent/enroll \\\n  -H \"Authorization: Bearer \u003Cmanagement-token>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"email\\\":\\\"agent+deploy@example.com\\\",\\\"name\\\":\\\"deploy-bot\\\",\\\"publicKey\\\":\\\"$(cat ~/.ssh/agent_key.pub)\\\"}\"\n\n# 3. Login as agent\ngrapes login --idp https://id.example.com --key ~/.ssh/agent_key --email agent+deploy@example.com\n\n# 4. Request a grant and execute\ngrapes run escapes \"systemctl restart nginx\" --reason \"Deploy hotfix #42\"\n# → Requests grant... waiting for approval... approved! Executing.\n","bash","",[182,212,213,222,249,256,262,281,298,312,392,397,403,428,433,439,467],{"__ignoreMap":210},[214,215,218],"span",{"class":216,"line":217},"line",1,[214,219,221],{"class":220},"sHwdD","# 1. Generate agent key\n",[214,223,225,229,233,236,239,242,245],{"class":216,"line":224},2,[214,226,228],{"class":227},"sBMFI","ssh-keygen",[214,230,232],{"class":231},"sfazB"," -t",[214,234,235],{"class":231}," ed25519",[214,237,238],{"class":231}," -f",[214,240,241],{"class":231}," ~/.ssh/agent_key",[214,243,244],{"class":231}," -N",[214,246,248],{"class":247},"sMK4o"," \"\"\n",[214,250,252],{"class":216,"line":251},3,[214,253,255],{"emptyLinePlaceholder":254},true,"\n",[214,257,259],{"class":216,"line":258},4,[214,260,261],{"class":220},"# 2. Enroll (admin operation — still requires curl or the IdP admin UI)\n",[214,263,265,268,271,274,277],{"class":216,"line":264},5,[214,266,267],{"class":227},"curl",[214,269,270],{"class":231}," -X",[214,272,273],{"class":231}," POST",[214,275,276],{"class":231}," https://id.example.com/api/agent/enroll",[214,278,280],{"class":279},"sTEyZ"," \\\n",[214,282,284,287,290,293,296],{"class":216,"line":283},6,[214,285,286],{"class":231},"  -H",[214,288,289],{"class":247}," \"",[214,291,292],{"class":231},"Authorization: Bearer \u003Cmanagement-token>",[214,294,295],{"class":247},"\"",[214,297,280],{"class":279},[214,299,301,303,305,308,310],{"class":216,"line":300},7,[214,302,286],{"class":231},[214,304,289],{"class":247},[214,306,307],{"class":231},"Content-Type: application/json",[214,309,295],{"class":247},[214,311,280],{"class":279},[214,313,315,318,320,323,326,329,331,334,336,339,341,344,346,349,351,353,355,358,360,362,364,367,369,371,373,376,379,382,384,386,389],{"class":216,"line":314},8,[214,316,317],{"class":231},"  -d",[214,319,289],{"class":247},[214,321,322],{"class":231},"{",[214,324,325],{"class":279},"\\\"",[214,327,328],{"class":231},"email",[214,330,325],{"class":279},[214,332,333],{"class":231},":",[214,335,325],{"class":279},[214,337,338],{"class":231},"agent+deploy@example.com",[214,340,325],{"class":279},[214,342,343],{"class":231},",",[214,345,325],{"class":279},[214,347,348],{"class":231},"name",[214,350,325],{"class":279},[214,352,333],{"class":231},[214,354,325],{"class":279},[214,356,357],{"class":231},"deploy-bot",[214,359,325],{"class":279},[214,361,343],{"class":231},[214,363,325],{"class":279},[214,365,366],{"class":231},"publicKey",[214,368,325],{"class":279},[214,370,333],{"class":231},[214,372,325],{"class":279},[214,374,375],{"class":247},"$(",[214,377,378],{"class":227},"cat",[214,380,381],{"class":231}," ~/.ssh/agent_key.pub",[214,383,177],{"class":247},[214,385,325],{"class":279},[214,387,388],{"class":231},"}",[214,390,391],{"class":247},"\"\n",[214,393,395],{"class":216,"line":394},9,[214,396,255],{"emptyLinePlaceholder":254},[214,398,400],{"class":216,"line":399},10,[214,401,402],{"class":220},"# 3. Login as agent\n",[214,404,406,408,411,414,417,420,422,425],{"class":216,"line":405},11,[214,407,189],{"class":227},[214,409,410],{"class":231}," login",[214,412,413],{"class":231}," --idp",[214,415,416],{"class":231}," https://id.example.com",[214,418,419],{"class":231}," --key",[214,421,241],{"class":231},[214,423,424],{"class":231}," --email",[214,426,427],{"class":231}," agent+deploy@example.com\n",[214,429,431],{"class":216,"line":430},12,[214,432,255],{"emptyLinePlaceholder":254},[214,434,436],{"class":216,"line":435},13,[214,437,438],{"class":220},"# 4. Request a grant and execute\n",[214,440,442,444,447,450,452,455,457,460,462,465],{"class":216,"line":441},14,[214,443,189],{"class":227},[214,445,446],{"class":231}," run",[214,448,449],{"class":231}," escapes",[214,451,289],{"class":247},[214,453,454],{"class":231},"systemctl restart nginx",[214,456,295],{"class":247},[214,458,459],{"class":231}," --reason",[214,461,289],{"class":247},[214,463,464],{"class":231},"Deploy hotfix #42",[214,466,391],{"class":247},[214,468,470],{"class":216,"line":469},15,[214,471,472],{"class":220},"# → Requests grant... waiting for approval... approved! Executing.\n",[155,474,475,476,480],{},"That's it. The rest of this page documents the ",[477,478,479],"strong",{},"raw API"," for advanced integrations.",[482,483],"hr",{},[163,485,487],{"id":486},"raw-api-reference","Raw API Reference",[489,490,492],"callout",{"type":491},"info",[155,493,494,495,497,498,500,501,504],{},"The following sections use ",[182,496,267],{}," to show the raw HTTP API. Use these when building your own integration or when ",[182,499,189],{}," doesn't fit your workflow. All examples use ",[182,502,503],{},"https://id.example.com"," as the IdP URL.",[163,506,508],{"id":507},"step-1-generate-an-ed25519-key-pair","Step 1: Generate an Ed25519 Key Pair",[155,510,511],{},"The agent needs an Ed25519 key pair for authentication. The public key is registered with the IdP, the private key stays with the agent.",[205,513,515],{"className":207,"code":514,"language":209,"meta":210,"style":210},"# Generate a new Ed25519 key pair (no passphrase for automation)\nssh-keygen -t ed25519 -f ~/.ssh/agent_key -N \"\"\n\n# View the public key (this is what you register with the IdP)\ncat ~/.ssh/agent_key.pub\n# Output: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... user@host\n",[182,516,517,522,538,542,547,554],{"__ignoreMap":210},[214,518,519],{"class":216,"line":217},[214,520,521],{"class":220},"# Generate a new Ed25519 key pair (no passphrase for automation)\n",[214,523,524,526,528,530,532,534,536],{"class":216,"line":224},[214,525,228],{"class":227},[214,527,232],{"class":231},[214,529,235],{"class":231},[214,531,238],{"class":231},[214,533,241],{"class":231},[214,535,244],{"class":231},[214,537,248],{"class":247},[214,539,540],{"class":216,"line":251},[214,541,255],{"emptyLinePlaceholder":254},[214,543,544],{"class":216,"line":258},[214,545,546],{"class":220},"# View the public key (this is what you register with the IdP)\n",[214,548,549,551],{"class":216,"line":264},[214,550,378],{"class":227},[214,552,553],{"class":231}," ~/.ssh/agent_key.pub\n",[214,555,556],{"class":216,"line":283},[214,557,558],{"class":220},"# Output: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... user@host\n",[163,560,562],{"id":561},"step-2-enroll-the-agent","Step 2: Enroll the Agent",[155,564,565],{},"Register the agent with the IdP using the Management Token.",[205,567,569],{"className":207,"code":568,"language":209,"meta":210,"style":210},"PUBLIC_KEY=$(cat ~/.ssh/agent_key.pub)\n\ncurl -X POST https://id.example.com/api/agent/enroll \\\n  -H \"Authorization: Bearer my-secret-management-token\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\n    \\\"email\\\": \\\"agent+deploy@example.com\\\",\n    \\\"name\\\": \\\"deploy-bot\\\",\n    \\\"publicKey\\\": \\\"$PUBLIC_KEY\\\"\n  }\"\n",[182,570,571,586,590,602,615,627,636,657,675,688],{"__ignoreMap":210},[214,572,573,576,579,581,583],{"class":216,"line":217},[214,574,575],{"class":279},"PUBLIC_KEY",[214,577,578],{"class":247},"=$(",[214,580,378],{"class":227},[214,582,381],{"class":231},[214,584,585],{"class":247},")\n",[214,587,588],{"class":216,"line":224},[214,589,255],{"emptyLinePlaceholder":254},[214,591,592,594,596,598,600],{"class":216,"line":251},[214,593,267],{"class":227},[214,595,270],{"class":231},[214,597,273],{"class":231},[214,599,276],{"class":231},[214,601,280],{"class":279},[214,603,604,606,608,611,613],{"class":216,"line":258},[214,605,286],{"class":231},[214,607,289],{"class":247},[214,609,610],{"class":231},"Authorization: Bearer my-secret-management-token",[214,612,295],{"class":247},[214,614,280],{"class":279},[214,616,617,619,621,623,625],{"class":216,"line":264},[214,618,286],{"class":231},[214,620,289],{"class":247},[214,622,307],{"class":231},[214,624,295],{"class":247},[214,626,280],{"class":279},[214,628,629,631,633],{"class":216,"line":283},[214,630,317],{"class":231},[214,632,289],{"class":247},[214,634,635],{"class":231},"{\n",[214,637,638,641,643,645,648,650,652,654],{"class":216,"line":300},[214,639,640],{"class":279},"    \\\"",[214,642,328],{"class":231},[214,644,325],{"class":279},[214,646,647],{"class":231},": ",[214,649,325],{"class":279},[214,651,338],{"class":231},[214,653,325],{"class":279},[214,655,656],{"class":231},",\n",[214,658,659,661,663,665,667,669,671,673],{"class":216,"line":314},[214,660,640],{"class":279},[214,662,348],{"class":231},[214,664,325],{"class":279},[214,666,647],{"class":231},[214,668,325],{"class":279},[214,670,357],{"class":231},[214,672,325],{"class":279},[214,674,656],{"class":231},[214,676,677,679,681,683,685],{"class":216,"line":394},[214,678,640],{"class":279},[214,680,366],{"class":231},[214,682,325],{"class":279},[214,684,647],{"class":231},[214,686,687],{"class":279},"\\\"$PUBLIC_KEY\\\"\n",[214,689,690,693],{"class":216,"line":399},[214,691,692],{"class":231},"  }",[214,694,391],{"class":247},[155,696,697],{},"Response:",[205,699,703],{"className":700,"code":701,"language":702,"meta":210,"style":210},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\n  \"agent_id\": \"a1b2c3d4-...\",\n  \"email\": \"agent+deploy@example.com\",\n  \"name\": \"deploy-bot\",\n  \"owner\": \"admin@example.com\",\n  \"approver\": \"admin@example.com\",\n  \"status\": \"active\"\n}\n","json",[182,704,705,709,731,749,767,787,806,824],{"__ignoreMap":210},[214,706,707],{"class":216,"line":217},[214,708,635],{"class":247},[214,710,711,714,718,720,722,724,727,729],{"class":216,"line":224},[214,712,713],{"class":247},"  \"",[214,715,717],{"class":716},"spNyl","agent_id",[214,719,295],{"class":247},[214,721,333],{"class":247},[214,723,289],{"class":247},[214,725,726],{"class":231},"a1b2c3d4-...",[214,728,295],{"class":247},[214,730,656],{"class":247},[214,732,733,735,737,739,741,743,745,747],{"class":216,"line":251},[214,734,713],{"class":247},[214,736,328],{"class":716},[214,738,295],{"class":247},[214,740,333],{"class":247},[214,742,289],{"class":247},[214,744,338],{"class":231},[214,746,295],{"class":247},[214,748,656],{"class":247},[214,750,751,753,755,757,759,761,763,765],{"class":216,"line":258},[214,752,713],{"class":247},[214,754,348],{"class":716},[214,756,295],{"class":247},[214,758,333],{"class":247},[214,760,289],{"class":247},[214,762,357],{"class":231},[214,764,295],{"class":247},[214,766,656],{"class":247},[214,768,769,771,774,776,778,780,783,785],{"class":216,"line":264},[214,770,713],{"class":247},[214,772,773],{"class":716},"owner",[214,775,295],{"class":247},[214,777,333],{"class":247},[214,779,289],{"class":247},[214,781,782],{"class":231},"admin@example.com",[214,784,295],{"class":247},[214,786,656],{"class":247},[214,788,789,791,794,796,798,800,802,804],{"class":216,"line":283},[214,790,713],{"class":247},[214,792,793],{"class":716},"approver",[214,795,295],{"class":247},[214,797,333],{"class":247},[214,799,289],{"class":247},[214,801,782],{"class":231},[214,803,295],{"class":247},[214,805,656],{"class":247},[214,807,808,810,813,815,817,819,822],{"class":216,"line":300},[214,809,713],{"class":247},[214,811,812],{"class":716},"status",[214,814,295],{"class":247},[214,816,333],{"class":247},[214,818,289],{"class":247},[214,820,821],{"class":231},"active",[214,823,391],{"class":247},[214,825,826],{"class":216,"line":314},[214,827,828],{"class":247},"}\n",[489,830,832],{"type":831},"warning",[155,833,834,835,837,838,841,842,844,845,847],{},"The ",[182,836,366],{}," must be in SSH format, starting with ",[182,839,840],{},"ssh-ed25519",". The ",[182,843,773],{}," and ",[182,846,793],{}," default to the admin — these are the humans who can approve grants for this agent.",[163,849,851],{"id":850},"step-3-authenticate-the-agent","Step 3: Authenticate the Agent",[155,853,854],{},"Authentication uses a challenge-response flow with Ed25519 signatures.",[856,857,859],"h3",{"id":858},"_3a-request-a-challenge","3a. Request a Challenge",[205,861,863],{"className":207,"code":862,"language":209,"meta":210,"style":210},"curl -X POST https://id.example.com/api/agent/challenge \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"agent_id\": \"agent+deploy@example.com\"}'\n",[182,864,865,878,890],{"__ignoreMap":210},[214,866,867,869,871,873,876],{"class":216,"line":217},[214,868,267],{"class":227},[214,870,270],{"class":231},[214,872,273],{"class":231},[214,874,875],{"class":231}," https://id.example.com/api/agent/challenge",[214,877,280],{"class":279},[214,879,880,882,884,886,888],{"class":216,"line":224},[214,881,286],{"class":231},[214,883,289],{"class":247},[214,885,307],{"class":231},[214,887,295],{"class":247},[214,889,280],{"class":279},[214,891,892,894,897,900],{"class":216,"line":251},[214,893,317],{"class":231},[214,895,896],{"class":247}," '",[214,898,899],{"class":231},"{\"agent_id\": \"agent+deploy@example.com\"}",[214,901,902],{"class":247},"'\n",[155,904,697],{},[205,906,908],{"className":700,"code":907,"language":702,"meta":210,"style":210},"{\n  \"challenge\": \"a3f8b2c1d4e5f6...\"\n}\n",[182,909,910,914,932],{"__ignoreMap":210},[214,911,912],{"class":216,"line":217},[214,913,635],{"class":247},[214,915,916,918,921,923,925,927,930],{"class":216,"line":224},[214,917,713],{"class":247},[214,919,920],{"class":716},"challenge",[214,922,295],{"class":247},[214,924,333],{"class":247},[214,926,289],{"class":247},[214,928,929],{"class":231},"a3f8b2c1d4e5f6...",[214,931,391],{"class":247},[214,933,934],{"class":216,"line":251},[214,935,828],{"class":247},[489,937,938],{"type":491},[155,939,940,941,944],{},"Challenges expire after ",[477,942,943],{},"60 seconds"," and are single-use.",[856,946,948],{"id":947},"_3b-sign-the-challenge-and-authenticate","3b. Sign the Challenge and Authenticate",[205,950,952],{"className":207,"code":951,"language":209,"meta":210,"style":210},"CHALLENGE=\"a3f8b2c1d4e5f6...\"\n\n# Sign the challenge with the agent's private key\nSIGNATURE=$(echo -n \"$CHALLENGE\" | ssh-keygen -Y sign -f ~/.ssh/agent_key -n challenge - 2>/dev/null | base64 -w0)\n\n# Alternative: using openssl\nSIGNATURE=$(echo -n \"$CHALLENGE\" | openssl pkeyutl -sign -inkey ~/.ssh/agent_key -rawin | base64 -w0)\n\ncurl -X POST https://id.example.com/api/agent/authenticate \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\n    \\\"agent_id\\\": \\\"agent+deploy@example.com\\\",\n    \\\"challenge\\\": \\\"$CHALLENGE\\\",\n    \\\"signature\\\": \\\"$SIGNATURE\\\"\n  }\"\n",[182,953,954,968,972,977,1038,1042,1047,1090,1094,1107,1119,1127,1145,1160,1174],{"__ignoreMap":210},[214,955,956,959,962,964,966],{"class":216,"line":217},[214,957,958],{"class":279},"CHALLENGE",[214,960,961],{"class":247},"=",[214,963,295],{"class":247},[214,965,929],{"class":231},[214,967,391],{"class":247},[214,969,970],{"class":216,"line":224},[214,971,255],{"emptyLinePlaceholder":254},[214,973,974],{"class":216,"line":251},[214,975,976],{"class":220},"# Sign the challenge with the agent's private key\n",[214,978,979,982,984,988,991,993,996,998,1001,1004,1007,1010,1012,1014,1016,1019,1022,1025,1028,1030,1033,1036],{"class":216,"line":258},[214,980,981],{"class":279},"SIGNATURE",[214,983,578],{"class":247},[214,985,987],{"class":986},"s2Zo4","echo",[214,989,990],{"class":231}," -n",[214,992,289],{"class":247},[214,994,995],{"class":279},"$CHALLENGE",[214,997,295],{"class":247},[214,999,1000],{"class":247}," |",[214,1002,1003],{"class":227}," ssh-keygen",[214,1005,1006],{"class":231}," -Y",[214,1008,1009],{"class":231}," sign",[214,1011,238],{"class":231},[214,1013,241],{"class":231},[214,1015,990],{"class":231},[214,1017,1018],{"class":231}," challenge",[214,1020,1021],{"class":231}," -",[214,1023,1024],{"class":247}," 2>",[214,1026,1027],{"class":231},"/dev/null",[214,1029,1000],{"class":247},[214,1031,1032],{"class":227}," base64",[214,1034,1035],{"class":231}," -w0",[214,1037,585],{"class":247},[214,1039,1040],{"class":216,"line":264},[214,1041,255],{"emptyLinePlaceholder":254},[214,1043,1044],{"class":216,"line":283},[214,1045,1046],{"class":220},"# Alternative: using openssl\n",[214,1048,1049,1051,1053,1055,1057,1059,1061,1063,1065,1068,1071,1074,1077,1079,1082,1084,1086,1088],{"class":216,"line":300},[214,1050,981],{"class":279},[214,1052,578],{"class":247},[214,1054,987],{"class":986},[214,1056,990],{"class":231},[214,1058,289],{"class":247},[214,1060,995],{"class":279},[214,1062,295],{"class":247},[214,1064,1000],{"class":247},[214,1066,1067],{"class":227}," openssl",[214,1069,1070],{"class":231}," pkeyutl",[214,1072,1073],{"class":231}," -sign",[214,1075,1076],{"class":231}," -inkey",[214,1078,241],{"class":231},[214,1080,1081],{"class":231}," -rawin",[214,1083,1000],{"class":247},[214,1085,1032],{"class":227},[214,1087,1035],{"class":231},[214,1089,585],{"class":247},[214,1091,1092],{"class":216,"line":314},[214,1093,255],{"emptyLinePlaceholder":254},[214,1095,1096,1098,1100,1102,1105],{"class":216,"line":394},[214,1097,267],{"class":227},[214,1099,270],{"class":231},[214,1101,273],{"class":231},[214,1103,1104],{"class":231}," https://id.example.com/api/agent/authenticate",[214,1106,280],{"class":279},[214,1108,1109,1111,1113,1115,1117],{"class":216,"line":399},[214,1110,286],{"class":231},[214,1112,289],{"class":247},[214,1114,307],{"class":231},[214,1116,295],{"class":247},[214,1118,280],{"class":279},[214,1120,1121,1123,1125],{"class":216,"line":405},[214,1122,317],{"class":231},[214,1124,289],{"class":247},[214,1126,635],{"class":231},[214,1128,1129,1131,1133,1135,1137,1139,1141,1143],{"class":216,"line":430},[214,1130,640],{"class":279},[214,1132,717],{"class":231},[214,1134,325],{"class":279},[214,1136,647],{"class":231},[214,1138,325],{"class":279},[214,1140,338],{"class":231},[214,1142,325],{"class":279},[214,1144,656],{"class":231},[214,1146,1147,1149,1151,1153,1155,1158],{"class":216,"line":435},[214,1148,640],{"class":279},[214,1150,920],{"class":231},[214,1152,325],{"class":279},[214,1154,647],{"class":231},[214,1156,1157],{"class":279},"\\\"$CHALLENGE\\\"",[214,1159,656],{"class":231},[214,1161,1162,1164,1167,1169,1171],{"class":216,"line":441},[214,1163,640],{"class":279},[214,1165,1166],{"class":231},"signature",[214,1168,325],{"class":279},[214,1170,647],{"class":231},[214,1172,1173],{"class":279},"\\\"$SIGNATURE\\\"\n",[214,1175,1176,1178],{"class":216,"line":469},[214,1177,692],{"class":231},[214,1179,391],{"class":247},[155,1181,697],{},[205,1183,1185],{"className":700,"code":1184,"language":702,"meta":210,"style":210},"{\n  \"token\": \"eyJhbGciOiJFZERTQSIs...\",\n  \"agent_id\": \"a1b2c3d4-...\",\n  \"email\": \"agent+deploy@example.com\",\n  \"name\": \"deploy-bot\",\n  \"expires_in\": 3600\n}\n",[182,1186,1187,1191,1211,1229,1247,1265,1280],{"__ignoreMap":210},[214,1188,1189],{"class":216,"line":217},[214,1190,635],{"class":247},[214,1192,1193,1195,1198,1200,1202,1204,1207,1209],{"class":216,"line":224},[214,1194,713],{"class":247},[214,1196,1197],{"class":716},"token",[214,1199,295],{"class":247},[214,1201,333],{"class":247},[214,1203,289],{"class":247},[214,1205,1206],{"class":231},"eyJhbGciOiJFZERTQSIs...",[214,1208,295],{"class":247},[214,1210,656],{"class":247},[214,1212,1213,1215,1217,1219,1221,1223,1225,1227],{"class":216,"line":251},[214,1214,713],{"class":247},[214,1216,717],{"class":716},[214,1218,295],{"class":247},[214,1220,333],{"class":247},[214,1222,289],{"class":247},[214,1224,726],{"class":231},[214,1226,295],{"class":247},[214,1228,656],{"class":247},[214,1230,1231,1233,1235,1237,1239,1241,1243,1245],{"class":216,"line":258},[214,1232,713],{"class":247},[214,1234,328],{"class":716},[214,1236,295],{"class":247},[214,1238,333],{"class":247},[214,1240,289],{"class":247},[214,1242,338],{"class":231},[214,1244,295],{"class":247},[214,1246,656],{"class":247},[214,1248,1249,1251,1253,1255,1257,1259,1261,1263],{"class":216,"line":264},[214,1250,713],{"class":247},[214,1252,348],{"class":716},[214,1254,295],{"class":247},[214,1256,333],{"class":247},[214,1258,289],{"class":247},[214,1260,357],{"class":231},[214,1262,295],{"class":247},[214,1264,656],{"class":247},[214,1266,1267,1269,1272,1274,1276],{"class":216,"line":283},[214,1268,713],{"class":247},[214,1270,1271],{"class":716},"expires_in",[214,1273,295],{"class":247},[214,1275,333],{"class":247},[214,1277,1279],{"class":1278},"sbssI"," 3600\n",[214,1281,1282],{"class":216,"line":300},[214,1283,828],{"class":247},[155,1285,1286,1287,1289],{},"Save the ",[182,1288,1197],{}," — this is the agent's identity token (AuthN-JWT) for subsequent API calls.",[163,1291,1293],{"id":1292},"step-4-request-a-grant","Step 4: Request a Grant",[155,1295,1296],{},"With the agent authenticated, request permission to perform an action.",[205,1298,1300],{"className":207,"code":1299,"language":209,"meta":210,"style":210},"AGENT_TOKEN=\"eyJhbGciOiJFZERTQSIs...\"\n\ncurl -X POST https://id.example.com/api/grants \\\n  -H \"Authorization: Bearer $AGENT_TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"requester\": \"agent+deploy@example.com\",\n    \"target_host\": \"prod-server.example.com\",\n    \"audience\": \"escapes\",\n    \"grant_type\": \"once\",\n    \"command\": [\"systemctl\", \"restart\", \"nginx\"],\n    \"reason\": \"Deploy hotfix #42\"\n  }'\n",[182,1301,1302,1315,1319,1332,1348,1360,1368,1373,1378,1383,1388,1393,1398],{"__ignoreMap":210},[214,1303,1304,1307,1309,1311,1313],{"class":216,"line":217},[214,1305,1306],{"class":279},"AGENT_TOKEN",[214,1308,961],{"class":247},[214,1310,295],{"class":247},[214,1312,1206],{"class":231},[214,1314,391],{"class":247},[214,1316,1317],{"class":216,"line":224},[214,1318,255],{"emptyLinePlaceholder":254},[214,1320,1321,1323,1325,1327,1330],{"class":216,"line":251},[214,1322,267],{"class":227},[214,1324,270],{"class":231},[214,1326,273],{"class":231},[214,1328,1329],{"class":231}," https://id.example.com/api/grants",[214,1331,280],{"class":279},[214,1333,1334,1336,1338,1341,1344,1346],{"class":216,"line":258},[214,1335,286],{"class":231},[214,1337,289],{"class":247},[214,1339,1340],{"class":231},"Authorization: Bearer ",[214,1342,1343],{"class":279},"$AGENT_TOKEN",[214,1345,295],{"class":247},[214,1347,280],{"class":279},[214,1349,1350,1352,1354,1356,1358],{"class":216,"line":264},[214,1351,286],{"class":231},[214,1353,289],{"class":247},[214,1355,307],{"class":231},[214,1357,295],{"class":247},[214,1359,280],{"class":279},[214,1361,1362,1364,1366],{"class":216,"line":283},[214,1363,317],{"class":231},[214,1365,896],{"class":247},[214,1367,635],{"class":231},[214,1369,1370],{"class":216,"line":300},[214,1371,1372],{"class":231},"    \"requester\": \"agent+deploy@example.com\",\n",[214,1374,1375],{"class":216,"line":314},[214,1376,1377],{"class":231},"    \"target_host\": \"prod-server.example.com\",\n",[214,1379,1380],{"class":216,"line":394},[214,1381,1382],{"class":231},"    \"audience\": \"escapes\",\n",[214,1384,1385],{"class":216,"line":399},[214,1386,1387],{"class":231},"    \"grant_type\": \"once\",\n",[214,1389,1390],{"class":216,"line":405},[214,1391,1392],{"class":231},"    \"command\": [\"systemctl\", \"restart\", \"nginx\"],\n",[214,1394,1395],{"class":216,"line":430},[214,1396,1397],{"class":231},"    \"reason\": \"Deploy hotfix #42\"\n",[214,1399,1400,1402],{"class":216,"line":435},[214,1401,692],{"class":231},[214,1403,902],{"class":247},[155,1405,697],{},[205,1407,1409],{"className":700,"code":1408,"language":702,"meta":210,"style":210},"{\n  \"id\": \"grant-uuid-...\",\n  \"type\": \"command\",\n  \"request\": {\n    \"requester\": \"agent+deploy@example.com\",\n    \"target_host\": \"prod-server.example.com\",\n    \"audience\": \"escapes\",\n    \"grant_type\": \"once\",\n    \"command\": [\"systemctl\", \"restart\", \"nginx\"],\n    \"cmd_hash\": \"sha256:a1b2c3...\",\n    \"reason\": \"Deploy hotfix #42\"\n  },\n  \"status\": \"pending\",\n  \"created_at\": 1711234567890\n}\n",[182,1410,1411,1415,1435,1455,1469,1489,1509,1528,1548,1589,1609,1626,1631,1650,1664],{"__ignoreMap":210},[214,1412,1413],{"class":216,"line":217},[214,1414,635],{"class":247},[214,1416,1417,1419,1422,1424,1426,1428,1431,1433],{"class":216,"line":224},[214,1418,713],{"class":247},[214,1420,1421],{"class":716},"id",[214,1423,295],{"class":247},[214,1425,333],{"class":247},[214,1427,289],{"class":247},[214,1429,1430],{"class":231},"grant-uuid-...",[214,1432,295],{"class":247},[214,1434,656],{"class":247},[214,1436,1437,1439,1442,1444,1446,1448,1451,1453],{"class":216,"line":251},[214,1438,713],{"class":247},[214,1440,1441],{"class":716},"type",[214,1443,295],{"class":247},[214,1445,333],{"class":247},[214,1447,289],{"class":247},[214,1449,1450],{"class":231},"command",[214,1452,295],{"class":247},[214,1454,656],{"class":247},[214,1456,1457,1459,1462,1464,1466],{"class":216,"line":258},[214,1458,713],{"class":247},[214,1460,1461],{"class":716},"request",[214,1463,295],{"class":247},[214,1465,333],{"class":247},[214,1467,1468],{"class":247}," {\n",[214,1470,1471,1474,1477,1479,1481,1483,1485,1487],{"class":216,"line":264},[214,1472,1473],{"class":247},"    \"",[214,1475,1476],{"class":227},"requester",[214,1478,295],{"class":247},[214,1480,333],{"class":247},[214,1482,289],{"class":247},[214,1484,338],{"class":231},[214,1486,295],{"class":247},[214,1488,656],{"class":247},[214,1490,1491,1493,1496,1498,1500,1502,1505,1507],{"class":216,"line":283},[214,1492,1473],{"class":247},[214,1494,1495],{"class":227},"target_host",[214,1497,295],{"class":247},[214,1499,333],{"class":247},[214,1501,289],{"class":247},[214,1503,1504],{"class":231},"prod-server.example.com",[214,1506,295],{"class":247},[214,1508,656],{"class":247},[214,1510,1511,1513,1516,1518,1520,1522,1524,1526],{"class":216,"line":300},[214,1512,1473],{"class":247},[214,1514,1515],{"class":227},"audience",[214,1517,295],{"class":247},[214,1519,333],{"class":247},[214,1521,289],{"class":247},[214,1523,65],{"class":231},[214,1525,295],{"class":247},[214,1527,656],{"class":247},[214,1529,1530,1532,1535,1537,1539,1541,1544,1546],{"class":216,"line":314},[214,1531,1473],{"class":247},[214,1533,1534],{"class":227},"grant_type",[214,1536,295],{"class":247},[214,1538,333],{"class":247},[214,1540,289],{"class":247},[214,1542,1543],{"class":231},"once",[214,1545,295],{"class":247},[214,1547,656],{"class":247},[214,1549,1550,1552,1554,1556,1558,1561,1563,1566,1568,1570,1572,1575,1577,1579,1581,1584,1586],{"class":216,"line":394},[214,1551,1473],{"class":247},[214,1553,1450],{"class":227},[214,1555,295],{"class":247},[214,1557,333],{"class":247},[214,1559,1560],{"class":247}," [",[214,1562,295],{"class":247},[214,1564,1565],{"class":231},"systemctl",[214,1567,295],{"class":247},[214,1569,343],{"class":247},[214,1571,289],{"class":247},[214,1573,1574],{"class":231},"restart",[214,1576,295],{"class":247},[214,1578,343],{"class":247},[214,1580,289],{"class":247},[214,1582,1583],{"class":231},"nginx",[214,1585,295],{"class":247},[214,1587,1588],{"class":247},"],\n",[214,1590,1591,1593,1596,1598,1600,1602,1605,1607],{"class":216,"line":399},[214,1592,1473],{"class":247},[214,1594,1595],{"class":227},"cmd_hash",[214,1597,295],{"class":247},[214,1599,333],{"class":247},[214,1601,289],{"class":247},[214,1603,1604],{"class":231},"sha256:a1b2c3...",[214,1606,295],{"class":247},[214,1608,656],{"class":247},[214,1610,1611,1613,1616,1618,1620,1622,1624],{"class":216,"line":405},[214,1612,1473],{"class":247},[214,1614,1615],{"class":227},"reason",[214,1617,295],{"class":247},[214,1619,333],{"class":247},[214,1621,289],{"class":247},[214,1623,464],{"class":231},[214,1625,391],{"class":247},[214,1627,1628],{"class":216,"line":430},[214,1629,1630],{"class":247},"  },\n",[214,1632,1633,1635,1637,1639,1641,1643,1646,1648],{"class":216,"line":435},[214,1634,713],{"class":247},[214,1636,812],{"class":716},[214,1638,295],{"class":247},[214,1640,333],{"class":247},[214,1642,289],{"class":247},[214,1644,1645],{"class":231},"pending",[214,1647,295],{"class":247},[214,1649,656],{"class":247},[214,1651,1652,1654,1657,1659,1661],{"class":216,"line":441},[214,1653,713],{"class":247},[214,1655,1656],{"class":716},"created_at",[214,1658,295],{"class":247},[214,1660,333],{"class":247},[214,1662,1663],{"class":1278}," 1711234567890\n",[214,1665,1666],{"class":216,"line":469},[214,1667,828],{"class":247},[856,1669,1671],{"id":1670},"grant-types","Grant Types",[1673,1674,1675,1694],"table",{},[1676,1677,1678],"thead",{},[1679,1680,1681,1685,1688,1691],"tr",{},[1682,1683,1684],"th",{},"Type",[1682,1686,1687],{},"Behavior",[1682,1689,1690],{},"AuthZ-JWT Lifetime",[1682,1692,1693],{},"Reusable?",[1695,1696,1697,1713,1732],"tbody",{},[1679,1698,1699,1704,1707,1710],{},[1700,1701,1702],"td",{},[182,1703,1543],{},[1700,1705,1706],{},"Single use — consumed after first use",[1700,1708,1709],{},"5 minutes",[1700,1711,1712],{},"No",[1679,1714,1715,1720,1723,1729],{},[1700,1716,1717],{},[182,1718,1719],{},"timed",[1700,1721,1722],{},"Valid for a time window",[1700,1724,1725,1726],{},"Until ",[182,1727,1728],{},"expires_at",[1700,1730,1731],{},"Yes",[1679,1733,1734,1739,1742,1745],{},[1700,1735,1736],{},[182,1737,1738],{},"always",[1700,1740,1741],{},"Standing permission until revoked",[1700,1743,1744],{},"1 hour (renewable)",[1700,1746,1731],{},[155,1748,1749,1750,1752,1753,1756],{},"For ",[182,1751,1719],{}," grants, include a ",[182,1754,1755],{},"duration"," field (in seconds):",[205,1758,1760],{"className":700,"code":1759,"language":702,"meta":210,"style":210},"{\n  \"grant_type\": \"timed\",\n  \"duration\": 3600\n}\n",[182,1761,1762,1766,1784,1796],{"__ignoreMap":210},[214,1763,1764],{"class":216,"line":217},[214,1765,635],{"class":247},[214,1767,1768,1770,1772,1774,1776,1778,1780,1782],{"class":216,"line":224},[214,1769,713],{"class":247},[214,1771,1534],{"class":716},[214,1773,295],{"class":247},[214,1775,333],{"class":247},[214,1777,289],{"class":247},[214,1779,1719],{"class":231},[214,1781,295],{"class":247},[214,1783,656],{"class":247},[214,1785,1786,1788,1790,1792,1794],{"class":216,"line":251},[214,1787,713],{"class":247},[214,1789,1755],{"class":716},[214,1791,295],{"class":247},[214,1793,333],{"class":247},[214,1795,1279],{"class":1278},[214,1797,1798],{"class":216,"line":258},[214,1799,828],{"class":247},[163,1801,1803],{"id":1802},"step-5-human-approves-the-grant","Step 5: Human Approves the Grant",[155,1805,1806,1807,1809],{},"The grant is now ",[182,1808,1645],{},". A human must approve it. This can happen through:",[1811,1812,1813,1823,1831],"ol",{},[171,1814,1815,1818,1819,1822],{},[477,1816,1817],{},"Web UI"," — The owner/approver visits ",[182,1820,1821],{},"/grant-approval?id=grant-uuid-..."," on the IdP",[171,1824,1825,1827,1828],{},[477,1826,57],{}," — ",[182,1829,1830],{},"grapes approve grant-uuid-...",[171,1832,1833,1836],{},[477,1834,1835],{},"API"," — Using the Management Token or an authenticated session:",[205,1838,1840],{"className":207,"code":1839,"language":209,"meta":210,"style":210},"curl -X POST https://id.example.com/api/grants/grant-uuid-.../approve \\\n  -H \"Authorization: Bearer my-secret-management-token\"\n",[182,1841,1842,1855],{"__ignoreMap":210},[214,1843,1844,1846,1848,1850,1853],{"class":216,"line":217},[214,1845,267],{"class":227},[214,1847,270],{"class":231},[214,1849,273],{"class":231},[214,1851,1852],{"class":231}," https://id.example.com/api/grants/grant-uuid-.../approve",[214,1854,280],{"class":279},[214,1856,1857,1859,1861,1863],{"class":216,"line":224},[214,1858,286],{"class":231},[214,1860,289],{"class":247},[214,1862,610],{"class":231},[214,1864,391],{"class":247},[155,1866,697],{},[205,1868,1870],{"className":700,"code":1869,"language":702,"meta":210,"style":210},"{\n  \"grant\": {\n    \"id\": \"grant-uuid-...\",\n    \"status\": \"approved\",\n    \"decided_by\": \"admin@example.com\",\n    \"decided_at\": 1711234568000,\n    \"expires_at\": 1711234868000\n  },\n  \"authz_jwt\": \"eyJhbGciOiJFZERTQSIs...\"\n}\n",[182,1871,1872,1876,1889,1907,1926,1945,1961,1974,1978,1995],{"__ignoreMap":210},[214,1873,1874],{"class":216,"line":217},[214,1875,635],{"class":247},[214,1877,1878,1880,1883,1885,1887],{"class":216,"line":224},[214,1879,713],{"class":247},[214,1881,1882],{"class":716},"grant",[214,1884,295],{"class":247},[214,1886,333],{"class":247},[214,1888,1468],{"class":247},[214,1890,1891,1893,1895,1897,1899,1901,1903,1905],{"class":216,"line":251},[214,1892,1473],{"class":247},[214,1894,1421],{"class":227},[214,1896,295],{"class":247},[214,1898,333],{"class":247},[214,1900,289],{"class":247},[214,1902,1430],{"class":231},[214,1904,295],{"class":247},[214,1906,656],{"class":247},[214,1908,1909,1911,1913,1915,1917,1919,1922,1924],{"class":216,"line":258},[214,1910,1473],{"class":247},[214,1912,812],{"class":227},[214,1914,295],{"class":247},[214,1916,333],{"class":247},[214,1918,289],{"class":247},[214,1920,1921],{"class":231},"approved",[214,1923,295],{"class":247},[214,1925,656],{"class":247},[214,1927,1928,1930,1933,1935,1937,1939,1941,1943],{"class":216,"line":264},[214,1929,1473],{"class":247},[214,1931,1932],{"class":227},"decided_by",[214,1934,295],{"class":247},[214,1936,333],{"class":247},[214,1938,289],{"class":247},[214,1940,782],{"class":231},[214,1942,295],{"class":247},[214,1944,656],{"class":247},[214,1946,1947,1949,1952,1954,1956,1959],{"class":216,"line":283},[214,1948,1473],{"class":247},[214,1950,1951],{"class":227},"decided_at",[214,1953,295],{"class":247},[214,1955,333],{"class":247},[214,1957,1958],{"class":1278}," 1711234568000",[214,1960,656],{"class":247},[214,1962,1963,1965,1967,1969,1971],{"class":216,"line":300},[214,1964,1473],{"class":247},[214,1966,1728],{"class":227},[214,1968,295],{"class":247},[214,1970,333],{"class":247},[214,1972,1973],{"class":1278}," 1711234868000\n",[214,1975,1976],{"class":216,"line":314},[214,1977,1630],{"class":247},[214,1979,1980,1982,1985,1987,1989,1991,1993],{"class":216,"line":394},[214,1981,713],{"class":247},[214,1983,1984],{"class":716},"authz_jwt",[214,1986,295],{"class":247},[214,1988,333],{"class":247},[214,1990,289],{"class":247},[214,1992,1206],{"class":231},[214,1994,391],{"class":247},[214,1996,1997],{"class":216,"line":399},[214,1998,828],{"class":247},[489,2000,2001],{"type":491},[155,2002,2003,2004,2006,2007,2010],{},"The approve response already includes the ",[182,2005,1984],{},". You can also fetch it separately via ",[182,2008,2009],{},"/api/grants/:id/token",".",[163,2012,2014],{"id":2013},"step-6-agent-retrieves-the-authz-jwt","Step 6: Agent Retrieves the AuthZ-JWT",[155,2016,2017],{},"If the agent is polling for approval (rather than receiving the JWT from the approve response), it can fetch the token:",[205,2019,2021],{"className":207,"code":2020,"language":209,"meta":210,"style":210},"# Poll grant status until approved\ncurl https://id.example.com/api/grants/grant-uuid-... \\\n  -H \"Authorization: Bearer $AGENT_TOKEN\"\n\n# Once approved, get the AuthZ-JWT\ncurl -X POST https://id.example.com/api/grants/grant-uuid-.../token \\\n  -H \"Authorization: Bearer $AGENT_TOKEN\"\n",[182,2022,2023,2028,2037,2049,2053,2058,2071],{"__ignoreMap":210},[214,2024,2025],{"class":216,"line":217},[214,2026,2027],{"class":220},"# Poll grant status until approved\n",[214,2029,2030,2032,2035],{"class":216,"line":224},[214,2031,267],{"class":227},[214,2033,2034],{"class":231}," https://id.example.com/api/grants/grant-uuid-...",[214,2036,280],{"class":279},[214,2038,2039,2041,2043,2045,2047],{"class":216,"line":251},[214,2040,286],{"class":231},[214,2042,289],{"class":247},[214,2044,1340],{"class":231},[214,2046,1343],{"class":279},[214,2048,391],{"class":247},[214,2050,2051],{"class":216,"line":258},[214,2052,255],{"emptyLinePlaceholder":254},[214,2054,2055],{"class":216,"line":264},[214,2056,2057],{"class":220},"# Once approved, get the AuthZ-JWT\n",[214,2059,2060,2062,2064,2066,2069],{"class":216,"line":283},[214,2061,267],{"class":227},[214,2063,270],{"class":231},[214,2065,273],{"class":231},[214,2067,2068],{"class":231}," https://id.example.com/api/grants/grant-uuid-.../token",[214,2070,280],{"class":279},[214,2072,2073,2075,2077,2079,2081],{"class":216,"line":300},[214,2074,286],{"class":231},[214,2076,289],{"class":247},[214,2078,1340],{"class":231},[214,2080,1343],{"class":279},[214,2082,391],{"class":247},[155,2084,697],{},[205,2086,2088],{"className":700,"code":2087,"language":702,"meta":210,"style":210},"{\n  \"authz_jwt\": \"eyJhbGciOiJFZERTQSIs...\",\n  \"grant\": { \"id\": \"grant-uuid-...\", \"status\": \"approved\" }\n}\n",[182,2089,2090,2094,2112,2158],{"__ignoreMap":210},[214,2091,2092],{"class":216,"line":217},[214,2093,635],{"class":247},[214,2095,2096,2098,2100,2102,2104,2106,2108,2110],{"class":216,"line":224},[214,2097,713],{"class":247},[214,2099,1984],{"class":716},[214,2101,295],{"class":247},[214,2103,333],{"class":247},[214,2105,289],{"class":247},[214,2107,1206],{"class":231},[214,2109,295],{"class":247},[214,2111,656],{"class":247},[214,2113,2114,2116,2118,2120,2122,2125,2127,2129,2131,2133,2135,2137,2139,2141,2143,2145,2147,2149,2151,2153,2155],{"class":216,"line":251},[214,2115,713],{"class":247},[214,2117,1882],{"class":716},[214,2119,295],{"class":247},[214,2121,333],{"class":247},[214,2123,2124],{"class":247}," {",[214,2126,289],{"class":247},[214,2128,1421],{"class":227},[214,2130,295],{"class":247},[214,2132,333],{"class":247},[214,2134,289],{"class":247},[214,2136,1430],{"class":231},[214,2138,295],{"class":247},[214,2140,343],{"class":247},[214,2142,289],{"class":247},[214,2144,812],{"class":227},[214,2146,295],{"class":247},[214,2148,333],{"class":247},[214,2150,289],{"class":247},[214,2152,1921],{"class":231},[214,2154,295],{"class":247},[214,2156,2157],{"class":247}," }\n",[214,2159,2160],{"class":216,"line":258},[214,2161,828],{"class":247},[856,2163,2165],{"id":2164},"authz-jwt-claims","AuthZ-JWT Claims",[155,2167,2168],{},"The AuthZ-JWT contains everything the target system needs to validate the action:",[205,2170,2172],{"className":700,"code":2171,"language":702,"meta":210,"style":210},"{\n  \"iss\": \"https://id.example.com\",\n  \"sub\": \"agent+deploy@example.com\",\n  \"aud\": \"escapes\",\n  \"target_host\": \"prod-server.example.com\",\n  \"grant_id\": \"grant-uuid-...\",\n  \"grant_type\": \"once\",\n  \"permissions\": [],\n  \"command\": [\"systemctl\", \"restart\", \"nginx\"],\n  \"cmd_hash\": \"sha256:a1b2c3...\",\n  \"decided_by\": \"admin@example.com\",\n  \"iat\": 1711234568,\n  \"exp\": 1711234868,\n  \"jti\": \"unique-token-id\"\n}\n",[182,2173,2174,2178,2197,2216,2235,2253,2272,2290,2304,2340,2358,2376,2392,2408,2426],{"__ignoreMap":210},[214,2175,2176],{"class":216,"line":217},[214,2177,635],{"class":247},[214,2179,2180,2182,2185,2187,2189,2191,2193,2195],{"class":216,"line":224},[214,2181,713],{"class":247},[214,2183,2184],{"class":716},"iss",[214,2186,295],{"class":247},[214,2188,333],{"class":247},[214,2190,289],{"class":247},[214,2192,503],{"class":231},[214,2194,295],{"class":247},[214,2196,656],{"class":247},[214,2198,2199,2201,2204,2206,2208,2210,2212,2214],{"class":216,"line":251},[214,2200,713],{"class":247},[214,2202,2203],{"class":716},"sub",[214,2205,295],{"class":247},[214,2207,333],{"class":247},[214,2209,289],{"class":247},[214,2211,338],{"class":231},[214,2213,295],{"class":247},[214,2215,656],{"class":247},[214,2217,2218,2220,2223,2225,2227,2229,2231,2233],{"class":216,"line":258},[214,2219,713],{"class":247},[214,2221,2222],{"class":716},"aud",[214,2224,295],{"class":247},[214,2226,333],{"class":247},[214,2228,289],{"class":247},[214,2230,65],{"class":231},[214,2232,295],{"class":247},[214,2234,656],{"class":247},[214,2236,2237,2239,2241,2243,2245,2247,2249,2251],{"class":216,"line":264},[214,2238,713],{"class":247},[214,2240,1495],{"class":716},[214,2242,295],{"class":247},[214,2244,333],{"class":247},[214,2246,289],{"class":247},[214,2248,1504],{"class":231},[214,2250,295],{"class":247},[214,2252,656],{"class":247},[214,2254,2255,2257,2260,2262,2264,2266,2268,2270],{"class":216,"line":283},[214,2256,713],{"class":247},[214,2258,2259],{"class":716},"grant_id",[214,2261,295],{"class":247},[214,2263,333],{"class":247},[214,2265,289],{"class":247},[214,2267,1430],{"class":231},[214,2269,295],{"class":247},[214,2271,656],{"class":247},[214,2273,2274,2276,2278,2280,2282,2284,2286,2288],{"class":216,"line":300},[214,2275,713],{"class":247},[214,2277,1534],{"class":716},[214,2279,295],{"class":247},[214,2281,333],{"class":247},[214,2283,289],{"class":247},[214,2285,1543],{"class":231},[214,2287,295],{"class":247},[214,2289,656],{"class":247},[214,2291,2292,2294,2297,2299,2301],{"class":216,"line":314},[214,2293,713],{"class":247},[214,2295,2296],{"class":716},"permissions",[214,2298,295],{"class":247},[214,2300,333],{"class":247},[214,2302,2303],{"class":247}," [],\n",[214,2305,2306,2308,2310,2312,2314,2316,2318,2320,2322,2324,2326,2328,2330,2332,2334,2336,2338],{"class":216,"line":394},[214,2307,713],{"class":247},[214,2309,1450],{"class":716},[214,2311,295],{"class":247},[214,2313,333],{"class":247},[214,2315,1560],{"class":247},[214,2317,295],{"class":247},[214,2319,1565],{"class":231},[214,2321,295],{"class":247},[214,2323,343],{"class":247},[214,2325,289],{"class":247},[214,2327,1574],{"class":231},[214,2329,295],{"class":247},[214,2331,343],{"class":247},[214,2333,289],{"class":247},[214,2335,1583],{"class":231},[214,2337,295],{"class":247},[214,2339,1588],{"class":247},[214,2341,2342,2344,2346,2348,2350,2352,2354,2356],{"class":216,"line":399},[214,2343,713],{"class":247},[214,2345,1595],{"class":716},[214,2347,295],{"class":247},[214,2349,333],{"class":247},[214,2351,289],{"class":247},[214,2353,1604],{"class":231},[214,2355,295],{"class":247},[214,2357,656],{"class":247},[214,2359,2360,2362,2364,2366,2368,2370,2372,2374],{"class":216,"line":405},[214,2361,713],{"class":247},[214,2363,1932],{"class":716},[214,2365,295],{"class":247},[214,2367,333],{"class":247},[214,2369,289],{"class":247},[214,2371,782],{"class":231},[214,2373,295],{"class":247},[214,2375,656],{"class":247},[214,2377,2378,2380,2383,2385,2387,2390],{"class":216,"line":430},[214,2379,713],{"class":247},[214,2381,2382],{"class":716},"iat",[214,2384,295],{"class":247},[214,2386,333],{"class":247},[214,2388,2389],{"class":1278}," 1711234568",[214,2391,656],{"class":247},[214,2393,2394,2396,2399,2401,2403,2406],{"class":216,"line":435},[214,2395,713],{"class":247},[214,2397,2398],{"class":716},"exp",[214,2400,295],{"class":247},[214,2402,333],{"class":247},[214,2404,2405],{"class":1278}," 1711234868",[214,2407,656],{"class":247},[214,2409,2410,2412,2415,2417,2419,2421,2424],{"class":216,"line":441},[214,2411,713],{"class":247},[214,2413,2414],{"class":716},"jti",[214,2416,295],{"class":247},[214,2418,333],{"class":247},[214,2420,289],{"class":247},[214,2422,2423],{"class":231},"unique-token-id",[214,2425,391],{"class":247},[214,2427,2428],{"class":216,"line":469},[214,2429,828],{"class":247},[163,2431,2433],{"id":2432},"step-7-use-the-grant","Step 7: Use the Grant",[856,2435,2437],{"id":2436},"with-escapes-privilege-elevation","With escapes (privilege elevation)",[155,2439,2440,2441,2443],{},"Pass the AuthZ-JWT to ",[182,2442,65],{}," for local command execution:",[205,2445,2447],{"className":207,"code":2446,"language":209,"meta":210,"style":210},"AUTHZ_JWT=\"eyJhbGciOiJFZERTQSIs...\"\n\nescapes --grant \"$AUTHZ_JWT\" -- systemctl restart nginx\n",[182,2448,2449,2462,2466],{"__ignoreMap":210},[214,2450,2451,2454,2456,2458,2460],{"class":216,"line":217},[214,2452,2453],{"class":279},"AUTHZ_JWT",[214,2455,961],{"class":247},[214,2457,295],{"class":247},[214,2459,1206],{"class":231},[214,2461,391],{"class":247},[214,2463,2464],{"class":216,"line":224},[214,2465,255],{"emptyLinePlaceholder":254},[214,2467,2468,2470,2473,2475,2478,2480,2483,2486,2489],{"class":216,"line":251},[214,2469,65],{"class":227},[214,2471,2472],{"class":231}," --grant",[214,2474,289],{"class":247},[214,2476,2477],{"class":279},"$AUTHZ_JWT",[214,2479,295],{"class":247},[214,2481,2482],{"class":231}," --",[214,2484,2485],{"class":231}," systemctl",[214,2487,2488],{"class":231}," restart",[214,2490,2491],{"class":231}," nginx\n",[155,2493,2494,2496],{},[182,2495,65],{}," verifies the JWT (issuer, signature, audience, target_host, cmd_hash), then executes the command as root.",[856,2498,2500],{"id":2499},"with-any-target-system","With any target system",[155,2502,2503],{},"Any system can verify the AuthZ-JWT:",[205,2505,2507],{"className":207,"code":2506,"language":209,"meta":210,"style":210},"curl -X POST https://id.example.com/api/grants/verify \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"token\\\": \\\"$AUTHZ_JWT\\\"}\"\n",[182,2508,2509,2522,2534],{"__ignoreMap":210},[214,2510,2511,2513,2515,2517,2520],{"class":216,"line":217},[214,2512,267],{"class":227},[214,2514,270],{"class":231},[214,2516,273],{"class":231},[214,2518,2519],{"class":231}," https://id.example.com/api/grants/verify",[214,2521,280],{"class":279},[214,2523,2524,2526,2528,2530,2532],{"class":216,"line":224},[214,2525,286],{"class":231},[214,2527,289],{"class":247},[214,2529,307],{"class":231},[214,2531,295],{"class":247},[214,2533,280],{"class":279},[214,2535,2536,2538,2540,2542,2544,2546,2548,2550,2553,2555],{"class":216,"line":251},[214,2537,317],{"class":231},[214,2539,289],{"class":247},[214,2541,322],{"class":231},[214,2543,325],{"class":279},[214,2545,1197],{"class":231},[214,2547,325],{"class":279},[214,2549,647],{"class":231},[214,2551,2552],{"class":279},"\\\"$AUTHZ_JWT\\\"",[214,2554,388],{"class":231},[214,2556,391],{"class":247},[155,2558,697],{},[205,2560,2562],{"className":700,"code":2561,"language":702,"meta":210,"style":210},"{\n  \"valid\": true,\n  \"claims\": {\n    \"sub\": \"agent+deploy@example.com\",\n    \"aud\": \"escapes\",\n    \"target_host\": \"prod-server.example.com\",\n    \"grant_type\": \"once\",\n    \"cmd_hash\": \"sha256:a1b2c3...\",\n    \"decided_by\": \"admin@example.com\"\n  }\n}\n",[182,2563,2564,2568,2582,2595,2613,2631,2649,2667,2685,2701,2706],{"__ignoreMap":210},[214,2565,2566],{"class":216,"line":217},[214,2567,635],{"class":247},[214,2569,2570,2572,2575,2577,2579],{"class":216,"line":224},[214,2571,713],{"class":247},[214,2573,2574],{"class":716},"valid",[214,2576,295],{"class":247},[214,2578,333],{"class":247},[214,2580,2581],{"class":247}," true,\n",[214,2583,2584,2586,2589,2591,2593],{"class":216,"line":251},[214,2585,713],{"class":247},[214,2587,2588],{"class":716},"claims",[214,2590,295],{"class":247},[214,2592,333],{"class":247},[214,2594,1468],{"class":247},[214,2596,2597,2599,2601,2603,2605,2607,2609,2611],{"class":216,"line":258},[214,2598,1473],{"class":247},[214,2600,2203],{"class":227},[214,2602,295],{"class":247},[214,2604,333],{"class":247},[214,2606,289],{"class":247},[214,2608,338],{"class":231},[214,2610,295],{"class":247},[214,2612,656],{"class":247},[214,2614,2615,2617,2619,2621,2623,2625,2627,2629],{"class":216,"line":264},[214,2616,1473],{"class":247},[214,2618,2222],{"class":227},[214,2620,295],{"class":247},[214,2622,333],{"class":247},[214,2624,289],{"class":247},[214,2626,65],{"class":231},[214,2628,295],{"class":247},[214,2630,656],{"class":247},[214,2632,2633,2635,2637,2639,2641,2643,2645,2647],{"class":216,"line":283},[214,2634,1473],{"class":247},[214,2636,1495],{"class":227},[214,2638,295],{"class":247},[214,2640,333],{"class":247},[214,2642,289],{"class":247},[214,2644,1504],{"class":231},[214,2646,295],{"class":247},[214,2648,656],{"class":247},[214,2650,2651,2653,2655,2657,2659,2661,2663,2665],{"class":216,"line":300},[214,2652,1473],{"class":247},[214,2654,1534],{"class":227},[214,2656,295],{"class":247},[214,2658,333],{"class":247},[214,2660,289],{"class":247},[214,2662,1543],{"class":231},[214,2664,295],{"class":247},[214,2666,656],{"class":247},[214,2668,2669,2671,2673,2675,2677,2679,2681,2683],{"class":216,"line":314},[214,2670,1473],{"class":247},[214,2672,1595],{"class":227},[214,2674,295],{"class":247},[214,2676,333],{"class":247},[214,2678,289],{"class":247},[214,2680,1604],{"class":231},[214,2682,295],{"class":247},[214,2684,656],{"class":247},[214,2686,2687,2689,2691,2693,2695,2697,2699],{"class":216,"line":394},[214,2688,1473],{"class":247},[214,2690,1932],{"class":227},[214,2692,295],{"class":247},[214,2694,333],{"class":247},[214,2696,289],{"class":247},[214,2698,782],{"class":231},[214,2700,391],{"class":247},[214,2702,2703],{"class":216,"line":399},[214,2704,2705],{"class":247},"  }\n",[214,2707,2708],{"class":216,"line":405},[214,2709,828],{"class":247},[155,2711,1749,2712,2714],{},[182,2713,1543],{}," grants, the target should also consume the grant:",[205,2716,2718],{"className":207,"code":2717,"language":209,"meta":210,"style":210},"curl -X POST https://id.example.com/api/grants/grant-uuid-.../consume \\\n  -H \"Authorization: Bearer $AUTHZ_JWT\"\n",[182,2719,2720,2733],{"__ignoreMap":210},[214,2721,2722,2724,2726,2728,2731],{"class":216,"line":217},[214,2723,267],{"class":227},[214,2725,270],{"class":231},[214,2727,273],{"class":231},[214,2729,2730],{"class":231}," https://id.example.com/api/grants/grant-uuid-.../consume",[214,2732,280],{"class":279},[214,2734,2735,2737,2739,2741,2743],{"class":216,"line":224},[214,2736,286],{"class":231},[214,2738,289],{"class":247},[214,2740,1340],{"class":231},[214,2742,2477],{"class":279},[214,2744,391],{"class":247},[163,2746,2748],{"id":2747},"using-grapes-cli-instead","Using grapes CLI Instead",[155,2750,834,2751,2753],{},[182,2752,189],{}," CLI simplifies the entire flow into a few commands.",[856,2755,2757],{"id":2756},"login","Login",[205,2759,2761],{"className":207,"code":2760,"language":209,"meta":210,"style":210},"# Human login (opens browser for passkey auth)\ngrapes login --idp https://id.example.com\n\n# Agent login (key-based)\ngrapes login --idp https://id.example.com --key ~/.ssh/agent_key --email agent+deploy@example.com\n",[182,2762,2763,2768,2779,2783,2788],{"__ignoreMap":210},[214,2764,2765],{"class":216,"line":217},[214,2766,2767],{"class":220},"# Human login (opens browser for passkey auth)\n",[214,2769,2770,2772,2774,2776],{"class":216,"line":224},[214,2771,189],{"class":227},[214,2773,410],{"class":231},[214,2775,413],{"class":231},[214,2777,2778],{"class":231}," https://id.example.com\n",[214,2780,2781],{"class":216,"line":251},[214,2782,255],{"emptyLinePlaceholder":254},[214,2784,2785],{"class":216,"line":258},[214,2786,2787],{"class":220},"# Agent login (key-based)\n",[214,2789,2790,2792,2794,2796,2798,2800,2802,2804],{"class":216,"line":264},[214,2791,189],{"class":227},[214,2793,410],{"class":231},[214,2795,413],{"class":231},[214,2797,416],{"class":231},[214,2799,419],{"class":231},[214,2801,241],{"class":231},[214,2803,424],{"class":231},[214,2805,427],{"class":231},[856,2807,2809],{"id":2808},"request-and-execute-in-one-step","Request and Execute in One Step",[205,2811,2813],{"className":207,"code":2812,"language":209,"meta":210,"style":210},"# Request grant, wait for approval, execute via escapes\ngrapes run escapes \"systemctl restart nginx\" --reason \"Deploy hotfix #42\"\n\n# Request with timed approval\ngrapes run escapes \"apt-get upgrade\" --approval timed --duration 1h --reason \"Security update\"\n",[182,2814,2815,2820,2842,2846,2851],{"__ignoreMap":210},[214,2816,2817],{"class":216,"line":217},[214,2818,2819],{"class":220},"# Request grant, wait for approval, execute via escapes\n",[214,2821,2822,2824,2826,2828,2830,2832,2834,2836,2838,2840],{"class":216,"line":224},[214,2823,189],{"class":227},[214,2825,446],{"class":231},[214,2827,449],{"class":231},[214,2829,289],{"class":247},[214,2831,454],{"class":231},[214,2833,295],{"class":247},[214,2835,459],{"class":231},[214,2837,289],{"class":247},[214,2839,464],{"class":231},[214,2841,391],{"class":247},[214,2843,2844],{"class":216,"line":251},[214,2845,255],{"emptyLinePlaceholder":254},[214,2847,2848],{"class":216,"line":258},[214,2849,2850],{"class":220},"# Request with timed approval\n",[214,2852,2853,2855,2857,2859,2861,2864,2866,2869,2872,2875,2878,2880,2882,2885],{"class":216,"line":264},[214,2854,189],{"class":227},[214,2856,446],{"class":231},[214,2858,449],{"class":231},[214,2860,289],{"class":247},[214,2862,2863],{"class":231},"apt-get upgrade",[214,2865,295],{"class":247},[214,2867,2868],{"class":231}," --approval",[214,2870,2871],{"class":231}," timed",[214,2873,2874],{"class":231}," --duration",[214,2876,2877],{"class":231}," 1h",[214,2879,459],{"class":231},[214,2881,289],{"class":247},[214,2883,2884],{"class":231},"Security update",[214,2886,391],{"class":247},[856,2888,2890],{"id":2889},"manual-flow","Manual Flow",[205,2892,2894],{"className":207,"code":2893,"language":209,"meta":210,"style":210},"# Request a grant\ngrapes request \"systemctl restart nginx\" --audience escapes --wait\n\n# Check status\ngrapes status grant-uuid-...\n\n# List pending grants\ngrapes list --status pending\n\n# Get the token\ngrapes token grant-uuid-...\n",[182,2895,2896,2901,2922,2926,2931,2941,2945,2950,2963,2967,2972],{"__ignoreMap":210},[214,2897,2898],{"class":216,"line":217},[214,2899,2900],{"class":220},"# Request a grant\n",[214,2902,2903,2905,2908,2910,2912,2914,2917,2919],{"class":216,"line":224},[214,2904,189],{"class":227},[214,2906,2907],{"class":231}," request",[214,2909,289],{"class":247},[214,2911,454],{"class":231},[214,2913,295],{"class":247},[214,2915,2916],{"class":231}," --audience",[214,2918,449],{"class":231},[214,2920,2921],{"class":231}," --wait\n",[214,2923,2924],{"class":216,"line":251},[214,2925,255],{"emptyLinePlaceholder":254},[214,2927,2928],{"class":216,"line":258},[214,2929,2930],{"class":220},"# Check status\n",[214,2932,2933,2935,2938],{"class":216,"line":264},[214,2934,189],{"class":227},[214,2936,2937],{"class":231}," status",[214,2939,2940],{"class":231}," grant-uuid-...\n",[214,2942,2943],{"class":216,"line":283},[214,2944,255],{"emptyLinePlaceholder":254},[214,2946,2947],{"class":216,"line":300},[214,2948,2949],{"class":220},"# List pending grants\n",[214,2951,2952,2954,2957,2960],{"class":216,"line":314},[214,2953,189],{"class":227},[214,2955,2956],{"class":231}," list",[214,2958,2959],{"class":231}," --status",[214,2961,2962],{"class":231}," pending\n",[214,2964,2965],{"class":216,"line":394},[214,2966,255],{"emptyLinePlaceholder":254},[214,2968,2969],{"class":216,"line":399},[214,2970,2971],{"class":220},"# Get the token\n",[214,2973,2974,2976,2979],{"class":216,"line":405},[214,2975,189],{"class":227},[214,2977,2978],{"class":231}," token",[214,2980,2940],{"class":231},[856,2982,2984],{"id":2983},"approve-as-the-approver","Approve (as the approver)",[205,2986,2988],{"className":207,"code":2987,"language":209,"meta":210,"style":210},"grapes approve grant-uuid-...\ngrapes deny grant-uuid-...\n",[182,2989,2990,2999],{"__ignoreMap":210},[214,2991,2992,2994,2997],{"class":216,"line":217},[214,2993,189],{"class":227},[214,2995,2996],{"class":231}," approve",[214,2998,2940],{"class":231},[214,3000,3001,3003,3006],{"class":216,"line":224},[214,3002,189],{"class":227},[214,3004,3005],{"class":231}," deny",[214,3007,2940],{"class":231},[856,3009,3011],{"id":3010},"delegations","Delegations",[205,3013,3015],{"className":207,"code":3014,"language":209,"meta":210,"style":210},"# Allow another user to act on your behalf\ngrapes delegate --to alice@example.com --at escapes --approval always\n\n# List active delegations\ngrapes delegations\n",[182,3016,3017,3022,3045,3049,3054],{"__ignoreMap":210},[214,3018,3019],{"class":216,"line":217},[214,3020,3021],{"class":220},"# Allow another user to act on your behalf\n",[214,3023,3024,3026,3029,3032,3035,3038,3040,3042],{"class":216,"line":224},[214,3025,189],{"class":227},[214,3027,3028],{"class":231}," delegate",[214,3030,3031],{"class":231}," --to",[214,3033,3034],{"class":231}," alice@example.com",[214,3036,3037],{"class":231}," --at",[214,3039,449],{"class":231},[214,3041,2868],{"class":231},[214,3043,3044],{"class":231}," always\n",[214,3046,3047],{"class":216,"line":251},[214,3048,255],{"emptyLinePlaceholder":254},[214,3050,3051],{"class":216,"line":258},[214,3052,3053],{"class":220},"# List active delegations\n",[214,3055,3056,3058],{"class":216,"line":264},[214,3057,189],{"class":227},[214,3059,3060],{"class":231}," delegations\n",[3062,3063,3064],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}",{"title":210,"searchDepth":251,"depth":224,"links":3066},[3067,3068,3069,3070,3071,3072,3076,3079,3080,3083,3087],{"id":165,"depth":224,"text":166},{"id":196,"depth":224,"text":197},{"id":486,"depth":224,"text":487},{"id":507,"depth":224,"text":508},{"id":561,"depth":224,"text":562},{"id":850,"depth":224,"text":851,"children":3073},[3074,3075],{"id":858,"depth":251,"text":859},{"id":947,"depth":251,"text":948},{"id":1292,"depth":224,"text":1293,"children":3077},[3078],{"id":1670,"depth":251,"text":1671},{"id":1802,"depth":224,"text":1803},{"id":2013,"depth":224,"text":2014,"children":3081},[3082],{"id":2164,"depth":251,"text":2165},{"id":2432,"depth":224,"text":2433,"children":3084},[3085,3086],{"id":2436,"depth":251,"text":2437},{"id":2499,"depth":251,"text":2500},{"id":2747,"depth":224,"text":2748,"children":3088},[3089,3090,3091,3092,3093],{"id":2756,"depth":251,"text":2757},{"id":2808,"depth":251,"text":2809},{"id":2889,"depth":251,"text":2890},{"id":2983,"depth":251,"text":2984},{"id":3010,"depth":251,"text":3011},"Raw API reference for enrolling agents, requesting grants, and using AuthZ-JWTs.","md",null,{},{"title":24,"description":3094},"UwMHzWFYx1sijMSYhbaLjDmfW_1rX9rKN2zeSkWZJ6w",[3101,3103],{"title":20,"path":21,"stem":22,"description":3102,"children":-1},"Deploy your own OpenApe IdP with DNS, storage, and Passkey authentication.",{"title":34,"path":35,"stem":36,"description":3104,"children":-1},"The DDISA login flow and grant system explained.",1774221116104]