Skip to content

v0.6.0

Choose a tag to compare

@github-actions github-actions released this 03 Jun 06:41

Keyless trust mint (§3.1)

afauth now authenticates to the trust attestor by signing each /v1/token mint with the agent's account key (RFC 9421 / §5) instead of storing and presenting a bearer binding_token. The agent's keypair is the sole credential — there is no standing secret to leak.

Changed

  • afauth trust token, afauth signup (discovery-driven auto-attest), and afauth call --attest (§10.7 refresh-on-challenge) now sign the mint request with the agent key.
  • ~/.afauth/trust.json no longer stores a binding_token — only the binding id and its expiry. Existing trust.json files keep working: the old field is ignored on load, so upgrading needs no re-link.

Compatibility

  • Requires a trust attestor that accepts §5-signed mints. The default trust.afauth.org does as of this release. An older attestor that still expects a bearer token will reject v0.6.0 — re-link is not needed, but the attestor must be on the keyless build.

Binaries for macOS / Linux / Windows × amd64 / arm64 are attached below; brew upgrade afauth updates the Homebrew cask.