{"openapi":"3.1.0","info":{"title":"AgentPass Payment API","version":"1.0.0","description":"Live demonstration of the OpenAPI x-agent-trust extension as published in the OpenAPI Initiative Extensions Registry: https://spec.openapis.org/registry/extension/x-agent-trust.html . The Agent-Signature header is verified per the x-agent-trust security scheme; the minimum trust level required for each operation is carried in the security requirement scopes array.","contact":{"name":"CyberSecAI Ltd","email":"contact@agentsign.dev","url":"https://agentpass.co.uk"},"license":{"name":"Business Source License 1.1","url":"https://agentpass.co.uk/license"}},"servers":[{"url":"https://agentpass.co.uk","description":"AgentPass production"}],"components":{"securitySchemes":{"AgentTrust":{"type":"apiKey","name":"Agent-Signature","in":"header","description":"Uses agent trust information in lieu of a traditional API key. Requires the x-agent-trust extension below. The Agent-Signature header is an RFC 8941 structured field carrying keyid, alg, ts, and sig over a canonical request that is \"<METHOD> <PATH>\\n<unix-ts>\\n<sha256-hex(body)>\".","x-agent-trust":{"algorithm":"ES256","trustLevels":["L0","L1","L2","L3","L4"],"issuerKeysUrl":"https://agentpass.co.uk/.well-known/agent-trust-keys"}},"DeveloperKey":{"type":"http","scheme":"bearer","description":"Developer API key issued at registration. Authorises the calling account; orthogonal to AgentTrust which authorises the agent."}}},"paths":{"/api/pay":{"post":{"summary":"Make a payment authorised by an AI agent","description":"Pre-checks: AML sanctions screening (UK HMT + OFAC SDN), Mastercard Onboard Risk Check, trust scoring, identity verification. The Agent-Signature header is verified per the x-agent-trust extension before any state change. Per the registry, the scopes array on the security requirement carries the minimum trust level required for this operation.","operationId":"makeAgentPayment","security":[{"DeveloperKey":[]},{"AgentTrust":["L2"]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["agentId","to","amount","currency"],"properties":{"agentId":{"type":"string","example":"agent_a1b2c3..."},"to":{"type":"string","example":"aws.amazon.com"},"amount":{"type":"integer","description":"Amount in minor units (cents)","example":500},"currency":{"type":"string","example":"usd"},"description":{"type":"string","example":"EC2 instance"},"nonce":{"type":"string","description":"Optional client-supplied nonce for replay protection"}}}}}},"responses":{"201":{"description":"Payment authorised, transaction signed and recorded"},"401":{"description":"Agent-Signature missing, malformed, expired, or signature does not verify"},"403":{"description":"Sanctions hit, trust level insufficient, or limit exceeded"}}}},"/.well-known/agent-trust-keys":{"get":{"summary":"JWKS endpoint for agent public keys","description":"Returns the JSON Web Key Set of all currently active (non-revoked) AgentPass agent public keys. Each key has kid set to the agent ID. Verifiers can pin this URL or cache the keyset.","operationId":"getAgentTrustKeys","responses":{"200":{"description":"JWKS document"}}}}}}