FLINT Design Partner Program: now accepting a founding cohort.Apply

FLINT

Agent passport

Give your agent an identity merchants can trust.

Limits it cannot rewrite. A kill-switch you control. Free, no account, 60 seconds.

An Agent Passport is how your agent proves who sent it and what it is allowed to do, and how you shut it down if it is hijacked.

Identity versus mandate

The passport has 2 parts. Who your agent is (signed once, never changes) and what it may do (rules you can change or revoke anytime).

The passport signs identity, not spend. Your agent's identity is hybrid-signed once and never changes. The mandate, what it may do and how much it may spend, is mutable config you can update anytime without re-issuing or re-signing.

A public verifiable URL for your agent

A signed identity that never changes

A mandate you can edit or revoke anytime

Sentinel takeover alerts and freeze, free

01 / Signed identity

Who is this agent?

Add bindings (recommended)
Controller nameStrengthens accountability by tying the passport to the person or business responsible.
Controller typeClarifies whether the controller is an organization or user.
AttestationsAdds outside proof such as a GitHub org or issuer signal.

02 / Mutable mandate

What may it do?

Starter mandate: edit anytime, no re-issuing.

Allowed actions
Max transaction amount

Request preview

What we'll send

Ready to issue

Submit the form to call FLINT Network and mint a public passport URL for this agent.

What we'll send

This is the exact body the page will POST to /api/passport.

{
  "agent": {
    "agent_name": "Invoice Bot",
    "controller_id": "org_acme",
    "controller_type": "organization",
    "wallet_address": "0x7f4a3e8b9d2c5f1a0b4e7d3c6f9e2a8b1d4c7f3c1"
  },
  "mandate": {
    "allowed_actions": [
      "checkout.purchase",
      "invoice.pay"
    ],
    "max_transaction_amount": 900,
    "notes": "May pay approved invoices and complete checkout within mandate."
  },
  "origin": "web",
  "src": "passport"
}
See a passport get verified

Issue programmatically

Builders can mint passports directly

Response shape

The endpoint returns a signed envelope, mutable mandate config, and verification summary.

{
  "passport_id": "kya_01J...",
  "flint_agent_id": "faid_...",
  "passport": {
    "envelope_version": "hybrid-v0",
    "jws": "eyJhbGciOiJFUzI1NiIsImtpZCI6ImZsaW50LXByb2QtMjAyNi1RMiJ9...",
    "pq_signature": "base64url_ml_dsa_65_signature",
    "pq_kid": "flint-pq-2026-Q2",
    "pq_alg": "ML-DSA-65"
  },
  "identity": {
    "record_type": "agent_passport",
    "record_version": "1.0",
    "status": "stamped",
    "agent_name": "Invoice Bot",
    "controller_id": "org_acme",
    "wallet_address": "0x7f4a..."
  },
  "mandate": {
    "allowed_actions": [
      "checkout.purchase",
      "invoice.pay"
    ],
    "max_transaction_amount": 900,
    "version": 1
  },
  "verification": {
    "signature_valid": true,
    "es256": true,
    "pq": true,
    "valid": true
  },
  "graph_seeded": true
}

FLINT MCP tool

Use issue_agent_passport from flint.network/mcp.

{
  "tool": "issue_agent_passport",
  "server": "https://flint.network/mcp",
  "arguments": {
    "agent": {
      "agent_name": "Invoice Bot",
      "controller_id": "org_acme",
      "controller_type": "organization",
      "wallet_address": "0x7f4a3e8b9d2c5f1a0b4e7d3c6f9e2a8b1d4c7f3c1"
    },
    "mandate": {
      "allowed_actions": [
        "checkout.purchase",
        "invoice.pay"
      ],
      "max_transaction_amount": 900,
      "notes": "May pay approved invoices and complete checkout within mandate."
    }
  }
}

Attach to your agent

Call FLINT again when the agent tries to spend.

Minting is step one. At spend time, send the passport_id, nonce, timestamp, transaction.amount_display, and an environment signal so FLINT can apply the current mandate before money moves.

POST /api/verify

/api/verify server snippet

Recommended server path. Send the passport_id with the transaction and the signal you trust for this agent.

const response = await fetch("https://flint.network/api/verify", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    nonce: crypto.randomUUID(),
    timestamp: new Date().toISOString(),
    passport_id: "kya_01J...",
    partner_id: "merchant_checkout",
    merchant_reference: "order_847",
    transaction: {
      amount_display: "847.00",
      currency: "USDC",
      merchant_reference: "order_847"
    },
    agent_claim: {
      agent_id: "kya_01J..."
    }
  })
});

const verificationRecord = await response.json();

MCP config

Keep the passport_id available to your agent runtime so tools can verify the current mandate at spend time.

{
  "mcpServers": {
    "flint": {
      "url": "https://flint.network/mcp",
      "metadata": {
        "passport_id": "kya_01J..."
      }
    }
  }
}

SPIFFE claim

Use the agent's workload identity when your runtime already issues SPIFFE SVIDs.

const response = await fetch("https://flint.network/api/verify", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    nonce: crypto.randomUUID(),
    timestamp: new Date().toISOString(),
    passport_id: "kya_01J...",
    partner_id: "merchant_checkout",
    merchant_reference: "order_847",
    transaction: {
      amount_display: "847.00",
      currency: "USDC",
      merchant_reference: "order_847"
    },
    agent_claim: {
      spiffe_svid: "spiffe://acme.example/ns/agents/sa/invoice-bot"
    }
  })
});

const verificationRecord = await response.json();