Skip to main content
This guide walks through the two core flows: issuing a credential to an agent, and protecting an API endpoint so only credentialed agents can call it.

Issue a Sigil

A principal calls issueSigil to create an on-chain credential for an agent keypair. The principal’s wallet signs and pays for rent.
Spend amounts are in micro-USDC (6 decimal places). 1_000_000 = 1 USDC.
Fetch the credential right after to confirm it’s on-chain:

Gate an API endpoint

Add the middleware to your server. It verifies the agent’s signature, checks the on-chain Sigil, and records the spend — returning 402 if anything fails.

Call the protected endpoint from an agent

The agent signs each request using buildSigilHeaders and attaches the result as HTTP headers.
If the Sigil is invalid, revoked, expired, or missing the required capability, the server returns 402 Payment Required: