Agent CredentialsMenu

Agent Credentials

Agent credentials let you register AI agents under your verified UnaFonte identity. Each agent carries a credential that proves "a real, verified human authorized this agent" — without exposing who that human is.

Why Register Agents?

As agents start transacting with services, booking things, and executing tasks autonomously, services need a fast way to verify there's an accountable human behind an agent. UnaFonte is already the identity root — agents are just another branch.

What a Credential Looks Like

When you register an agent, UnaFonte generates a signed, opaque token:

text
uf_agent_7kX9mP2vLqR4nT8wB5jY1cD6fH3gA0

The credential contains an encoded reference to your registered agent, but carries zero PII. Services that verify it see only:

  • The agent's name and status
  • That a verified human exists behind it
  • The verification level (government ID)
  • The country of verification

Services never see your name, email, username, or any identifying information. Privacy by architecture.

Registering an Agent

  1. Go to Dashboard → Agents
  2. Click New Agent
  3. Enter a name ("My Shopping Agent", "Content Poster", etc.)
  4. Optionally add a description and platform (LangChain, CrewAI, Claude, etc.)
  5. Click Create
  6. Copy the credential token — it's shown only once

Each agent also gets a permanent public page at unafonte.com/your-username/agents/agent-slug (see below). The slug is set from the name at registration and never changes, even if you rename the agent.

Save the credential immediately

UnaFonte stores only a SHA-256 hash of the credential, never the raw token. If you lose it, you have to revoke the agent and register a new one. Copy it to a password manager or secrets vault as soon as you see it.

Using the Credential

Configure your agent to include the credential in its outgoing requests. Most agents add it as a header or a custom field when calling services. When a service wants to verify it, they POST to:

bash
curl -X POST https://unafonte.com/api/agents/verify \
  -H "Content-Type: application/json" \
  -d '{"credential": "uf_agent_7kX9mP2vLqR4nT8wB5jY1cD6fH3gA0"}'

Response:

json
{
  "valid": true,
  "agent": {
    "id": "ag_abc123",
    "name": "My Shopping Agent",
    "registeredAt": "2026-03-15T10:00:00Z",
    "status": "active"
  },
  "owner": {
    "verified": true,
    "verificationLevel": "government_id",
    "verifiedAt": "2026-01-15T10:00:00Z",
    "country": "US"
  }
}

Revoking an Agent

If an agent is compromised, retired, or no longer needed, revoke it immediately — one click from either the agent's public page or Dashboard → Agents. Revocation is instant and public: the next verification call returns valid: false with reason credential_revoked, and the public page flips to a red Revoked badge.

Revoked pages stay live on purpose — a revoked credential is still a public record. "I revoked my agent and anyone checking it sees it instantly" is the whole point. Revocation can't be undone; register a new agent if you need one again.

Services may cache verification results

UnaFonte doesn't cache verification results on our side, but services checking your agents may cache their own results for a short time. Revocation is immediate at UnaFonte but may take a few seconds to propagate through third-party caches.

Requirements

Agent registration requires a verified identity. The whole value proposition is that agent credentials trace back to a verified human — letting unverified users register agents would undermine that. If you haven't completed identity verification, do that first.

Public Agent Pages

Every registered agent has a public, shareable page — the agent equivalent of your profile and NOT ME rules. Anyone can visit it to answer four questions:

  • Who authorized this agent? Your verified identity, linked to your profile.
  • What can it do? Your "Can do" scope list.
  • What can it NOT do? Your "Cannot do" scope list — the agent equivalent of NOT ME rules.
  • Is it still valid? A prominent status badge: Active, Expired, or Revoked.

The page lives at:

text
unafonte.com/your-username/agents/your-agent-slug

It's public and indexable — the point is that anyone Googling a suspicious agent name can find the authoritative record. There's a Verify this credential button that does a live check against UnaFonte, so visitors can confirm the page isn't a stale screenshot.

Setting Scope (Can / Cannot do)

Scope is what makes an agent page useful. From your agent's page (or Dashboard → Agents), use Edit to set two lists:

  • Can do — e.g. "Summarize public web pages I share," "Draft outbound email replies for my review," "Query my public calendar availability."
  • Cannot do — e.g. "Send payments or sign contracts," "Access private accounts or DMs," "Make purchases on my behalf," "Speak publicly on my behalf."

Fill in the Cannot-do list

The denial list is the most valuable part. "This agent can never send payments" is exactly what a service — or a worried follower — needs to see. Treat it like NOT ME rules for your agent.

Expiration

Agents can have an optional expiration date. Past that date the public page shows Expired automatically — no action needed. You can extend it anytime via Edit. Leave it blank for an indefinite authorization.

Sharing

Each agent page has a copy-URL button and an "add to bio" snippet you can paste into a Twitter/LinkedIn/website bio or an agent README, like My verified AI agents: unafonte.com/your-username/agents. When the URL is shared, it unfurls with an image showing the agent name, your verified sponsorship, and the current status.