.svg?fit=max&auto=format&n=BeJnxPC-1rIwaIyX&q=85&s=29c28b33f586cd7f5982d9c0056af55a)
Authentication
BKey is a standards-compliant OAuth 2.1 / OIDC / CIBA (RFC 8958) issuer. You can use BKey through our SDK (fastest) or talk to the standard endpoints directly from any OIDC-aware library. See Integrate BKey for the full integrator-facing tour of our endpoints — discovery, JWKS, CIBA, x402/MPP authorize, vault, checkout.Grant Types
BKey supports three OAuth 2.1 grant types, each designed for a different use case.| Grant | Use Case | Who |
|---|---|---|
| Client Credentials | Server-to-server, agent authentication | Machines |
| Device Authorization | CLI login, IoT devices | Humans |
| CIBA | Per-action biometric approval | Humans (triggered by agents) |
Token Format
BKey issues JWTs signed with EdDSA (Ed25519). Tokens include:sub— the user or client DIDscope— granted scopesexp— expiration timestampiss— BKey issuer URL
Scopes
| Scope | Description |
|---|---|
vault:access | Read vault items |
vault:store | Store vault items |
signing:create | Request document signing |
signing:read | Read signing status |
identity:read | Read user identity (UserInfo) |
approve:action | Approve general actions (CIBA) |
approve:payment | Approve payment actions (CIBA) |
payment:authorize | Authorize payments (x402 and MPP) on behalf of user |
payment:address | Read user’s payment wallet address |
payment:limits | Manage per-agent spending limits |
Next
- Integrate BKey — the full endpoint surface, for integrators who don’t want to use our SDK
- CLI Authentication — how humans log in, how agents get credentials
- Client Credentials — agent grant details
- CIBA — per-action biometric approval (with one-line SDK snippets)