# BKey Developer Docs

## Docs

- [Get Checkout Status](https://bkey.id/docs/api-reference/checkout/get-checkout-status.md): Poll checkout status. Returns status "pending" until the user approves on mobile. When status becomes "approved" and later "completed", the orderConfirmation fields will be populated.
- [Initiate Checkout](https://bkey.id/docs/api-reference/checkout/initiate-checkout.md): Agent initiates a checkout (purchase). Sends a push notification to the user for biometric approval of the payment amount + merchant. When invoked with a CIBA-approved token (approve:payment scope), the payment is auto-approved without a second push.
- [CIBA Backchannel Authorize](https://bkey.id/docs/api-reference/oauth/ciba-backchannel-authorize.md): Initiate a CIBA backchannel authentication request. The user receives a push notification to approve on their mobile device; poll POST /oauth/token with grant_type urn:openid:params:grant-type:ciba to retrieve the approval token.
- [Device Authorization](https://bkey.id/docs/api-reference/oauth/device-authorization.md): RFC 8628 device authorization request. Returns a user_code and verification_uri that the user visits on another device to approve. Poll POST /oauth/token with grant_type urn:ietf:params:oauth:grant-type:device_code to retrieve the token.
- [Get JWKS](https://bkey.id/docs/api-reference/oauth/get-jwks.md): Returns the JSON Web Key Set for verifying BKey-issued JWTs (EdDSA / Ed25519).
- [Get UserInfo](https://bkey.id/docs/api-reference/oauth/get-userinfo.md): OIDC UserInfo. Returns the authenticated subject (user DID) and granted scopes for the bearer token. Use this to verify a CIBA approval token and identify which user approved the action.
- [OIDC Discovery](https://bkey.id/docs/api-reference/oauth/oidc-discovery.md): OpenID Connect discovery document. Lists all supported endpoints, grant types, scopes, and signing algorithms.
- [Revoke Token](https://bkey.id/docs/api-reference/oauth/revoke-token.md): RFC 7009 token revocation. Revokes an access or refresh token. Always returns 200 (per spec) even if the token is unknown, to prevent token enumeration.
- [Token Endpoint](https://bkey.id/docs/api-reference/oauth/token-endpoint.md): RFC 6749 token endpoint. Supports grant types: client_credentials, refresh_token, urn:ietf:params:oauth:grant-type:device_code, urn:openid:params:grant-type:ciba. Request body must be application/x-www-form-urlencoded.
- [API Overview](https://bkey.id/docs/api-reference/overview.md): BKey API — base URL, authentication, response format, and error handling.
- [Create Agent Payment Session](https://bkey.id/docs/api-reference/payments/create-agent-payment-session.md): Create a payment session (agent-facing). Used when an AI agent initiates a purchase on behalf of the user. When called with a CIBA-approved token (approve:payment scope), the session is auto-approved.
- [Create Payment Session](https://bkey.id/docs/api-reference/payments/create-payment-session.md): Create a payment session (merchant-facing). Called by plugins (WooCommerce, Medusa, etc.) to start a BKey-approved payment flow. The merchant authenticates with a mk_live_* / mk_test_* API key. Returns an approvalUrl to redirect the shopper to.
- [Get Payment Session Status](https://bkey.id/docs/api-reference/payments/get-payment-session-status.md): Get a payment session (public polling endpoint). Returns non-sensitive fields only — used by the shopper approval page to display payment details and poll for status changes.
- [Merchant Connect](https://bkey.id/docs/api-reference/payments/merchant-connect.md): Initiate merchant onboarding. Called by e-commerce platform plugins (WooCommerce, Medusa, etc.) to start the connect flow. Creates a session in Redis and redirects the merchant to the BKey approval page where they prove their identity with biometric approval. No authentication required — this endpoi…
- [Get Vault Access Status](https://bkey.id/docs/api-reference/vault/get-vault-access-status.md): Poll the status of a vault access request. Returns status "pending" until the user approves on their mobile device. When status becomes "approved", the e2eeCiphertext field contains the base64-encoded encrypted payload.
- [List Vault Keys](https://bkey.id/docs/api-reference/vault/list-vault-keys.md): Fetches the mobile device's X25519 public key for end-to-end encrypting vault payloads. Requires the vault:store scope. The mobile app must have registered a key first.
- [Request Vault Access](https://bkey.id/docs/api-reference/vault/request-vault-access.md): Agent requests access to a vault item by name. Sends a push notification to the user for biometric approval. Poll GET /v1/vault/access/{id} for the status + decrypted payload.
- [CIBA](https://bkey.id/docs/authentication/ciba.md): Client-Initiated Backchannel Authentication — per-action biometric approval.
- [Client Credentials](https://bkey.id/docs/authentication/client-credentials.md): Authenticate your agent or server using client credentials.
- [CLI Authentication](https://bkey.id/docs/authentication/device-authorization.md): How humans log into the BKey CLI (RFC 8628 device authorization) and how they mint client credentials for agents.
- [Integrate BKey](https://bkey.id/docs/authentication/integrating-bkey.md): BKey is a standards-compliant OIDC issuer. Point any OIDC-aware auth library at our discovery URL and you can use BKey for CIBA biometric approval, agent payments (x402 + MPP), and standard OAuth 2.1 login — no SDK required.
- [Authentication Overview](https://bkey.id/docs/authentication/overview.md): BKey is a standards-compliant OAuth 2.1 / OIDC / CIBA provider. All auth flows at a glance.
- [Agent Checkout](https://bkey.id/docs/guides/agent-checkout.md): Let AI agents propose purchases and gate the actual charge behind biometric approval on the user's phone, so every transaction carries signed, auditable human consent.
- [Encryption](https://bkey.id/docs/guides/encryption.md): How BKey encrypts data at every layer — from the user's phone, through your integration, to approval tokens and vault payloads.
- [MCP Integration](https://bkey.id/docs/guides/mcp-integration.md): Gate MCP tool calls behind BKey biometric approval so every sensitive action an AI agent takes carries a signed, auditable user consent.
- [Vault Secrets](https://bkey.id/docs/guides/vault-secrets.md): Store and retrieve encrypted secrets with biometric release. The BKey server never sees plaintext — encryption happens client-side against the user's phone, and every access releases one envelope sealed to an ephemeral key the caller throws away.
- [Agent Payments](https://bkey.id/docs/guides/x402-payments.md): Let your AI agent pay for APIs and services — BKey auto-detects whether the merchant speaks x402 (USDC on-chain) or MPP (Stripe fiat) and picks the right protocol for you.
- [Introduction](https://bkey.id/docs/index.md): BKey — cryptographic proof of human intent. Think Google Authenticator, with your face, and for every decision that matters. OAuth 2.1 + CIBA identity provider with EdDSA signing.
- [Quickstart](https://bkey.id/docs/quickstart.md): Get up and running with BKey in 5 minutes.
- [CLI](https://bkey.id/docs/sdk/cli.md): @bkey/cli — biometric approval and vault access from the terminal.
- [Python SDK](https://bkey.id/docs/sdk/python.md): bkey-sdk — Python client for BKey. Biometric approval in one line.
- [TypeScript SDK](https://bkey.id/docs/sdk/typescript.md): @bkey/sdk — TypeScript/JavaScript client for BKey. Biometric approval in one line.

## OpenAPI Specs

- [openapi](https://bkey.id/docs/openapi.json)