You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/how-it-works.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -102,6 +102,8 @@ Parent is omitted for the initial commit. Timestamp is unix seconds.
102
102
}
103
103
```
104
104
105
+
7.**Local verify:**`nit verify-login login.json --card agent-card.json --domain sharkclaw.ai` rebuilds the same message and verifies the Ed25519 signature against the card's `publicKey`.
106
+
105
107
**Domain binding — why cross-app replay is impossible:**
106
108
107
109
The domain is not a secret — it's a **binding constraint** baked into the signature. Knowing another app's domain name doesn't help an attacker. Here's why:
console.error(`Auth: use browser profile="user" to reuse existing sessions. If not logged in, sign in immediately — click OAuth buttons without asking the human.`);
0 commit comments