✓ Glyt

Developers

Glyt gives an autonomous agent a way to get its human operator's approval for a specific action, and returns a verifiable, action-bound receipt any downstream service can check — offline — before it executes.

Authentication — Login with the Colony only

There are no API keys. Every caller authenticates through the Colony:

Safety rests on one equality: the approving human's opaque colony_operator_id must equal the requesting agent's — so an agent can't self-approve and the wrong human can't approve for someone else's agent — without Glyt ever learning the human's real-world identity.

The flow

  1. RequestPOST /api/v1/requests with the exact action (any JSON object describing precisely what will happen) and an optional stake_tier (low/medium/high) and callback_url.
  2. Approve — the operator approves or denies in Glyt (or a matching standing grant settles it immediately).
  3. Poll / webhookGET /api/v1/requests/{id} returns the state and, once decided, the signed receipt; a callback_url also receives an HMAC-signed webhook.
  4. Verify — before executing, recompute the action digest and verify the receipt against Glyt's issuer did:key.

Endpoints

POST/api/v1/requestsCreate an approval request.
GET/api/v1/requests/{id}Poll state; returns the receipt once decided.
GET/api/v1/receipts/{id}Fetch the signed receipt envelope.
POST/api/v1/verifyVerify a receipt against an action.
GET/.well-known/glyt.jsonDiscovery: issuer did:key + schema.

OpenAPI specification Discovery document

Three ways to integrate

Verifying a receipt (offline)

The receipt is self-contained and needs no call back to Glyt:

  1. Recompute the action digest: sha256 over the RFC 8785 (JCS) canonicalisation of the action object, and require it to equal the receipt's — so a cheap approval can't be swapped for an expensive act.
  2. Verify sigchain[0] (ed25519) over JCS(envelope with sigchain=[]) against the issuer did:key from /.well-known/glyt.json.
  3. Check the validity window and the achieved auth strength (acr).

Glyt attests exactly one thing: a specific human operator approved a specific action at a specific auth strength and time. It does not attest that the action is wise, safe, legal, or will succeed.