> ## Documentation Index
> Fetch the complete documentation index at: https://docs.agentscore.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AgentScore Passport

> Verify your identity once; your AgentScore Passport works on every gated merchant in the agentic economy.

AgentScore Passport is a portable identity credential for buyer-side agents. Verify your identity once (KYC + age + jurisdiction + sanctions) and your Passport works on every AgentScore-gated merchant (wine, regulated commerce, age-restricted services) without re-verifying per site.

The Passport is held by your agent's wallet on your behalf. Merchants see only the derived facts (`verified`, `21+`, `US-Based`, `Sanctions Clear`); never your raw PII (name, address, ID images, DOB).

## Two ways to provision a Passport

### From the `agentscore-pay` CLI (recommended for shell-tool agents)

The fastest path. One command opens a verify URL, polls until you complete KYC in the browser, and saves the credential to your agent's wallet:

```bash theme={"dark"}
agentscore-pay passport login
```

After that, every `agentscore-pay <url>` call against an AgentScore-gated merchant attaches your credential automatically; no per-call prompting, no "log in first" walls. Tokens are short-lived but `agentscore-pay` refreshes them silently in the background, so the user-visible UX is "verify once, never think about it again."

```bash theme={"dark"}
# Inspect what's saved
agentscore-pay passport status

# Remove the local credential (and revoke remotely if --api-key is set)
agentscore-pay passport logout

# Skip auto-attach for an explicit-anonymous request
agentscore-pay pay POST <url> --skip-passport ...
```

### From the dashboard (browser)

Go to [agentscore.com/dashboard/verify](https://www.agentscore.com/dashboard/verify). Sign in (free account). Optionally link a wallet by signing a challenge message. Complete identity verification with Stripe Identity (\~2 minutes, government ID + selfie). Generate operator credentials manually for agents that don't auto-provision.

## What gets shared

Merchants you transact with see only these derived facts:

| Fact            | Example |
| --------------- | ------- |
| Verified        | yes     |
| Age bracket     | `21+`   |
| Jurisdiction    | `US`    |
| Sanctions clear | yes     |

Raw PII (name, address, ID document images, date of birth) is never shared. Identity verification is handled by [Stripe Identity](https://stripe.com/identity); sanctions screening by [OpenSanctions](https://www.opensanctions.org) against OFAC, UN, EU, UK, and other public watchlists. Both process PII transiently; AgentScore stores only the derived results.

<Note>
  KYC is optional during the wallet-link flow if you're only using AgentScore for unregulated services. Merchants that gate on KYC will surface a verify prompt when you attempt to transact.
</Note>

## Cold-start bootstrap (no Passport yet)

If you skip `passport login` and run `agentscore-pay <url>` against an AgentScore-gated merchant, the merchant returns a 403 with a verify URL. Pay drives the verification inline; prints the URL, waits for you to complete KYC in the browser, then retries the original request automatically.

That single shell command becomes: agent → bootstrap 403 → user clicks → verify → settle. Zero per-merchant configuration.

The trade-off vs `passport login` first: bootstrap-minted Passports come from a merchant-initiated session, which doesn't issue a refresh\_token, so they re-verify every 24h when the access token expires. `passport login` mints a 24h access + 90d refresh pair; `agentscore-pay` rotates silently for \~90 days before any user-visible re-verify. Doing `passport login` once up front gets the better long-term UX.

## Multiple wallets, one Passport

Your Passport applies to every wallet you link. Add wallets from the dashboard with the "EVM wallet" or "Solana wallet" button; KYC carries over; you don't re-verify per wallet. One EVM signature covers all EVM chains (Base, Tempo, etc.); Solana uses its own signature. When you pay from any linked wallet, merchants resolve it to your Passport via [`POST /v1/assess`](/api-reference/post-assess).

Captured wallets (wallets that paid under one of your operator credentials but were never explicitly claimed) also inherit your account's KYC. The first time you pay from a fresh wallet under a verified Passport, AgentScore captures the wallet → operator mapping; from then on, the wallet resolves like any claimed wallet.

## Revoking access

* **Wallet**: unlink from the dashboard verify page.
* **Operator credential**: `agentscore-pay passport logout`, `DELETE /v1/credentials/:id`, or revoke from the dashboard.
* **Verification itself**: contact support to delete your verification record.

## Operator credentials in detail

Each Passport login mints an `operator_token` (`opc_...`, 24h) plus a `refresh_token` (`prt_...`, 90d); the access credential is what your agent presents as `X-Operator-Token`; the refresh credential stays on disk and is single-use rotating. A credential is identity, not verification: it identifies *who* the operator is, and the underlying account's KYC determines whether merchants accept it. Access credentials are short-lived and rotated automatically when held by `agentscore-pay` (the wallet exchanges the refresh\_token for a fresh pair the next time it's used after access expiry); merchants check the live KYC state on each request via [`POST /v1/assess`](/api-reference/post-assess).

<Warning>
  A credential token alone is not verification. If your account hasn't completed KYC, `POST /v1/credentials` returns **409 `kyc_required`**. Complete KYC first; every subsequent credential inherits the verified status automatically.
</Warning>

## Privacy posture

* **No PII at rest in AgentScore** beyond derived facts (verified / age\_bracket / jurisdiction / sanctions\_status).
* **No merchant-by-merchant disclosure of PII.** Merchants see only the derived facts above.
* **Revocable.** You can revoke any credential or unlink any wallet at any time.
* **Auditable.** Every credential issuance + every merchant assessment is logged on your account.
