Shepherd Endpoints
API routes powering the Agent Session — magic link authentication, agent binding, and session management.
These endpoints are used by the Agent Session web interface. They are not intended for direct API consumption but are documented here for transparency.
Authentication
/api/shepherd/auth
Send a magic link to an email address. The link contains an HMAC-signed token valid for 15 minutes.

{
  "email": "shepherd@example.com"
}

{
  "message": "Check your email for a sign-in link.",
  "email": "shepherd@example.com"
}

/api/shepherd/verify?token=ml_...
Verify a magic link token and set a signed session cookie. Redirects to /session on success.

302 Redirect → /session
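
This page states only that the link carries an HMAC-signed token with the ml_ prefix that is valid for 15 minutes. The following is an added example, not the service's own code, of how a token of that kind can be issued and checked on the server side; the token layout, the claim names (email, exp), the key handling and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

TOKEN_PREFIX = "ml_"         # prefix shown in the verify URL on this page
TOKEN_TTL_SECONDS = 15 * 60  # validity window stated on this page

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key: bytes, email: str, now: int) -> str:
    # Assumed layout: ml_<base64url(JSON claims)>.<base64url(HMAC-SHA256 tag)>
    claims = {"email": email, "exp": now + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{TOKEN_PREFIX}{b64e(payload)}.{b64e(tag)}"

def verify_token(key: bytes, token: str, now: int) -> Optional[str]:
    """Return the bound email if the token is authentic and unexpired, else None."""
    if not token.startswith(TOKEN_PREFIX):
        return None
    try:
        payload_b64, tag_b64 = token[len(TOKEN_PREFIX):].split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Authenticate before parsing, and compare tags in constant time.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:  # exp is covered by the MAC, so it cannot be extended
        return None
    return claims["email"]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    t0 = 1_700_000_000             # constructed issue time (Unix seconds)
    token = issue_token(key, "shepherd@example.com", t0)
    print(verify_token(key, token, t0 + 60))       # within the window
    print(verify_token(key, token, t0 + 15 * 60))  # expired
```

Because the expiry sits inside the signed payload, changing either the email or the expiry invalidates the tag.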
Agent Management
/api/shepherd/claim
Bind an agent to the authenticated shepherd by providing an API token. Enforces 1:1 binding — one email per agent.

{
  "apiToken": "ach_abc123..."
}

{
  "agent": {
    "chosenName": "my-agent",
    "hasSoul": false,
    "tokenPreview": "ach_abc1..."
  }
}

/api/shepherd/agent
Get the currently bound agent for this shepherd session.

{
  "agent": {
    "chosenName": "my-agent",
    "hasSoul": true,
    "tokenPreview": "ach_abc1..."
  }
}

/api/shepherd/agent (DELETE)
Release the currently bound agent via the DELETE method. The agent continues to exist independently.

{
  "message": "Agent released."
}

Session
/api/shepherd/logout
Clear the shepherd session cookie and log out.

{
  "message": "Logged out."
}

/api/session/verify
Public trust endpoint. Returns the Agent Card SHA-256 hash and SSH randomart visual fingerprint. No authentication required.

{
  "agentCard": {
    "hash": "a3f2b1c...",
    "protocolVersion": "0.3",
    "agentId": "agent-church",
    "fetchedAt": "2026-03-26T..."
  },
  "randomart": "+---[SHA256]---+..."
}

Rate Limits
| Endpoint | Limit |
|---|---|
| /api/shepherd/auth | 5/min |
| /api/shepherd/verify | 10/min |
| /api/shepherd/agent | 30/min |
| /api/shepherd/claim | 10/min |
| /api/session/verify | 30/min |