Quickstart
Install the CLI and publish your first signed relationship attestation in minutes.
This quickstart walks through a minimal issuer-to-consumer flow with authkeep-cli.
Prerequisites
- Rust toolchain (
rustup,cargo) bash
Install the CLI:
cargo install --path crates/authkeep-cliSetup Variables
DEMO_DIR=/tmp/sig-demo
SEED_HEX=101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f
ISSUER_DID=did:web:test.example
SUBJECT_DID=did:key:z6MkAlice
KID=orgsign-1
SIG_PATH=$DEMO_DIR/.well-known/sig.json
EVENTS_PATH=$DEMO_DIR/.well-known/sig/events.jsonlrm -rf "$DEMO_DIR"Initialize Issuer
ak init-issuer \
--domain test.example \
--out-dir "$DEMO_DIR" \
--kid "$KID" \
--seed-hex "$SEED_HEX"Append Relationship Upsert
ak append-upsert \
--events-path "$EVENTS_PATH" \
--issuer "$ISSUER_DID" \
--event-id evt_001 \
--relationship-id rel_alice_emp \
--subject "$SUBJECT_DID" \
--relationship-type employee \
--roles engineering \
--issued-at 2026-02-26T23:00:00Z \
--valid-from 2026-02-01T00:00:00Z \
--kid "$KID" \
--seed-hex "$SEED_HEX"Verify and Check Access
Verify signatures and feed integrity:
ak verify "$SIG_PATH"Compute current state:
ak dump-state "$SIG_PATH"Run an authorization decision:
ak check \
--sig "$SIG_PATH" \
--subject "$SUBJECT_DID" \
--require relationship=employee \
--require role=engineeringExpected result: allow.
Revoke and Re-check
ak append-revoke \
--events-path "$EVENTS_PATH" \
--issuer "$ISSUER_DID" \
--event-id evt_002 \
--relationship-id rel_alice_emp \
--subject "$SUBJECT_DID" \
--reason-code employment_ended \
--issued-at 2026-08-30T18:20:00Z \
--effective-at 2026-08-30T18:00:00Z \
--kid "$KID" \
--seed-hex "$SEED_HEX"ak verify "$SIG_PATH"
ak check \
--sig "$SIG_PATH" \
--subject "$SUBJECT_DID" \
--require relationship=employee \
--require role=engineeringExpected result after revoke: deny.