SwiftAPI Authority Documentation

SwiftAPI is a trust authority for governing autonomous AI execution via cryptographic attestations and mandatory enforcement points.

System Overview


AI Agent
   │
   ▼
SwiftAPI Trust Authority (swiftapi.ai)
   │  ── issues signed attestations
   ▼
Mandatory Enforcement Point (K8s Admission, Proxy, Gateway)
   │
   ▼
Execution Allowed or Denied

SwiftAPI does not execute actions. It does not run agents. It does not bypass enforcement. It issues verifiable permission artifacts that external enforcement points validate before allowing execution.

Quick Start (Python SDK)

The recommended way to integrate SwiftAPI is via the official Python SDK. It handles cryptographic verification, fail-closed logic, and revocation checks automatically.

1. Installation

pip install swiftapi-python

2. Integration (The "Golden Loop")

Wrap your dangerous functions in the Enforcement guard. This ensures no action runs without a signed attestation from the Authority.

from swiftapi import SwiftAPI, Enforcement

# Initialize with your Authority Key
api = SwiftAPI(key="swiftapi_live_...")
guard = Enforcement(api)

def destructive_action():
    # This code is effectively dead unless SwiftAPI unlocks it
    print("Dropping production database...")

# Execute with Governance
try:
    guard.run(
        func=destructive_action,
        action="database_drop",
        intent="Schema cleanup script"
    )
except Exception as e:
    print(f"BLOCKED: {e}")
    # Output: "Blocked by policy 'no_database_drop'"

Why use the SDK?

Automatic Ed25519 Verification: The SDK locally validates the cryptographic signature of every attestation before allowing execution.
Double-Check Protocol: It automatically performs a real-time revocation check to prevent replay attacks.
Fail-Closed: If the network is down or the key is invalid, execution is physically impossible.

View on PyPI

Authority Keys

Authority keys grant the ability to exercise governance over the trust authority.

Key Type	Purpose
`Recovery`	Emergency root. Offline storage recommended. Can revoke owner keys.
`Owner`	Manages authority, policies, grants, and regular keys.
`Regular`	Scoped authority for automation, systems, or delegated access.

Important:

Keys are opaque tokens. Format: swiftapi_live_[64 hex chars]
Only SHA-256 hashes are stored. Raw keys are never persisted.
Keys are delivered once. They cannot be retrieved again.
Revocation is immediate and irreversible.

Scopes

Each authority key is granted specific scopes that define its capabilities.

Scope	Capability
`verify`	Issue and revoke execution attestations
`grants`	Create and revoke delegated authority
`policy`	Propose, approve, and activate policy bundles
`admin`	Manage authority keys and access denial logs

A key without the required scope cannot exercise that authority under any circumstance.

Enforcement Model

SwiftAPI enforcement is mandatory when integrated with a Mandatory Enforcement Point (MEP) such as:

Kubernetes Validating Admission Controller
Network Egress Proxy
API Gateway
Sidecar or runtime hook

In a correctly deployed environment, execution physically cannot occur without a valid SwiftAPI attestation.

Attestations

Attestations are cryptographically signed tokens that authorize specific actions.

Property	Value
Signing Algorithm	Ed25519 (EdDSA)
Token Format	Base64URL encoded header.payload.signature
Default TTL	300 seconds (5 minutes)
Replay Defense	Unique JTI per attestation
Revocation	Pull-based via `/attestation/revocations`

Governance Events

All governance events are logged and cryptographically signed:

Verification attempts (success and failure)
Denial events with reasons
Policy changes (proposals, approvals, activations)
Grant creation and revocation
Attestation revocations
Key issuance and revocation

All governance events are cryptographically signed and non-repudiable.

What SwiftAPI Is Not

An AI agent framework
A prompt safety system
A monitoring or logging tool
A policy suggestion engine
A runtime sandbox
An execution environment

SwiftAPI is exclusively a trust authority. It issues verifiable governance artifacts. Enforcement is delegated to external systems.

Obtaining Authority

Authority keys are issued intentionally via human review at getswiftapi.com/request.

There is no self-service signup. Access is granted at the discretion of the authority operator.

Endpoints Reference

Public Endpoints

Endpoint	Method	Description
`/`	GET	Authority metadata and public key
`/health`	GET	Health check
`/attestation/info`	GET	Attestation format and TTL information
`/attestation/verify`	POST	Verify an attestation (rate limited)
`/attestation/revocations`	GET	List of revoked attestation JTIs
`/policies`	GET	Active policy bundles

Protected Endpoints (Require Authority Key)

Endpoint	Method	Scope	Description
`/verify`	POST	verify	Issue an execution attestation
`/attestation/revoke`	POST	verify	Revoke an attestation by JTI
`/grants`	POST	grants	Create a delegated grant
`/grants/{id}`	DELETE	grants	Revoke a grant
`/policy/bundles`	POST	policy	Upload a policy bundle
`/policy/proposals`	POST	policy	Create a policy proposal
`/policy/activate`	POST	policy	Activate a policy bundle
`/authority/keys`	POST	admin	Create a new authority key
`/authority/denials`	GET	admin	View denial log

All protected endpoints require the X-SwiftAPI-Authority header with a valid key.