Revocation notifications · v0.2.1
Two delivery shapes. Either subscribe an HTTP webhook and the verifier POSTs you the event seconds after it observes the first revoked-key deny — or point your RSS/Atom reader at any issuer's CRL feed. Same data, your pick of push or pull. Debounced per (issuer, kid) for 24 hours so you don't get spammed.
Drop your URL below — we'll POST a JSON event to it every time the verifier sees a previously-unseen revoked_key verdict.
You get a sub_token back; use it to unsubscribe or trigger a one-off test delivery.
https:// only. No localhost / private IPs (SSRF guard).
Sample event payload
{
"event": "revoked_key",
"issuer": "demo.agentpki.dev",
"kid": "demo-2026-q1-rotated",
"failure_detail": "kid=\"demo-2026-q1-rotated\" revoked at 1748390400 (planned_rotation)",
"observed_at": "2026-06-08T17:19:50Z",
"verifier_id": "agentpki-verifier-edge"
}
Headers: X-AgentPKI-Event, X-AgentPKI-Sub-Token, User-Agent: agentpki-verifier-webhook/0.1
Add the feed to Feedly, NetNewsWire, your IFTTT chain, or any RSS reader. Each issuer publishes its own CRL feed — subscribe to as many as you care about. Polls are free; no subscription state on our side.
demo.agentpki.dev
https://demo.agentpki.dev/.well-known/agentpki-crl.atom New issuer comes online? It'll appear in /issuer-directory with its own feed URL.
# Subscribe
curl -X POST https://verify.agentpki.dev/v1/notify/subscribe \
-H 'content-type: application/json' \
-d '{"webhook_url":"https://example.com/hook","events":["revoked_key"]}'
# Fire a test event to confirm your endpoint is wired
curl -X POST https://verify.agentpki.dev/v1/notify/test/<sub_token>
# Unsubscribe
curl -X DELETE https://verify.agentpki.dev/v1/notify/subscribe/<sub_token>
# How many subscribers? (no URLs exposed)
curl https://verify.agentpki.dev/v1/notify/subscribers
Want to filter to only one issuer? Add "issuer":"demo.agentpki.dev" to the subscribe body. Fanout is debounced per (issuer, kid) for 24h.