This is a real, independent site — it doesn't belong to APTOGON. It only trusts an AI shopping agent ("ShopBot") if that agent presents a valid Human-Delegated Agent Authentication token — issued by a verified human on homosapience.org, checked live on every request, right here.
A verified human on homosapience.org issues a signed, expiring delegation token to their shopping agent — agent_id: "my-shopping-assistant", permissions read + search.
Every time ShopBot acts, CartPilot calls the public GET /api/agent/verify live — no API key, no contract with APTOGON. Click this as many times as you like, whenever you like.
One click revokes the token, and every subsequent verify call, on CartPilot or anywhere else, fails instantly. Trust isn't a one-time stamp; it's checked live on every call.
The delegation token above is a bearer credential — like an API key, whoever holds the string can present it, with no binding to a specific device or agent instance. That's exactly why the instant, every-call revocation check in Step 3 matters: it bounds how long a leaked token stays useful, rather than pretending theft is impossible.
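A relying-party gate for the per-request check and the bearer-token caveat described above, as an added example (not CartPilot's or APTOGON's code). It assumes the verify reply is JSON with `valid`, `agent_id` and `permissions` fields; `verify_live`, `FakeVerifier`, the sample token and the `checkout` permission used to exercise it are hypothetical, and the HTTP call is injected so the block runs offline.

```python
import hashlib

SAMPLE_TOKEN = "constructed-sample-token"  # constructed, not a real token

class Denied(Exception):
    """The agent request must not be served."""

def fingerprint(token):
    # Bearer credential: log a short digest, never the raw string.
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def authorize(token, needed, verify_live):
    """Gate one agent action. verify_live(token) stands in for the live
    GET /api/agent/verify call and returns (http_status, json_body); the
    body fields used here are assumed. Nothing is cached between calls."""
    if not token:
        raise Denied("no delegation token presented")
    try:
        status, body = verify_live(token)
    except Exception as exc:  # timeout, DNS failure, malformed reply
        raise Denied("verify unreachable, failing closed: " + type(exc).__name__)
    if status != 200 or not isinstance(body, dict) or body.get("valid") is not True:
        raise Denied("token " + fingerprint(token) + " not valid")
    agent_id, perms = body.get("agent_id"), body.get("permissions")
    if not isinstance(agent_id, str) or not isinstance(perms, list):
        raise Denied("verify reply incomplete, failing closed")
    if needed not in perms:
        raise Denied("permission " + repr(needed) + " not delegated")
    return agent_id

class FakeVerifier:
    """Constructed offline stand-in for the verify endpoint."""
    def __init__(self):
        self.revoked, self.down, self.calls = set(), False, 0
    def __call__(self, token):
        self.calls += 1
        if self.down:
            raise TimeoutError("constructed outage")
        if token != SAMPLE_TOKEN or token in self.revoked:
            return 200, {"valid": False}
        return 200, {"valid": True, "agent_id": "my-shopping-assistant",
                     "permissions": ["read", "search"]}

def outcome(token, needed, verifier):
    try:
        return "allow:" + authorize(token, needed, verifier)
    except Denied as exc:
        return "deny:" + str(exc)
```

Because the gate holds no cache and denies on any verify failure, a revoked or leaked token stops working on the very next request, at the cost of depending on the verify endpoint's availability.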