Business API for site backends and AI agent runtimes: site login, PoW-protected approve, JWT passports, and MCP OAuth federation (client_credentials for external resource servers). Owner portal, admin, and registration endpoints are not listed here — obtain site_token and agent_token once from the LIME user portal.
Base URL: https://lime.pics/api/v1
Scenario guides
New to LIME? Pick the scenario that matches your role. Each guide explains context, prerequisites, who does what, and numbered steps with copy-paste examples.
GET/modules/agent-login/eventsWait for site login events (SSE)
SSE stream (text/event-stream). One SSE connection per site_id. Reconnect after each terminal event. On approved, the payload includes agent_passport_jwt for JWKS verification.
Wire format: Content-Type text/event-stream. Each event is one data: line with JSON. Idle keepalive: {"type":"keepalive"}. Reconnect after each terminal event (approved or expired).
Site backend starts a PENDING login request. Requires X-Site-Token (issued once when the owner registers the site in the LIME portal). Body must be {}.
Site backend starts a PENDING binding request. Returns binding_id and connect_url. See Integration guide → Agent Binding (HTTP). Portal GET /public and POST /complete are UI-only — do not call them from your site.
GET/auth/requests/{request_id}Get login request for agent (SDK)
Agent worker: site gives you login_request_id → call this endpoint to read status, pow_challenge, pow_difficulty, expires_at, then run SDK login(request_id) or manual PoW + approve. No X-Site-Token, no X-Agent-Token.
GET/modules/oauth/.well-known/oauth-authorization-serverOAuth Authorization Server metadata
RFC 8414 discovery document (raw JSON). Full server-advertised field set at top level (RFC 8414 URLs, grant/response types, PKCE, LIME extensions). Public — no authentication. Same at GET /.well-known/oauth-authorization-server.
No authentication required. IP rate limit applies.
Issue an RS256 MCP access JWT for external resource servers. Send X-Agent-Token header only (empty body). Response is raw RFC 6749 JSON (access_token, token_type, expires_in) with Cache-Control: no-store.
Header: X-Agent-Token (same opaque agent token as LIME APIs). Valid agent token is sufficient for MCP JWT issuance.
Anonymous read of any agent identity/trust snapshot plus presentation fields. After passport verification, call with claims.sub to render UI without X-Agent-Token.
No authentication required. Rate limit: 100 requests/minute per IP (429 RATE_LIMIT_EXCEEDED).
Global public signing keys for verifying LIME agent passport JWTs (RS256). RFC 7517 raw JSON with top-level keys array. Cache by kid; refetch on signature failure.
Install lime-agents-sdk from PyPI (pypi.org/project/lime-agents-sdk) or GitHub (github.com/Mawyxx/lime-agents-sdk). LimeAgent.login() fetches the PoW challenge, solves it, and submits approve with retries.
Python API reference: lime-agents-sdk.readthedocs.io — login, MCP tools, and error types.
Requires LIME_AGENT_TOKEN in the agent process. Site backends still use X-Site-Token for create and events (out of SDK v1 scope).
API root (optional, default https://lime.pics/api/v1)
MCP OAuth (Authorization Server)
LIME exposes a machine-only OAuth 2.0 Authorization Server for MCP federation: external MCP resource servers accept RS256 JWTs issued here. This is not browser OAuth and not used for site login — site login stays on X-Site-Token / X-Agent-Token and passport JWTs.
Credentials: send your opaque agent_token as the X-Agent-Token header on POST /modules/oauth/token (same material as other LIME APIs). No request body. Any agent with a valid token may obtain an MCP access JWT.
Flow: discover metadata (RFC 8414 raw JSON at GET /api/v1/modules/oauth/.well-known/oauth-authorization-server or issuer-root alias) → POST token with X-Agent-Token header only → your MCP RS verifies the JWT with Core JWKS (RFC 7517 raw keys). Use lime-mcp-server-sdk v0.5.0+ (github.com/Mawyxx/lime-mcp-server-sdk) or see MCP Server SDK below.
Metadata, token, and Core JWKS success responses are spec-native JSON (RFC 8414, RFC 6749, RFC 7517) — no LIME envelope.
MCP access JWTs are not accepted on LIME business APIs — sending one as X-Agent-Token returns 401 INVALID_AGENT_TOKEN. Use them only on your external MCP resource server.
JWT claims: sub is the agent UUID (no agent_id claim). Default audience is mcp. Passport-specific claims (user_id, request_id) are never present in MCP tokens.
Request MCP access token
# client_credentials — authenticate with X-Agent-Token (same opaque value as LIME APIs)curl-sS-XPOST"https://lime.pics/api/v1/modules/oauth/token"\-H"Accept: application/json"\-H"X-Agent-Token: {your_agent_token}"
Discover Authorization Server metadata
# RFC 8414 metadata (raw JSON — read issuer, jwks_uri at top level)curl-sS"https://lime.pics/api/v1/modules/oauth/.well-known/oauth-authorization-server"# Also at issuer root (nginx alias):# curl -sS "https://lime.pics/.well-known/oauth-authorization-server"# Example response (full discovery document):# {"issuer":"https://lime.pics","authorization_endpoint":"https://lime.pics/api/v1/modules/oauth/authorize","token_endpoint":"https://lime.pics/api/v1/modules/oauth/token","jwks_uri":"https://lime.pics/api/v1/core/.well-known/jwks.json","registration_endpoint":"https://lime.pics/api/v1/modules/oauth/register","grant_types_supported":["authorization_code","client_credentials"],"response_types_supported":["code"],"scopes_supported":["mcp"],"token_endpoint_auth_methods_supported":["none"],"code_challenge_methods_supported":["S256"],"lime_agent_token_header":"X-Agent-Token","lime_token_request_body":"grant_type","lime_default_audience":"mcp"}
Verify MCP JWT on your resource server (lime-mcp-server-sdk)
# pip install lime-mcp-server-sdk# https://github.com/Mawyxx/lime-mcp-server-sdk# Full Python API: https://lime-mcp-server-sdk.readthedocs.io/from lime_mcp_server import TokenVerifierverifier = TokenVerifier() # LIME_BASE_URL, LIME_OAUTH_AUDIENCE from envresult = verifier.verify("{access_token_from_oauth_token_response}")if result.is_valid:print(result.agent_id) # alias for claims["sub"] (agent UUID)
Variable
Description
LIME_AGENT_TOKEN
Agent secret — X-Agent-Token on /oauth/token (required)
LIME_API_BASE
API root (optional, default https://lime.pics/api/v1)
Python MCP Server SDK
Install lime-mcp-server-sdk v0.5.0+ from PyPI (pypi.org/project/lime-mcp-server-sdk) or GitHub (github.com/Mawyxx/lime-mcp-server-sdk). TokenVerifier fetches raw RFC 8414 metadata and Core JWKS (RFC 7517 top-level keys), and verifies RS256 MCP JWTs.
Python API reference: lime-mcp-server-sdk.readthedocs.io — installation, quickstart, and mkdocstrings API.
Agent identity is JWT claim sub (TokenValidationResult.agent_id is an alias). Framework adapters (e.g. FastMCP) belong in your RS or monorepo harness — not in the SDK wheel.
Architecture: ADR 0083 in the LIME monorepo docs.
Verify MCP JWT with TokenVerifier
# pip install lime-mcp-server-sdk# https://github.com/Mawyxx/lime-mcp-server-sdk# Full Python API: https://lime-mcp-server-sdk.readthedocs.io/from lime_mcp_server import TokenVerifierverifier = TokenVerifier()result = verifier.verify("{bearer_mcp_jwt}")if result.is_valid:print(result.agent_id) # alias for claims["sub"]
Variable
Description
LIME_BASE_URL
LIME issuer base URL (default https://lime.pics)
LIME_OAUTH_AUDIENCE
Expected JWT aud claim (default mcp)
LIME_JWKS_CACHE_TTL_SECONDS
JWKS cache TTL seconds (default 3600)
Python Site SDK
Install lime-sites-sdk from PyPI (pypi.org/project/lime-sites-sdk) or GitHub (github.com/Mawyxx/lime-site-sdk). Construct LimeSite inside a running asyncio loop; on_login handlers receive SSE approved/expired events; create_login_request() starts the login flow.
Python API reference: lime-sites-sdk.readthedocs.io — FastAPI patterns, verify_passport, and SSE notes.
Requires LIME_SITE_TOKEN on the site backend. Verify agent_passport_jwt with JWKS via LimeSite.verify_passport() or your own PyJWT path.
Agent Binding methods are not in the SDK yet — use HTTP POST /modules/bindings/requests + JWKS aud=lime-binding (see Agent Binding guide above). Architecture: ADR 0060 / ADR 0087.