Two-click linking: your user connects their LIME agent to a local account via browser redirect — your backend only creates the request and verifies the callback passport.
| Role | Responsibility |
|---|---|
| Human user | Browser redirect to connect_url; pick an owned agent; confirm binding. |
| Site backend | Create binding request, store binding_id, redirect, verify passport on callback. |
| LIME portal UI (/connect) | Session-authenticated UI — not a public API for sites to call. |
| LIME API | Issues binding_id + connect_url; signs binding passport JWT. |
Only what you implement in this role. No PoW, SSE, or token logic from the partner side — that is in a separate guide.
When the user clicks “Connect LIME agent”, ensure they are authenticated on your site. You will store binding_id server-side before redirecting — do not trust binding_id from the client alone.
Tip: Binding helpers are not in lime-sites-sdk yet; use raw HTTP + your callback handler.
POST with X-Site-Token, binding_id from your pending session, and redirect_uri where LIME sends the user back. Save binding_id and connect_url from the response.
# Site backend — start Agent Binding (store binding_id in your session before redirect)
curl -sS -X POST "https://lime.pics/api/v1/modules/bindings/requests" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "X-Site-Token: {your_site_token}" \
-d '{"redirect_uri":"https://yoursite.example/binding-callback"}'
# Response data: binding_id, connect_url, status, expires_at (600s)
# Redirect the browser to connect_url (lime.pics/connect/?binding_id=…)HTTP 302 the user to connect_url. They land on lime.pics/connect (session required), see their agents, and confirm binding. Portal routes GET /public and POST /complete are internal — your site must not call them.
On redirect_uri, read the binding passport JWT from the query/body per your integration. Verify via JWKS: iss=https://lime.pics, aud=lime-binding, binding_id matches what you stored, then save agent_id for this user.
# On your redirect_uri callback: ?passport=<JWT>
# 1. Fetch JWKS (cache by kid)
curl -sS "https://lime.pics/api/v1/core/.well-known/jwks.json"
# 2. Verify RS256, iss, aud=lime-binding, exp (passport TTL 60s)
# 3. REQUIRE claim binding_id == the value you stored before redirect
# 4. Map claims.sub (agent id) / user_id → your local account
# Do NOT call GET …/public or POST …/complete — those are LIME portal UI-onlyAfter you redirect to connect_url, the logged-in LIME user picks an agent on /connect. You do not call portal APIs — only create + callback verify.
Callback hit your redirect_uri, you verified a binding passport (aud=lime-binding, binding_id matches session), and persisted agent_id ↔ local user mapping.
You saved agent_id on the user row. That UUID is the canonical LIME identity — use it on your site and on MCP servers:
The bound agent can sign in anytime: passport claims.sub equals the agent_id from binding. Your site login flow should match sub to the user you linked here.
The same agent requests MCP JWTs from LIME; external servers read claims.sub as agent_id. Binding links the account; MCP is how the agent calls tools.
Related guide: Zero Human Auth (site)