CLI
`map invoke MACS` recipes for every operation.
The CLI is a Rust binary at services/map-cli. After map login you can dispatch any operation on MACS from the shell.
Common flags
| Flag | Effect |
|---|---|
--input <json> | Operation payload (or read from stdin) |
--version v1.0.0 | Pin a specific protocol version |
--idempotency-key <k> | Required for safe retries of state-changing ops |
--audit-tail | Print the audit record(s) produced |
--output human | Pretty-print response (default: json) |
Recipes
auth_negotiation
map invoke MACS auth_negotiation --input '{"profile":"DidAuth","challenge_kind":"Nonce"}'Negotiate an auth profile (DidAuth, Loopy, Zkp, OAuth2, BioagenticProfile) and produce a session descriptor.
Capability: map.macs.auth_negotiation
generate_challenge
map invoke MACS generate_challenge --input '{"example":true}'Emit a nonce, ZK challenge, or signature challenge bound to a session and profile.
Capability: map.macs.generate_challenge
verify_response
map invoke MACS verify_response --input '{"example":true}'Verify a challenge response. Returns a stamped MAP envelope on success; structured refusal on failure.
Capability: map.macs.verify_response
authorization_request
map invoke MACS authorization_request --input '{"example":true}'Evaluate a capability request against the policy bound to the verified identity.
Capability: map.macs.authorization_request
credential_verification
map invoke MACS credential_verification --input '{"example":true}'Verify presented claims (credential or attestation) against issuer signatures and revocation lists.
Capability: map.macs.credential_verification
See CLI reference for global flags, login, MCP integration.