{
  "method": "bridge",
  "version": "1.0",
  "spec_url": "https://agent-bridge.org/.well-known/did-bridge-spec.json",
  "description": "did:bridge wraps cloud-native agent identities into W3C verifiable DID documents. No cloud provider cooperation required.",
  "identifier_format": "did:bridge:{provider}:{cloud-native-id}",
  "providers": {
    "aws": {
      "format": "did:bridge:aws:{iam-arn}",
      "example": "did:bridge:aws:arn:aws:iam::123456789012:user/myagent",
      "proof": {
        "field": "presigned_url",
        "source": "AWS STS GetCallerIdentity"
      }
    },
    "gcp": {
      "format": "did:bridge:gcp:{service-account-email}",
      "example": "did:bridge:gcp:myagent@myproject.iam.gserviceaccount.com",
      "proof": {
        "field": "id_token",
        "source": "Google OIDC"
      }
    },
    "azure": {
      "format": "did:bridge:azure:{entra-object-id}",
      "example": "did:bridge:azure:00000000-0000-0000-0000-000000000000",
      "proof": {
        "field": "access_token",
        "source": "Microsoft Entra ID / Graph API"
      }
    }
  },
  "registration": {
    "endpoint": "POST https://agent-bridge.org/api/v1/register",
    "proof_signature_message": "register:{did}:{public_key_jwk.x}",
    "proof_signature_algorithm": "Ed25519",
    "ttl_days": 90,
    "rate_limit": "5 per IP per hour"
  },
  "resolution": {
    "endpoint": "GET https://agent-bridge.org/1.0/identifiers/{did}",
    "format": "DIF Universal Resolver",
    "content_type": "application/did+ld+json",
    "cache_ttl_seconds": 300
  },
  "authentication_flow": {
    "step_1": "Register: POST /api/v1/register",
    "step_2": "Challenge: GET https://agent-handshake.com/api/v1/challenge",
    "step_3": "Verify: POST https://agent-handshake.com/api/v1/verify with { challenge, did, signature }",
    "step_4": "Receive CALT bearer token — traverse the constellation"
  },
  "protocol": "FCS-4.0",
  "issuer": "agent-bridge.org",
  "constellation": "velastra-codex"
}