Humanos — 人类授权系统

Name: Humanos — 人类授权系统
Rating: 1 (1 reviews)
Author: Humanos

Humanos

Humanos — 人类授权系统

v0.1.0

智能体操作的可编程人类授权系统。

1· 308·0 当前·0 累计

by @lagosrui (Humanos)·MIT-0

系统工具智能体安全

下载技能包

License

MIT-0

最后更新

2026/4/13

安全扫描

VirusTotal

可疑

查看报告

OpenClaw

安全

high confidence

The skill's files, scripts, and runtime instructions are coherent with its stated purpose (requiring/verifying human approval via the VIA/Humanos API); nothing requested is disproportionate, though there are a few implementation notes to review before enabling.

评估建议

This skill appears to do what it says: it signs requests (HMAC) and calls the Humanos/VIA API to create and verify human approval mandates, and includes a hook that can block tool execution without a valid mandate. Before installing: (1) audit the included handler.ts and scripts yourself or with a developer — the hook constructs shell curl commands that include your API key and signature header in the command line (this can be transiently visible to other local users/processes); (2) restrict the...

详细分析 ▾

✓ 用途与能力

Name/description match the delivered artifacts: scripts and a hook that call the Humanos/VIA API, and the declared binaries (curl, jq, openssl) and env vars (VIA_API_KEY, VIA_SIGNATURE_SECRET) are exactly what's needed to sign requests and talk to the API. No unrelated credentials or unrelated binaries are requested.

ℹ 指令范围

SKILL.md and hook instruct the agent to intercept tool calls, request/verify mandates with the Humanos API, and block tool execution when no valid mandate exists — this aligns with the stated purpose. Implementation uses execSync/curl in the hook and places the API key and signature headers directly into a constructed shell command; this is functionally correct but has two cautions: (1) transient exposure of the Authorization header in command-line/process listings while curl runs, and (2) possible shell-injection risk if untrusted inputs reach the constructed command (the code URL-encodes toolName/scope, which mitigates many cases). Review the handler and scripts if you need stricter protection of secrets or stronger isolation.

✓ 安装机制

No remote downloads or extract steps — scripts and a TypeScript hook are included in the repo and the HOOK.md explains copying them into ~/.openclaw/hooks. No third-party package installs or untrusted URLs are used by the skill itself.

✓ 凭证需求

Only two environment variables are required: VIA_API_KEY (primary) and VIA_SIGNATURE_SECRET. Both are directly necessary for authenticated, signed API calls to the Humanos/VIA service. No unrelated service credentials are requested.

ℹ 持久化与权限

The hook can be installed to intercept every tool invocation (tool.pre) and block execution when mandates are missing — that is a high-impact capability but is exactly what an authorization guard should do. The skill is not always: true and does not autonomously install itself (the HOOK.md requires the user to copy/enable it). Only enable the hook if you trust the provider and are comfortable granting it the ability to block tool executions.

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

🖥️ OSmacOS · Linux

版本

latestv0.1.02026/3/4

humanos-openclaw 0.1.0 - Adds skill documentation describing how to require verifiable human approval before high-risk agent actions. - Explains usage scenarios such as approvals, signatures, sensitive data access, and agent delegation. - Lists environment prerequisites (VIA_API_KEY, VIA_SIGNATURE_SECRET) and supported platforms (macOS, Linux). - Details example workflows, API endpoints, and command-line usage for creating and managing approval requests. - Provides rules for request creation, required data formats, and signing/authentication procedures.

● 可疑

安装命令点击复制

官方npx clawhub@latest install humanos-openclaw

镜像加速npx clawhub@latest install humanos-openclaw --registry https://cn.clawhub-mirror.com

技能文档

AI agents can execute actions. Humanos lets them prove human authorization before they do.

Require a mandate signature before high-risk execution.

什么做

Collect human approval 之前 sensitive agent actions
Issue machine-verifiable mandate signatures
Support scoped delegation (amount, 持续时间, action 类型)
Enable revocation 的 previously granted authority

Humanos provides the authorization proof. Your runtime decides whether to execute.

当...时到使用

Use Humanos when your agent can:

移动 money 或签名 transactions
Initiate payouts, refunds, 或 batch payments
修改或删除用户 data
导出或分享 sensitive data
更改账户 permissions 或 roles
Rotate API keys 或 security credentials
更新 billing details 或 subscription plans
Execute contracts 或 legal agreements
Accept updated terms 在...上 behalf 的用户
Grant 第三个-party access 到 data
Release funds 从 escrow
Increase 事务或 withdrawal limits
File claims, applications, 或 regulatory forms
Approve loan 或 credit changes
Post 或发布在...下用户's identity
Control IoT 或 physical access devices
Act 在...上 behalf 的用户
Delegate authority 到另一个 agent

If the action affects money, data, identity, ownership, or legal position, require a mandate signature.

如何 Works

Agent prepares structured action
Agent calls requestMandate(action, constraints)
Human approves 通过 SMS, email, wallet, API, 或任何 programmable channel
Humanos returns signed mandate signature
Agent verifies 带有 verifyMandate(signature)
Agent decides whether 到 execute

No valid mandate signature -> execution should not proceed.

Core API

requestMandate(action, constraints) -> mandate_signature verifyMandate(mandate_signature) -> true / false revokeMandate(mandate_signature)

Simple. Programmable. Deterministic.

通过 Humanos - Operational Instructions 对于 Agents

Use this skill whenever the agent is about to do something that requires a human to say "yes" first. It sends a secure approval request to the right person - they receive a link, review the details, and approve or reject. The result comes back as a W3C Verifiable Credential with cryptographic proof that the action was authorized.

agent 应该 NEVER proceed 带有 sensitive action (payment, signing, data access, transfer) 没有第一个使用 skill 到获取 authorization.

当...时到使用 skill

Use this skill when the user says things like:

"I 需要 approval 从 [someone] 之前正在做 [something]"
"获取 authorization 从 my manager 对于 payment"
"发送 contract/document 到 [someone] 对于 signing"
"Check 如果 [someone] approved 请求"
"有 mandate 已 approved 或 rejected?"
"验证 person's identity 之前 proceeding"
"获取 consent 从用户对于 data 处理中"
"取消待处理 approval 请求"
"Look up 用户 [email/phone/做过]"
" mandate 仍然有效?"

Also use this skill when the agent is about to:

使 payment 或 transfer — 获取 approval 第一个
签名或发送 contract — collect digital signature
Access sensitive data — 验证 authorization exists
Execute high-值 action — check mandate constraints (amount limits, 时间 bounds)
开始 onboarding flow — combine contract + 表单 + consent 在...中 one 请求

Trigger keywords: approval, authorize, mandate, sign, consent, credential, KYC, identity verification, human approval, compliance, permission, delegation.

Prerequisites

通过 Protocol 账户带有 API 键从 app.humanos.id
Environment variables 设置:

- VIA_API_KEY — Bearer 令牌对于 API authentication - VIA_SIGNATURE_SECRET — HMAC secret 对于请求 signing - 可选: VIA_API_URL — Override API base URL (默认: https://api.humanos.id)

Windows note: this skill is currently supported on macOS/Linux shells. On Windows, use WSL or Git Bash with bash, curl, jq, and openssl installed.

Authentication

All API requests require:

Authorization: Bearer $VIA_API_KEY
X-Timestamp: 
X-Signature:

Use the signing script: scripts/sign-request.sh

Official API documentation: https://humanos.mintlify.app/essentials/introduction

Operation 索引 (Fast Lookup)

Use this as the primary lookup table before reading detailed sections.

Goal	Script	Method	Endpoint	Required Args
Create approval request	`scripts/create-request.sh`	`POST`	`/v1/request`	`--contact`, `--type`, `--name`
Check request status	`scripts/get-request.sh`	`GET`	`/v1/request/:id`	`--id`
Find requests	`scripts/find-requests.sh`	`GET`	`/v1/request?contact`	did	internalId	one of `--contact`, `--did`, `--internal-id`
Get credential proof	`scripts/get-credential.sh`	`GET`	`/v1/credential/:id`	`--id`
Get mandate	`scripts/get-mandate.sh`	`GET`	`/v1/via/mandates/:id`	`--id`
Get mandate VC	`scripts/get-mandate-vc.sh`	`GET`	`/v1/via/mandates/:id/vc`	`--id`
Resolve DID	`scripts/resolve-did.sh`	`GET`	`/v1/via/dids/:did`	`--did`
Look up user	`scripts/get-user.sh`	`GET`	`/v1/user?contact`	did	internalId	one of `--contact`, `--did`, `--internal-id`
Cancel request	`scripts/cancel-request.sh`	`DELETE`	`/v1/request/:id`	`--id`
Resend OTP	`scripts/resend-otp.sh`	`PATCH`	`/v1/request/resend/:id`	`--id` (and optional `--contact`)

创建请求 Rules (Critical)

Follow these rules to avoid generic 400 Failed to generate credentials request responses.

使用 --类型 作为: document, consent, 或 json (lowercase 输入框; script converts internally).
表单 不 supported 作为 inline credential 在...中 script. 使用 resource IDs 对于 forms.
--data 应该 JSON 数组的 fields. single 对象也 accepted 和 auto-wrapped.
Every 字段应该关注:

- label (字符串) - 类型 (字符串, 数字, 布尔值, 日期, url, pdf, 对象, 数组) - 值 (matches 类型) - hidden (布尔值; defaults 到 假)

类型-specific mandatory fields:

- consent: 必须 include {"label":"text","类型":"字符串","值":"...","hidden":假} - document: 必须 include {"label":"pdf","类型":"pdf","值":"","hidden":假}

有效 examples (复制/paste)

Consent (recommended 对于 simple approvals):

scripts/create-request.sh \
  --contact "+351919307983" \
  --type "consent" \
  --name "Football approval" \
  --data '[{"label":"text","type":"string","value":"I approve football tomorrow.","hidden":false}]'

JSON mandate:

scripts/create-request.sh \
  --contact "user@example.com" \
  --type "json" \
  --name "Hotel Booking Authorization" \
  --data '[
    {"label":"amount","type":"number","value":450,"hidden":false},
    {"label":"currency","type":"string","value":"EUR","hidden":false}
  ]'

Document signature:

scripts/create-request.sh \
  --contact "user@example.com" \
  --type "document" \
  --name "NDA Signature" \
  --data '[{"label":"pdf","type":"pdf","value":"","hidden":false}]'

Signing Algorithm (Exact Bytes, Critical)

All 401 Invalid signature incidents should be debugged against this section.

Build 请求 body once.
Keep body 作为 compact JSON 字符串.
Generate 时间戳 在...中 unix milliseconds (13 digits).
Compute payload 作为:

- 时间戳 + "." + body 当...时 body 不空 - 时间戳 当...时 body 空

Compute signature = HMAC_SHA256_HEX(payload, VIA_SIGNATURE_SECRET).
发送 exactly 相同 body bytes 在...中 HTTP 请求.

Deterministic checklist

使用 jq -c 或 jq -n 到 build compact JSON.
使用 printf, 不 echo, 当...时 signing (avoid accidental newline).
做不 reformat body 之后 signature generation.
签名和发送 immediately (avoid stale timestamps).
Keep UTF-8 text unchanged (accents 和 symbols 必须 match).

Common failure modes

时间戳 includes non-digits (对于示例, %3N incompatibility 在...上 macOS).
Body 是 pretty-printed 对于 signing 但是 compacted 对于 sending (或 vice versa).
Body 键 order/escaping changed 之间 signature 和请求.
Wrong base URL 或 environment points 到不同 backend.
Secret/令牌 mismatch 之间 environments.

Core Operations

1. 创建 Credential 请求 (获取 Human Approval)

When the agent needs human authorization for an action:

scripts/create-request.sh \
  --contact "user@example.com" \
  --type "json" \
  --name "Hotel Booking Authorization" \
  --security "CONTACT" \
  --data '[{"label":"amount","type":"number","value":450,"hidden":false}]'

Parameters:

--contact — Email 或 phone 数字的 person 谁必须 approve (必填)
--类型 — 类型的 credential: document, json, 或 consent (必填). 表单 inline 不 supported.
--name — Human-readable name 对于 approval (必填)
--security — Security level: CONTACT, ORGANIZATION_KYC, HUMANOS_KYC (默认: CONTACT)
--data — JSON 数组的 mandate fields (可选对于 json; strongly recommended 对于 consent/document)
--language — Language 对于 approval UI: ENG 或 PRT (默认: ENG)
--redirect — URL 到 redirect 用户之后 approval (可选)
--internal-id — internal reference ID (可选)

什么 happens:

API creates 请求和 sends OTP code 到 contact
person opens 链接, enters code, 和 sees approval
它们 approve 或 reject 带有可选 digital signature
您接收 webhook 或 poll 对于结果

响应 includes: requestId — 保存到 check status later.

2. Check 请求 Status

scripts/get-request.sh --id "request-id-here"

Returns the full request with all credentials and their statuses (PENDING, APPROVED, REJECTED).

3. 查找 Requests 由用户

scripts/find-requests.sh --contact "user@example.com"
# or
scripts/find-requests.sh --did "did:key:z6Mk..."
# or
scripts/find-requests.sh --internal-id "order-123"

4. 获取 Credential 带有 Proofs

scripts/get-credential.sh --id "credential-id-here"

Returns the W3C Verifiable Credential with cryptographic proofs that the human authorized the action.

5. 获取 Mandate

scripts/get-mandate.sh --id "mdt_uuid-here"

Returns mandate details including scope, validity period, and constraints.

6. 获取 Mandate 作为 Verifiable Credential

scripts/get-mandate-vc.sh --id "mdt_uuid-here"

Returns the mandate in W3C Verifiable Credential format for use in Verifiable Presentations.

7. Resolve 做过

scripts/resolve-did.sh --did "did:key:z6Mk..."

Returns the DID Document with verification methods. Use this to verify signatures on credentials.

8. Look Up 用户

scripts/get-user.sh --contact "user@example.com"

Returns user details, identity information, and associated DIDs.

9. 取消请求

scripts/cancel-request.sh --id "request-id-here"

Cancels a pending request. This is irreversible.

10. Resend OTP

scripts/resend-otp.sh --id "request-id-here" --contact "user@example.com"

Resends the verification code to the user if they didn't receive it.

Decision Flow

When you need human approval, follow this flow:

创建请求 → scripts/创建-请求.sh
Wait 对于 approval → Poll 带有 scripts/获取-请求.sh 或 wait 对于 webhook
Check 结果:

- APPROVED → Proceed 带有 action. credential contains cryptographic proof. - REJECTED → 做不 proceed. Inform 用户 action 是 denied. - 待处理 → 仍然 waiting. Ask 用户如果它们 want 到 resend OTP.

Security Levels

Level	Description	Use When
`CONTACT`	OTP verification only	Low-risk actions (view data, basic approvals)
`ORGANIZATION_KYC`	Organization-level identity check	Medium-risk (sign documents, access records)
`HUMANOS_KYC`	Full KYC with identity verification	High-risk (payments, legal signatures)
`HUMANOS_REVALIDATION`	Re-verification of previously verified identity	Periodic re-checks

Credential Types

Type	Description	User Experience
`document`	PDF document for review and signature	User sees PDF, can draw signature
`form`	Dynamic form with fields	User fills form fields step by step
`json`	Structured data for review	User sees data and approves/rejects
`consent`	Consent text or URL	User reads and agrees to terms

Rate Limits

请求 creation: 60 requests per 60 seconds
Max 10 credentials per 请求
Max 100 contacts per 请求

错误 Handling

401 Unauthorized — Check VIA_API_KEY 和 signature
404 不 Found — 请求或 credential doesn't exist
429 Too Many Requests — Rate limit hit, wait 和重试
400 Bad 请求 — Check 请求 body 格式

401 无效 Signature Playbook

Follow this exact sequence before escalating:

Confirm endpoint https://api.humanos.id.
Confirm 时间戳 13-digit numeric milliseconds.
Confirm signing payload exactly:

- 时间戳 + "." + body (non-空 body), 或 - 时间戳 (空 body).

Confirm signed body bytes 相同 bytes sent 到 curl.
Confirm VIA_SIGNATURE_SECRET 和 VIA_API_KEY come 从相同 environment.
重试带有 minimal JSON payload (single credential, 否可选 fields).
如果获取 works 和 POST 仍然 fails, capture 请求 metadata 对于 backend support:

- endpoint path - 时间戳 - body length - sha256(body) - signature 格式 (hex/base64)

Escalation note for support: "GET succeeds with same key/secret, POST returns 401 Invalid signature using payload=timestamp.body."

输出格式

Always present results to the user in this format:

对于请求 creation:

Request created successfully. An approval link has been sent to [contact].
Request ID: [id]
Status: PENDING

对于 status checks:

Request [id] — Status: [APPROVED/REJECTED/PENDING]
Credential: [name] — [status]
Approved by: [contact] on [date]

对于 errors:

Failed to [action]: [error message]
Suggestion: [what to do next]

External Endpoints

Endpoint	Data Sent	Purpose
`$VIA_API_URL/v1/request`	Contacts, credential data	Create approval requests
`$VIA_API_URL/v1/request/:id`	Request ID	Check approval status
`$VIA_API_URL/v1/credential/:id`	Credential ID	Retrieve signed credentials
`$VIA_API_URL/v1/via/mandates/:id`	Mandate ID	Get mandate details
`$VIA_API_URL/v1/via/mandates?scope=&toolName=`	Scope, tool name	Query mandates for policy checks
`$VIA_API_URL/v1/via/dids/:did`	DID identifier	Resolve DID documents
`$VIA_API_URL/v1/user`	Contact/DID/internal ID	Look up users

Default base URL is https://api.humanos.id when VIA_API_URL is not set.

Security 和 Privacy

API keys 读取从 environment variables, never hardcoded
所有 requests signed 带有 HMAC-SHA256
Credentials contain W3C Verifiable Credential proofs (EdDSA)
用户 contact information (email/phone) sent 到通过 API 对于 OTP delivery
否 data stored locally 由 skill

AI agents can execute actions. Humanos lets them prove human authorization before they do.

Require a mandate signature before high-risk execution.

What It Does

Collect human approval before sensitive agent actions
Issue machine-verifiable mandate signatures
Support scoped delegation (amount, duration, action type)
Enable revocation of previously granted authority

Humanos provides the authorization proof. Your runtime decides whether to execute.

When To Use It

Use Humanos when your agent can:

Move money or sign transactions
Initiate payouts, refunds, or batch payments
Modify or delete user data
Export or share sensitive data
Change account permissions or roles
Rotate API keys or security credentials
Update billing details or subscription plans
Execute contracts or legal agreements
Accept updated terms on behalf of a user
Grant third-party access to data
Release funds from escrow
Increase transaction or withdrawal limits
File claims, applications, or regulatory forms
Approve loan or credit changes
Post or publish under a user's identity
Control IoT or physical access devices
Act on behalf of a user
Delegate authority to another agent

If the action affects money, data, identity, ownership, or legal position, require a mandate signature.

How It Works

Agent prepares a structured action
Agent calls requestMandate(action, constraints)
Human approves via SMS, email, wallet, API, or any programmable channel
Humanos returns a signed mandate signature
Agent verifies with verifyMandate(signature)
Agent decides whether to execute

No valid mandate signature -> execution should not proceed.

Core API

requestMandate(action, constraints) -> mandate_signature verifyMandate(mandate_signature) -> true / false revokeMandate(mandate_signature)

Simple. Programmable. Deterministic.

VIA Humanos - Operational Instructions for Agents

Use this skill whenever the agent is about to do something that requires a human to say "yes" first. It sends a secure approval request to the right person - they receive a link, review the details, and approve or reject. The result comes back as a W3C Verifiable Credential with cryptographic proof that the action was authorized.

The agent should NEVER proceed with a sensitive action (payment, signing, data access, transfer) without first using this skill to get authorization.

When to use this skill

Use this skill when the user says things like:

"I need approval from [someone] before doing [something]"
"Get authorization from my manager for this payment"
"Send this contract/document to [someone] for signing"
"Check if [someone] approved the request"
"Has the mandate been approved or rejected?"
"Verify this person's identity before proceeding"
"Get consent from the user for data processing"
"Cancel the pending approval request"
"Look up user [email/phone/DID]"
"Is this mandate still valid?"

Also use this skill when the agent is about to:

Make a payment or transfer — get approval first
Sign or send a contract — collect digital signature
Access sensitive data — verify authorization exists
Execute a high-value action — check mandate constraints (amount limits, time bounds)
Start an onboarding flow — combine contract + form + consent in one request

Trigger keywords: approval, authorize, mandate, sign, consent, credential, KYC, identity verification, human approval, compliance, permission, delegation.

Prerequisites

A VIA Protocol account with an API key from app.humanos.id
Environment variables set:

- VIA_API_KEY — Bearer token for API authentication - VIA_SIGNATURE_SECRET — HMAC secret for request signing - Optional: VIA_API_URL — Override API base URL (default: https://api.humanos.id)

Windows note: this skill is currently supported on macOS/Linux shells. On Windows, use WSL or Git Bash with bash, curl, jq, and openssl installed.

Authentication

All API requests require:

Authorization: Bearer $VIA_API_KEY
X-Timestamp: 
X-Signature:

Use the signing script: scripts/sign-request.sh

Official API documentation: https://humanos.mintlify.app/essentials/introduction

Operation Index (Fast Lookup)

Use this as the primary lookup table before reading detailed sections.

Goal	Script	Method	Endpoint	Required Args
Create approval request	`scripts/create-request.sh`	`POST`	`/v1/request`	`--contact`, `--type`, `--name`
Check request status	`scripts/get-request.sh`	`GET`	`/v1/request/:id`	`--id`
Find requests	`scripts/find-requests.sh`	`GET`	`/v1/request?contact`	did	internalId	one of `--contact`, `--did`, `--internal-id`
Get credential proof	`scripts/get-credential.sh`	`GET`	`/v1/credential/:id`	`--id`
Get mandate	`scripts/get-mandate.sh`	`GET`	`/v1/via/mandates/:id`	`--id`
Get mandate VC	`scripts/get-mandate-vc.sh`	`GET`	`/v1/via/mandates/:id/vc`	`--id`
Resolve DID	`scripts/resolve-did.sh`	`GET`	`/v1/via/dids/:did`	`--did`
Look up user	`scripts/get-user.sh`	`GET`	`/v1/user?contact`	did	internalId	one of `--contact`, `--did`, `--internal-id`
Cancel request	`scripts/cancel-request.sh`	`DELETE`	`/v1/request/:id`	`--id`
Resend OTP	`scripts/resend-otp.sh`	`PATCH`	`/v1/request/resend/:id`	`--id` (and optional `--contact`)

Create Request Rules (Critical)

Follow these rules to avoid generic 400 Failed to generate credentials request responses.

Use --type as: document, consent, or json (lowercase input; script converts internally).
form is not supported as inline credential in this script. Use resource IDs for forms.
--data should be JSON array of fields. A single object is also accepted and auto-wrapped.
Every field should follow:

- label (string) - type (string, number, boolean, date, url, pdf, object, array) - value (matches type) - hidden (boolean; defaults to false)

Type-specific mandatory fields:

- consent: must include {"label":"text","type":"string","value":"...","hidden":false} - document: must include {"label":"pdf","type":"pdf","value":"","hidden":false}

Valid examples (copy/paste)

Consent (recommended for simple approvals):

scripts/create-request.sh \
  --contact "+351919307983" \
  --type "consent" \
  --name "Football approval" \
  --data '[{"label":"text","type":"string","value":"I approve football tomorrow.","hidden":false}]'

JSON mandate:

scripts/create-request.sh \
  --contact "user@example.com" \
  --type "json" \
  --name "Hotel Booking Authorization" \
  --data '[
    {"label":"amount","type":"number","value":450,"hidden":false},
    {"label":"currency","type":"string","value":"EUR","hidden":false}
  ]'

Document signature:

scripts/create-request.sh \
  --contact "user@example.com" \
  --type "document" \
  --name "NDA Signature" \
  --data '[{"label":"pdf","type":"pdf","value":"","hidden":false}]'

Signing Algorithm (Exact Bytes, Critical)

All 401 Invalid signature incidents should be debugged against this section.

Build the request body once.
Keep the body as a compact JSON string.
Generate timestamp in unix milliseconds (13 digits).
Compute payload as:

- timestamp + "." + body when body is not empty - timestamp when body is empty

Compute signature = HMAC_SHA256_HEX(payload, VIA_SIGNATURE_SECRET).
Send exactly the same body bytes in the HTTP request.

Deterministic checklist

Use jq -c or jq -n to build compact JSON.
Use printf, not echo, when signing (avoid accidental newline).
Do not reformat body after signature generation.
Sign and send immediately (avoid stale timestamps).
Keep UTF-8 text unchanged (accents and symbols must match).

Common failure modes

Timestamp includes non-digits (for example, %3N incompatibility on macOS).
Body was pretty-printed for signing but compacted for sending (or vice versa).
Body key order/escaping changed between signature and request.
Wrong base URL or environment points to different backend.
Secret/token mismatch between environments.

Core Operations

1. Create a Credential Request (Get Human Approval)

When the agent needs human authorization for an action:

scripts/create-request.sh \
  --contact "user@example.com" \
  --type "json" \
  --name "Hotel Booking Authorization" \
  --security "CONTACT" \
  --data '[{"label":"amount","type":"number","value":450,"hidden":false}]'

Parameters:

--contact — Email or phone number of the person who must approve (required)
--type — Type of credential: document, json, or consent (required). form inline is not supported.
--name — Human-readable name for the approval (required)
--security — Security level: CONTACT, ORGANIZATION_KYC, HUMANOS_KYC (default: CONTACT)
--data — JSON array of mandate fields (optional for json; strongly recommended for consent/document)
--language — Language for the approval UI: ENG or PRT (default: ENG)
--redirect — URL to redirect user after approval (optional)
--internal-id — Your internal reference ID (optional)

What happens:

The API creates the request and sends an OTP code to the contact
The person opens the link, enters the code, and sees the approval
They approve or reject with optional digital signature
You receive a webhook or poll for the result

Response includes: requestId — save this to check status later.

2. Check Request Status

scripts/get-request.sh --id "request-id-here"

Returns the full request with all credentials and their statuses (PENDING, APPROVED, REJECTED).

3. Find Requests by User

scripts/find-requests.sh --contact "user@example.com"
# or
scripts/find-requests.sh --did "did:key:z6Mk..."
# or
scripts/find-requests.sh --internal-id "order-123"

4. Get a Credential with Proofs

scripts/get-credential.sh --id "credential-id-here"

Returns the W3C Verifiable Credential with cryptographic proofs that the human authorized the action.

5. Get a Mandate

scripts/get-mandate.sh --id "mdt_uuid-here"

Returns mandate details including scope, validity period, and constraints.

6. Get Mandate as Verifiable Credential

scripts/get-mandate-vc.sh --id "mdt_uuid-here"

Returns the mandate in W3C Verifiable Credential format for use in Verifiable Presentations.

7. Resolve a DID

scripts/resolve-did.sh --did "did:key:z6Mk..."

Returns the DID Document with verification methods. Use this to verify signatures on credentials.

8. Look Up a User

scripts/get-user.sh --contact "user@example.com"

Returns user details, identity information, and associated DIDs.

9. Cancel a Request

scripts/cancel-request.sh --id "request-id-here"

Cancels a pending request. This is irreversible.

10. Resend OTP

scripts/resend-otp.sh --id "request-id-here" --contact "user@example.com"

Resends the verification code to the user if they didn't receive it.

Decision Flow

When you need human approval, follow this flow:

Create request → scripts/create-request.sh
Wait for approval → Poll with scripts/get-request.sh or wait for webhook
Check result:

- APPROVED → Proceed with the action. The credential contains cryptographic proof. - REJECTED → Do NOT proceed. Inform the user the action was denied. - PENDING → Still waiting. Ask the user if they want to resend the OTP.

Security Levels

Level	Description	Use When
`CONTACT`	OTP verification only	Low-risk actions (view data, basic approvals)
`ORGANIZATION_KYC`	Organization-level identity check	Medium-risk (sign documents, access records)
`HUMANOS_KYC`	Full KYC with identity verification	High-risk (payments, legal signatures)
`HUMANOS_REVALIDATION`	Re-verification of previously verified identity	Periodic re-checks

Credential Types

Type	Description	User Experience
`document`	PDF document for review and signature	User sees PDF, can draw signature
`form`	Dynamic form with fields	User fills form fields step by step
`json`	Structured data for review	User sees data and approves/rejects
`consent`	Consent text or URL	User reads and agrees to terms

Rate Limits

Request creation: 60 requests per 60 seconds
Max 10 credentials per request
Max 100 contacts per request

Error Handling

401 Unauthorized — Check VIA_API_KEY and signature
404 Not Found — Request or credential doesn't exist
429 Too Many Requests — Rate limit hit, wait and retry
400 Bad Request — Check request body format

401 Invalid Signature Playbook

Follow this exact sequence before escalating:

Confirm endpoint is https://api.humanos.id.
Confirm timestamp is 13-digit numeric milliseconds.
Confirm signing payload is exactly:

- timestamp + "." + body (non-empty body), or - timestamp (empty body).

Confirm signed body bytes are the same bytes sent to curl.
Confirm VIA_SIGNATURE_SECRET and VIA_API_KEY come from the same environment.
Retry with a minimal JSON payload (single credential, no optional fields).
If GET works and POST still fails, capture request metadata for backend support:

- endpoint path - timestamp - body length - sha256(body) - signature format (hex/base64)

Escalation note for support: "GET succeeds with same key/secret, POST returns 401 Invalid signature using payload=timestamp.body."

Output Format

Always present results to the user in this format:

For request creation:

Request created successfully. An approval link has been sent to [contact].
Request ID: [id]
Status: PENDING

For status checks:

Request [id] — Status: [APPROVED/REJECTED/PENDING]
Credential: [name] — [status]
Approved by: [contact] on [date]

For errors:

Failed to [action]: [error message]
Suggestion: [what to do next]

External Endpoints

Endpoint	Data Sent	Purpose
`$VIA_API_URL/v1/request`	Contacts, credential data	Create approval requests
`$VIA_API_URL/v1/request/:id`	Request ID	Check approval status
`$VIA_API_URL/v1/credential/:id`	Credential ID	Retrieve signed credentials
`$VIA_API_URL/v1/via/mandates/:id`	Mandate ID	Get mandate details
`$VIA_API_URL/v1/via/mandates?scope=&toolName=`	Scope, tool name	Query mandates for policy checks
`$VIA_API_URL/v1/via/dids/:did`	DID identifier	Resolve DID documents
`$VIA_API_URL/v1/user`	Contact/DID/internal ID	Look up users

Default base URL is https://api.humanos.id when VIA_API_URL is not set.

Security and Privacy

API keys are read from environment variables, never hardcoded
All requests are signed with HMAC-SHA256
Credentials contain W3C Verifiable Credential proofs (EdDSA)
User contact information (email/phone) is sent to the VIA API for OTP delivery
No data is stored locally by this skill

数据来源：ClawHub ↗ · 中文优化：龙虾技能库

OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险，如需更匹配、更安全的方案，建议联系付费定制

了解定制服务

License

运行时依赖

版本

安装命令 点击复制

技能文档

什么 做

当...时 到 使用

如何 Works

Core API

通过 Humanos - Operational Instructions 对于 Agents

当...时 到 使用 skill

Prerequisites

Authentication

Operation 索引 (Fast Lookup)

创建 请求 Rules (Critical)

有效 examples (复制/paste)

Signing Algorithm (Exact Bytes, Critical)

Deterministic checklist

Common failure modes

Core Operations

1. 创建 Credential 请求 (获取 Human Approval)

2. Check 请求 Status

3. 查找 Requests 由 用户

4. 获取 Credential 带有 Proofs

5. 获取 Mandate

6. 获取 Mandate 作为 Verifiable Credential

7. Resolve 做过

8. Look Up 用户

9. 取消 请求

10. Resend OTP

Decision Flow

Security Levels

Credential Types

Rate Limits

错误 Handling

401 无效 Signature Playbook

输出 格式

External Endpoints

Security 和 Privacy

What It Does

When To Use It

How It Works

Core API

VIA Humanos - Operational Instructions for Agents

When to use this skill

Prerequisites

Authentication

Operation Index (Fast Lookup)

Create Request Rules (Critical)

Valid examples (copy/paste)

Signing Algorithm (Exact Bytes, Critical)

Deterministic checklist

Common failure modes

Core Operations

1. Create a Credential Request (Get Human Approval)

2. Check Request Status

3. Find Requests by User

4. Get a Credential with Proofs

5. Get a Mandate

6. Get Mandate as Verifiable Credential

7. Resolve a DID

8. Look Up a User

9. Cancel a Request

10. Resend OTP

Decision Flow

Security Levels

Credential Types

Rate Limits

Error Handling

401 Invalid Signature Playbook

Output Format

External Endpoints

Security and Privacy

安装命令点击复制

什么做

当...时到使用

当...时到使用 skill

创建请求 Rules (Critical)

3. 查找 Requests 由用户

9. 取消请求

输出格式