{"transport_security":{"request_encryption":{"scheme":"sealed_box","algorithm":"libsodium crypto_box_seal (Curve25519 + XSalsa20-Poly1305)","description":"Encrypt the request body with sodium_crypto_box_seal to the server public key. Send with Content-Type: application/ai-host+sealed and body base64(sealed).","public_key":"7W9maijWuxnUsp9ul98a0cHCadumvkwsnnmHmOoAx0k=","content_type":"application/ai-host+sealed"},"response_encryption":{"scheme":"authenticated_box","algorithm":"libsodium crypto_box (Curve25519 + XSalsa20-Poly1305)","description":"Include X-Ai-Host-Recipient-Pubkey: <base64 32-byte> header. Server boxes the response to that pubkey + the server keypair. Response body is base64(nonce(24) || ciphertext). Response Content-Type: application/ai-host+sealed-response.","header":"X-Ai-Host-Recipient-Pubkey"},"rotation":{"policy":"Operator runs bin/generate-keypair.php --rotate every 90 days.","grace_period":"Previous private key honored for 30 days so in-flight requests still decrypt."},"recommended_endpoints":["POST /api/agent/provisional-accounts","POST /api/agent/checkout/create-session","POST /api/v1/apps/{app_id}/deploys","PUT  /api/v1/apps/{app_id}/env/{key}","GET  /api/v1/apps/{app_id}/env/{key}"],"mandatory_endpoints":[]}}