Auth: Authorization: Bearer <API_KEY>
POST /v1/pbi/challenge
POST /v1/pbi/verify
GET /v1/billing/usage
GET /v1/billing/invoices
What this proves
Not “who” (no accounts).
A binding receipt that:
• a user was present (UP+UV, the WebAuthn user-presence and user-verification flags)
• for this exact challenge
• within expiry
• non-replayable
• auditable (receipt hash)
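
A server-side sketch of the checks behind the properties listed above, added here as an illustration and not taken from the service's own code. The store, TTL, status strings and receipt fields are assumptions, and verification of the WebAuthn assertion signature against the credential public key is assumed to have been done by a WebAuthn library before this runs.

```python
import base64, hashlib, json, secrets, time

UP, UV = 0x01, 0x04   # WebAuthn authenticator-data flag bits
TTL = 120             # assumed challenge lifetime, seconds

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class ChallengeStore:
    """Hypothetical server-side store: challenge -> expiry time."""
    def __init__(self):
        self.pending = {}

    def issue(self, now):
        challenge = b64u(secrets.token_bytes(32))
        self.pending[challenge] = now + TTL
        return challenge

    def consume(self, challenge, now):
        # pop() makes the challenge single-use, even when the attempt fails
        expiry = self.pending.pop(challenge, None)
        if expiry is None:
            return "unknown_or_replayed"
        return "ok" if now <= expiry else "expired"

def verify_presence(store, client_data_json, auth_data, now=None):
    """Return (status, receipt_hash); signature check is assumed done already."""
    now = time.time() if now is None else now
    client = json.loads(client_data_json)
    challenge = client.get("challenge") if isinstance(client, dict) else None
    if not isinstance(challenge, str) or client.get("type") != "webauthn.get":
        return "bad_client_data", None
    status = store.consume(challenge, now)
    if status != "ok":
        return status, None
    # authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4)
    if len(auth_data) < 37 or (auth_data[32] & (UP | UV)) != (UP | UV):
        return "presence_not_verified", None
    # Receipt fields are assumed; the hash covers a canonical JSON encoding
    receipt = {"challenge": challenge, "flags": auth_data[32], "verified_at": int(now)}
    canonical = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return "ok", hashlib.sha256(canonical).hexdigest()

def sample_assertion(challenge, flags=UP | UV):
    """Constructed sample input, not a captured authenticator response."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge})
    return client.encode(), bytes(32) + bytes([flags]) + bytes(4)
```

Because the challenge is consumed before the flags are checked, a failed attempt also burns it, so the client has to request a fresh challenge to retry.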