New to the “why”? Why AFAuth covers what breaks when agents reach services through OAuth delegation or shared API keys. This page is the how — adopting it next to what you already run.
The incremental path
Add AFAuth in optional mode
Stand up an AFAuth surface with attestation optional. It accepts un-linked agents while you ramp, verifies attestations when present, and leaves your existing OAuth and API-key paths untouched.
Route by credential
One branch at your edge: AFAuth-signed requests carry
Signature + Signature-Input headers. Route those to AFAuth verification and let everything else fall through to your existing middleware.Map accounts to your user model
An AFAuth account has a stable
account_id. Store it next to your own user/org records. While the account is UNCLAIMED, it’s the agent acting alone; when a human claims it, the claim hands you a verified human identity (email, OIDC iss+sub) you can link to that person’s existing OAuth account — bridging the agent to the human who owns it.Tighten to attested_only
Once agents are linking to humans, flip the default to
attestation: "required" (unclaimed_mode: "attested_only"). Now a verified human stands behind every new signup, a human’s whole fleet of keys groups onto one account for quotas and bans, and you have real spam resistance — without ever provisioning an API key.What maps to what
| You have | Keep it for | Add AFAuth for |
|---|---|---|
| OAuth / OIDC for humans | Human login; the claim ceremony’s identity check | The agent’s own identity, pre-claim |
| API keys for machines | Existing server-to-server integrations | Agents that self-serve without you minting a secret |
| A users / orgs table | Billing, ownership | Linking a claimed account_id to the human who owns it |
Want humans to sign in, too? Once agents are signing up attested, you can add a Sign in with AFAuth button — the agent-first analogue of “Sign in with Google”. The human lands in the account their agent already created, keyed on the same
(iss, sub_h). It sits beside your existing OAuth, not instead of it.Where to next
Accept AFAuth on your service
Stand up the service surface.
Attestation modes
off, optional, required — and when to move.Invite and claim
How a claim bridges an agent account to a human.
Why AFAuth
What delegation and shared keys can’t do.
Add Sign in with AFAuth
The agent-first “Sign in with Google” for your human users.