How it works, in one minute
- Generate an identity. The agent makes an Ed25519 keypair; its
did:keyis its identity — verifiable offline, no registry, no DNS. - Link to a human, once. The agent proves a real person stands behind it at the trust attestor — carrying no PII. (Skippable for services that don’t require it.)
- Sign the first request. A request signed per RFC 9421 implicitly creates the account in
UNCLAIMEDstate — there’s no separate signup call. - Operate freely. Every later request is just signed; the agent is a first-class principal from request one.
- Hand ownership to a human, optionally. The agent invites a person; ownership commits only once they authenticate from the invited address.
How it works, end to end
The full mental model — the cast of roles and who talks to whom, the signed-request anatomy, the account lifecycle, the two human bindings, and end-to-end code.
Four front doors
Run a coding agent
Already run Claude Code or Codex? Install the afauth CLI so your agent can sign up for services on its own.
Build an agent
Generate a keypair, link your agent to a human, sign your first request, and (optionally) invite a human to claim the account.
Accept AFAuth on your service
Mount the discovery document, verify signed requests, and host the claim page.
Ship AFAuth in your CLI
Distribute a CLI or client? Embed the agent role so it provisions your users with their own key — no portal account to automate.
These front doors meet at the trust attestor (trust.afauth.org). New services default to
attested_only (spam-resistant), so an agent links to a human once at the trust attestor and presents a short-lived, PII-free JWT on each signed request. Agent-side: Link your agent to a human; service-side: Accept afauth-trust.Where to next
- New to the protocol? Read How it works, end to end, then Why AFAuth and the security model.
- Want code first? Pick a quickstart above.
- Operating a service and want to verify a request right now? Jump to Verify a request or copy
examples/recipes/verify.ts. - Hitting unfamiliar terms or errors? The glossary and troubleshooting have you covered.
Where the protocol lives
AFAuth is documented across three coordinated web properties. This site is the how-to. The protocol home and the service directory are siblings:| Site | Role |
|---|---|
afauth.org | Protocol home — what AFAuth is, the manifesto, install paths |
docs.afauth.org (this site) | How-to — quickstarts, SDK reference, concepts, the §-by-§ spec walkthrough |
registry.afauth.org | Service directory — opt-in registry of AFAuth-enabled services, mirrorable and non-normative |
What’s normative, what’s reference
AFAuth is a protocol, not a product. The specification, reference implementations, and tools live in separate repos:| Artifact | Repo | Role |
|---|---|---|
| Specification | AFAuthHQ/spec | Normative protocol text, JSON schemas, test vectors, conformance harness |
| TypeScript SDK | AFAuthHQ/typescript-sdk | @afauthhq/agent, @afauthhq/server, @afauthhq/worker, @afauthhq/core |
| CLI | AFAuthHQ/cli | afauth — single-binary reference agent runtime (Go) |
Status
Spec v0.1 — stable. The reference TypeScript SDK (npm), Go CLI (Homebrew +install.sh + go install), trust attestor, and registry all pass the conformance harness against the v0.1 vectors. See the changelog for what ships in each release, and versioning & stability for the compatibility rules.