> ## Documentation Index
> Fetch the complete documentation index at: https://docs.afauth.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Introduction

> AFAuth is the open protocol that lets AI agents sign up to services on their own behalf, with their own cryptographic identity, and hand ownership to a human later.

Existing auth assumes a human is the root of trust. Agents reach services either by impersonating one (browser automation against signup forms) or by being delegated scope from a pre-existing human account (OAuth). Both break down as agents become the primary actor.

AFAuth takes the opposite stance. An **agent signs up on its own behalf**, identified by a cryptographic keypair it controls. If a human ever wants ownership, the agent invites them; the binding only takes effect once the human authenticates from the invited address. The agent continues to operate the account afterwards — but ownership-changing operations become privileged to the human.

## How it works, in one minute

1. **Generate an identity.** The agent makes an Ed25519 keypair; its `did:key` *is* its identity — verifiable offline, no registry, no DNS.
2. **Link to a human, once.** The agent proves a real person stands behind it at the [trust attestor](https://trust.afauth.org) — carrying no PII. (Skippable for services that don't require it.)
3. **Sign the first request.** A request signed per [RFC 9421](https://www.rfc-editor.org/rfc/rfc9421) *implicitly* creates the account in `UNCLAIMED` state — there's no separate signup call.
4. **Operate freely.** Every later request is just signed; the agent is a first-class principal from request one.
5. **Hand ownership to a human, optionally.** The agent invites a person; ownership commits only once they authenticate from the invited address.

<Card title="How it works, end to end" icon="map" href="/how-it-works" horizontal>
  The full mental model — the cast of roles and who talks to whom, the signed-request anatomy, the account lifecycle, the two human bindings, and end-to-end code.
</Card>

## Four front doors

<CardGroup cols={2}>
  <Card title="Run a coding agent" icon="terminal" href="/equip-your-agent">
    Already run Claude Code or Codex? Install the afauth CLI so your agent can sign up for services on its own.
  </Card>

  <Card title="Build an agent" icon="robot" href="/quickstart-agent">
    Generate a keypair, link your agent to a human, sign your first request, and (optionally) invite a human to claim the account.
  </Card>

  <Card title="Accept AFAuth on your service" icon="server" href="/quickstart-service">
    Mount the discovery document, verify signed requests, and host the claim page.
  </Card>

  <Card title="Ship AFAuth in your CLI" icon="ship" href="/ship-afauth-in-your-cli">
    Distribute a CLI or client? Embed the agent role so it provisions your users with their own key — no portal account to automate.
  </Card>
</CardGroup>

<Note>
  These front doors meet at the **trust attestor** ([trust.afauth.org](https://trust.afauth.org)). New services default to `attested_only` (spam-resistant), so an agent links to a human once at the trust attestor and presents a short-lived, PII-free JWT on each signed request. Agent-side: [Link your agent to a human](/guides/link-to-a-human); service-side: [Accept `afauth-trust`](/guides/accept-afauth-trust).
</Note>

## Where to next

* New to the protocol? Read [How it works, end to end](/how-it-works), then [Why AFAuth](/why-afauth) and the [security model](/concepts/security-model).
* Want code first? Pick a quickstart above.
* Operating a service and want to verify a request right now? Jump to [Verify a request](/guides/verify-a-request) or copy [`examples/recipes/verify.ts`](https://github.com/AFAuthHQ/typescript-sdk/blob/main/examples/recipes/verify.ts).
* Hitting unfamiliar terms or errors? The [glossary](/concepts/glossary) and [troubleshooting](/guides/troubleshooting) have you covered.

***

## Where the protocol lives

AFAuth is documented across three coordinated web properties. This site is the **how-to**. The protocol home and the service directory are siblings:

| Site                                                     | Role                                                                                         |
| -------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
| [`afauth.org`](https://afauth.org)                       | Protocol home — what AFAuth is, the manifesto, install paths                                 |
| [`docs.afauth.org`](https://docs.afauth.org) (this site) | How-to — quickstarts, SDK reference, concepts, the §-by-§ spec walkthrough                   |
| [`registry.afauth.org`](https://registry.afauth.org)     | Service directory — opt-in registry of AFAuth-enabled services, mirrorable and non-normative |

## What's normative, what's reference

AFAuth is a **protocol**, not a product. The specification, reference implementations, and tools live in separate repos:

| Artifact       | Repo                                                                    | Role                                                                        |
| -------------- | ----------------------------------------------------------------------- | --------------------------------------------------------------------------- |
| Specification  | [`AFAuthHQ/spec`](https://github.com/AFAuthHQ/spec)                     | Normative protocol text, JSON schemas, test vectors, conformance harness    |
| TypeScript SDK | [`AFAuthHQ/typescript-sdk`](https://github.com/AFAuthHQ/typescript-sdk) | `@afauthhq/agent`, `@afauthhq/server`, `@afauthhq/worker`, `@afauthhq/core` |
| CLI            | [`AFAuthHQ/cli`](https://github.com/AFAuthHQ/cli)                       | `afauth` — single-binary reference agent runtime (Go)                       |

Alternative implementations are welcome. The protocol is small and language-agnostic.

## Status

**Spec v0.1 — stable.** The reference [TypeScript SDK](https://www.npmjs.com/org/afauthhq) (npm), [Go CLI](https://github.com/AFAuthHQ/cli/releases) (Homebrew + `install.sh` + `go install`), trust attestor, and registry all pass the conformance harness against the v0.1 vectors. See the [changelog](/changelog/overview) for what ships in each release, and [versioning & stability](/changelog/versioning) for the compatibility rules.
