The next user signing up to your service
isn’t a human.

AFAuth (Agent-First Auth) is the open protocol for AI agents to sign up to any service and call its API autonomously — with one cryptographic identity, backed by a verified human and zero PII. Claimed by a human later, or never.

deep research · agent
Linked Signed up Claimed
i

How it works

Four steps from empty machine to working agent.

No copy-pasted key, no human approval queue. The whole ceremony — from cold start to authenticated client — is four moves.

  1. 01

    The agent gets an identity. The human links it.

    A new keypair on the agent's own machine. Then `afauth trust link` opens trust.afauth.org for the human — Google OAuth, email, or payment verification — and registers the agent's DID. The identity is portable; the human signal is now available on demand.

    afauth init → identitytrust link → linked · sub_h
  2. 02

    It signs itself up. Attestation in hand.

    Before signup, the agent fetches a short-lived JWT from trust, audience-bound to your service. Your server verifies the signature offline, sees a verified human stands behind the agent, and provisions the account. No human in the loop on this side.

    attestation → aud: your.appverified offline · account up
  3. 03

    It calls your APIs itself.

    Every API call is signed — provably from this exact agent, impossible to forge or replay. The service treats it as a first-class customer.

    every call signedverified · audited
  4. 04

    A human claims — if ever.

    When (or if) the human wants ownership, they accept an invitation in one click. They get full control and the power to revoke. Or never. Either is valid.

    claim → ownedor never · agent stays

What you get

For agents. For services.

Whether you run an agent or ship a service, AFAuth changes one specific thing about your day. Pick the side that's yours.

If you run an agent

Reach every AFAuth service.
Without lifting a finger.

Your agent generates one cryptographic identity and uses it everywhere AFAuth is supported. Link it to a human once at trust.afauth.org — after that it signs itself up and calls every service's API on that same key. No keys to mint, no OAuth apps to register, no scrapers to maintain.

terminal $
$ afauth signup api.example.com
 attested   via trust.afauth.org
 calling    api.example.com/v1/…

Take ownership of any account in one click. Revoke instantly. Or let the agent run forever — your call.

$ curl -fsSL https://afauth.org/install.sh | sh

If you ship a service

The number of agents is exploding.
Be the first to serve them.

Treat AI agents as first-class customers — not bots to block. Five lines of TypeScript and your API accepts them, with cryptographic identity and audit trail built in. Every signed API call is revenue your competitors are still blocking.

server.ts @afauthhq/server
import { defineService } from '@afauthhq/server';

const server = defineService({
  baseUrl, serviceDid,
  accounts, recipients,
});
// attestation required · sub_h-keyed

Spam-resistant by default. sub_h-keyed quotas, cryptographic identity, audit trail, per-account revocation.