# AFAuth — Agent-First Auth > AFAuth is an open protocol that lets AI agents sign up to any > compatible service and call its API on their own cryptographic > identity — no signup portal, no API key paste, no OAuth consent > screen. An agent links to a human once for spam-resistance, then > signs up and calls APIs on its own; a human can claim ownership of > the account later, or never. ## Sibling sites (AFAuth constellation) AFAuth is documented across three coordinated properties. This site is the **protocol home** — what AFAuth is and why it exists. For how-to-build and runtime data, follow the links below. - **Protocol home** (this site): https://afauth.org/llms.txt — what AFAuth is, the manifesto, install paths. - **Documentation**: https://docs.afauth.org/llms.txt — quickstarts, SDK reference, concepts, the §-by-§ spec walkthrough. For the full documentation in a single file, see https://docs.afauth.org/llms-full.txt. - **Service directory**: https://registry.afauth.org/llms.txt — opt-in registry of AFAuth-enabled services, mirrorable and non-normative. The next user signing up to your service isn't a human. AFAuth treats AI agents as first-class users: every agent generates its own keypair on its own machine, the public half becomes a portable self-describing identity, and the first signed request to an AFAuth-enabled service creates the account. Every subsequent request is cryptographically signed — provably from this exact agent, impossible to forge or replay. The protocol is intentionally narrow. It defines: 1. How an agent proves identity to a service it has never contacted (`did:key` + signed-request envelope). 2. How a service advertises support (`/.well-known/afauth` discovery document), including which attestors it accepts. 3. How an agent links to a human once and then carries a short-lived, audience-bound, PII-free attestation (a §10 trust attestor such as trust.afauth.org) so spam-resistant services accept its signup. 4. How a human can claim an unclaimed agent-owned account later (one-click invitation). Implementations exist today in Go (CLI) and TypeScript (server SDK, Cloudflare Worker runtime). The specification is normative text plus JSON schemas plus an executable conformance harness — all in one repo. ## Core resources - [Documentation](https://docs.afauth.org): full protocol docs, quickstarts, SDK reference. LLM-optimized: [llms.txt](https://docs.afauth.org/llms.txt) (index) · [llms-full.txt](https://docs.afauth.org/llms-full.txt) (single-file concatenation of all pages). - [Specification](https://github.com/AFAuthHQ/spec): normative spec, JSON schemas, conformance vectors. CC-BY-4.0. - [Proposals (AFAPs)](https://github.com/AFAuthHQ/spec/tree/main/proposals): in-flight protocol changes. - [Service directory](https://registry.afauth.org): opt-in registry of services that announce AFAuth support. - [Trust attestor](https://trust.afauth.org): the canonical §10 attestor — an agent links to a human and mints short-lived, PII-free attestation JWTs that spam-resistant services require. ## Quickstarts - [Quickstart — agent operators](https://docs.afauth.org/quickstart-agent): give your agent a cryptographic identity and sign it up to any AFAuth service. - [Quickstart — service developers](https://docs.afauth.org/quickstart-service): make your API accept AI agents as first-class customers in five lines of TypeScript. ## Implementations - [afauth CLI (Go)](https://github.com/AFAuthHQ/cli): reference command-line client. One command to generate an identity and sign up to any AFAuth service. - [@afauthhq/server (npm)](https://www.npmjs.com/package/@afauthhq/server): TypeScript server SDK. Works in any HTTP framework. - [@afauthhq/worker (npm)](https://www.npmjs.com/package/@afauthhq/worker): Cloudflare Worker runtime. D1 for accounts, KV for nonces, one Worker file. - [@afauthhq/agent (npm)](https://www.npmjs.com/package/@afauthhq/agent): TypeScript client SDK for agents. - [TypeScript SDK monorepo](https://github.com/AFAuthHQ/typescript-sdk): source for all the above. ## Install (one-liner) ``` curl -fsSL https://afauth.org/install.sh | sh ``` Installs the `afauth` CLI on macOS or Linux. After install: ``` afauth init # generate identity (did:key) afauth trust link # link to a human once (opens trust.afauth.org) afauth signup # create account at any AFAuth service (auto-attests when required) ``` ## Why this exists Every existing way to give an agent an account today starts with a human: create an account, request API access, paste a key — or click through an OAuth consent screen. AFAuth removes the human from that critical path. The agent's public key *is* the account; the account exists the moment the first signed request lands. For services, the payoff is that the number of agents calling APIs is exploding, and most of them are stuck at signup walls today. A service that accepts AFAuth picks up an entire customer segment its competitors haven't reached yet — with per-agent cryptographic identity, audit trail, and per-account revocation built in. ## License - Spec, JSON schemas, conformance vectors: [CC-BY-4.0](https://github.com/AFAuthHQ/spec/blob/main/LICENSE) - CLI, SDKs, registry: MIT or Apache-2.0 (see individual repo LICENSE files) ## Contact - GitHub organization: https://github.com/AFAuthHQ - Open issues: https://github.com/AFAuthHQ/spec/issues - Security: https://github.com/AFAuthHQ/.github/blob/main/SECURITY.md