Every agent gets a persistent DID, sponsors grant scoped delegation chains, and paid actions require independent payment authorization. One integration gives your site verifiable agent login with full audit trail.
Google Sign-In is for humans. Agent Auth is for AI agents.
Google Sign-In
OAuth 2.0
Verify Identity
Google verifies
Site Recognizes User
authorized
Google Sign-In
OAuth 2.0
Verify Identity
Google verifies
Site Recognizes User
authorized
Request Passport
Agent Auth
Issue DID
Agent Auth
Site Recognizes Agent
authorized
Request Passport
Agent Auth
Issue DID
Agent Auth
Site Recognizes Agent
authorized
One integration. Your APIs now recognize both humans and AI agents.
The pattern is the same. Identity gets verified first, then your site decides what that identity can do.
For Humans
A person signs in, Google returns proof of identity, and the site uses that context to make access decisions.
User clicks "Sign in with Google".
Google verifies identity and returns a token.
Website gets the token. Now it knows:
Website decides what they can access.
For AI Agents
An agent authenticates through Agent Auth, receives a DID credential with delegation chain and payment authorization context.
Agent authenticates via Agent Auth (OAuth-like flow or headless API).
Agent Auth verifies DID identity and returns a signed credential with delegation context.
Your site gets the credential. Now it knows:
Your site decides what the agent can access — with full audit trail.
Same integration shape. Different identity primitive.
OAuth
Integration
Integrate like Google Sign-In. Authorization code flow with PKCE, hosted consent page, standard token exchange. Three steps to add agent login.
Chain
Delegation
Sponsors grant scoped authority to agents. Agents sub-delegate within depth limits. Every link is signed, verifiable, revocable.
Pay
Authorization
Paid actions require independent approval. Payment authorization is a separate credential — login, delegation, and spend are never conflated.
Audit
Trail
Reconstruct any incident from identity to execution. Append-only events link agent, sponsor, delegation, payment, receipt, and trace.
Five steps from unregistered to delegated and integrated.
The agent registers a DID identity with its name, model, provider, and purpose. The server generates an Ed25519 keypair and returns a DID and credential.
// POST /v1/identities
{
"agent_name": "Claude",
"agent_model": "claude-opus-4-6",
"agent_provider": "Anthropic",
"agent_purpose": "Research assistant"
}
// Response:
{
"did": "did:key:z6Mk...",
"credential": "eyJhbGciOiJFZERTQSIs...",
"key_fingerprint": "SHA256:a1b2c3d4...",
"key_origin": "server_generated",
"private_key_jwk": { "kty": "OKP", "crv": "Ed25519", ... }
}Create a DID identity below, then use the SDK to authenticate, receive delegation grants, and integrate with your website via OAuth.
Test the registration flow manually. Registration issues a credential with the default 24-hour lifetime. Website developers control credential lifetime when requesting authentication challenges.
A complete agent authentication platform — from DID registration through delegation chains to payment authorization and execution receipts.
did:key with Ed25519
Every agent gets a globally unique Decentralized Identifier derived from its Ed25519 public key. One DID works across every site that trusts Agent Auth — portable, verifiable, revocable.
Sponsor → Agent → Sub-agent
Sponsors authorize agents with scoped grants. Agents can sub-delegate within depth limits. Every edge in the chain is signed, verifiable, and independently revocable.
Authorize → Code → Token
Websites integrate Agent Auth the way they integrate Google Sign-In. PKCE-protected authorization code flow, hosted consent page, and standard token exchange.
Independent approval gate
Paid agent actions require a separate payment authorization credential. Approval is independent from the agent requesting it. Supports Stripe, USDC on Base, and payment links via Anyway.
Signed proof of work
Every completed task produces a signed receipt linking agent, session, delegation, payment, and trace. Receipts enable reconciliation between authorization and execution.
Append-only event stream
Every identity, delegation, authorization, payment, and execution event is recorded with request IDs, actor subjects, and payload hashes. Reconstruct any incident in minutes.
Zero browser, zero secrets
Agents authenticate entirely via API — register, challenge, sign, verify. No passwords, no shared secrets. Purpose-built for CI agents, tool-use agents, and autonomous systems.
Node.js & Python
npm install auth-agents or pip install auth-agents. Key generation, challenge signing, credential verification, and delegation management in a single package.
Agent Auth is an identity, delegation, and payment authorization system for AI agents. It provides DID-based authentication, sponsor-controlled delegation chains, independent payment approval, and execution receipts with full audit trail. Integrate it the way you would Google Sign-In.
Register a developer app to get a client_id. Add a sign-in link to the hosted authorization page with your client_id and redirect_uri. When an agent completes the OAuth-like flow, your backend exchanges the authorization code for a session token and verifiable credential via the /oauth/token endpoint.
A sponsor (human or organization) creates a delegation grant for an agent, specifying scopes, site access, depth limits, and expiration. That agent can sub-delegate to child agents within its remaining depth. Every edge in the chain is signed as a Verifiable Credential and independently revocable.
Paid agent actions require a separate payment authorization credential. The requesting agent and the approval actor must be different entities. Agent Auth manages the approval state machine and delegates payment execution to the Anyway payment adapter (Stripe, USDC on Base, payment links).
After a paid task completes, the agent or website submits an execution receipt linking the agent session, delegation, payment authorization, trace, and input/output hashes. Receipts are signed as Verifiable Credentials and enable reconciliation between authorization and execution.
No. Agents authenticate by signing a one-time nonce with their Ed25519 private key. No passwords, no API keys, no shared secrets. The headless flow works entirely via API for CI agents, tool-use agents, and autonomous systems.
Official SDKs for Node.js (npm install auth-agents) and Python (pip install auth-agents). Both support key generation, challenge signing, credential verification, and delegation management.