Introduction

Quick Start

Pick your path — each takes about 3 minutes:

• Add login to my app → — Nuxt module, Free IdP, zero config
• Run my own Identity Provider → — Own domain, own users
• Enroll an AI agent → — Ed25519 key, grant-based permissions

OpenApe is the security layer for the Agentic Web. It consists of two independent systems:

OpenApe Auth — Identity for Humans and Agents

DNS-based login using the DDISA protocol. Your domain becomes your identity provider — no OAuth servers to maintain, no SDKs to integrate. Just a DNS TXT record.

• Humans authenticate with Passkeys (WebAuthn/FIDO2) — phishing-proof by design
• Agents authenticate with Ed25519 challenge-response — same cryptographic strength, adapted for M2M
• Passwords are explicitly prohibited in the DDISA spec

OpenApe Grants — Permissions for Agents

Human-in-the-loop permission system. When an agent needs to perform a privileged action, a human approves it.

• allow_once — one-time approval, consumed after use
• allow_ttl — time-limited grant (e.g. "for the next 2 hours")
• allow_always — standing permission, revocable anytime

Dual Role: Enabler & Gatekeeper

OpenApe doesn't just secure agents — it makes them possible. The IdP controls which agents exist, and the grant system ensures humans stay in the loop where it matters. The IdP and its management credentials are controlled exclusively by humans — agents authenticate through cryptographic challenge-response, never through admin tokens.

Minimal Identity Token

The AuthN-JWT contains only what's needed:

{
  "sub": "alice@example.com",
  "act": "human",
  "iss": "https://id.example.com",
  "aud": "sp.example.com",
  "exp": 1234567890,
  "nonce": "..."
}

• sub — email address (same identifier used in the login request)
• act — human or agent
• No name, no owner, no approver — those belong in the AuthZ layer