Enroll an AI Agent

Prerequisites

• Node.js 22+
• An account on an OpenApe IdP (e.g. id.openape.ai)

1. Enroll

npx @openape/apes enroll

The wizard asks for the IdP URL (default: id.openape.ai), your agent's name, and which Ed25519 key to use (default: ~/.ssh/id_ed25519).

It opens a browser where you confirm the enrollment. The CLI waits until confirmed, then verifies the agent can authenticate.

2. Verify

npx @openape/apes whoami

You should see your agent's email and IdP.

3. Build

# Optional: scaffold a starter project
npx @openape/apes init --sp my-agent-app

Or use the agent programmatically — the config is stored in ~/.config/apes/.

Done

Your agent has a DDISA identity and can authenticate with Ed25519 challenge-response. It has zero permissions by default — every action requires a human-approved grant.

What's Next?

• Grant system — how agents request and receive permissions
• Delegation — act on behalf of another user
• escapes — privilege escalation with grant verification

Agent Lifecycle

Enroll  →  apes enroll (one-time, registers public key at IdP)
Login   →  Ed25519 challenge-response (automatic, per-session)
Request →  Ask for permission (grant)
Approve →  Human approves in browser or CLI
Execute →  Use grant token for authorized action