Your agents live in Attach. When they go out to browse the web, consume APIs, or access premium content—they need to prove who they are. OpenBotAuth gives them a cryptographic identity using RFC 9421 HTTP Message Signatures.
Your agents are powerful. They can browse the web, call APIs, and gather data. But without identity, they're just anonymous bots—blocked, rate-limited, or ignored.
OpenBotAuth gives your agents a passport. Every agent gets an Ed25519 keypair and signs requests using RFC 9421—proving exactly who they are.
Your agents get a cryptographic identity. When they browse the web or call APIs, they can prove who they are.
Industry-standard HTTP Message Signatures. Every request your agent makes is cryptographically signed.
Publishers can verify your agents. Access paywalled content, premium APIs, and gated data sources.
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│ Attach Runtime  │     │   Your Agent    │     │     The Web     │
│  (Your Agents)  │────▶│ + OpenBotAuth   │────▶│  (APIs, Data,   │
└─────────────────┘     │    Identity     │     │   Publishers)   │
                        └─────────────────┘     └─────────────────┘
Your agent's outbound request:
Signature-Input: sig1=(...);created=1234;keyid="your-agent"
Signature: sig1=:base64signature:
→ Publishers verify and grant access
Your agents run in Attach. When they go out to the web, OpenBotAuth signs every request with their cryptographic identity. Publishers can verify and trust your agents.
Get cryptographic identity for your AI agent.
# Visit registry.openbotauth.org
# or use the CLI
npm i -g @openbotauth/bot-cli
oba-bot keygen  # Generate Ed25519 keypair
# Enable OpenBotAuth verification
export AUTH_BACKEND=openbotauth
export OB_TRUSTED_DIRECTORIES=https://registry.openbotauth.org
# Start the gateway
attach-gateway --port 8080
# Using oba-bot CLI
oba-bot fetch http://localhost:8080/api/chat -v
# Or sign programmatically (Node.js)
import { signRequest } from '@openbotauth/registry-signer';
const signed = await signRequest(request, {
  keyId: 'your-agent-id',
  privateKey: yourPrivateKey,
});
# Request includes RFC 9421 headers:
# Signature-Input: sig1=(...);created=1234;keyid="agent-id"
# Signature: sig1=:base64signature:
# Signature-Agent: https://registry.openbotauth.org/jwks/agent-id
# Attach verifies signature, adds X-Attach-Agent header
# Downstream services know exactly which agent is calling
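What the Signature-Input and Signature headers above actually bind to, as an added example that is not OpenBotAuth or Attach code: it builds the RFC 9421 signature base, signs it with Ed25519, and verifies it the way a publisher would, using only Node's built-in crypto module. The covered components, the 300-second freshness window, and the locally generated keypair (standing in for a registry key lookup) are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Assumptions for this example: covered components and freshness window.
const COVERED = '("@method" "@authority" "@path")';
const MAX_AGE_SECONDS = 300;

// RFC 9421 signature base: one line per covered component, then the
// "@signature-params" line, joined by "\n" with no trailing newline.
function signatureBase(req, params) {
  return [
    `"@method": ${req.method.toUpperCase()}`,
    `"@authority": ${req.authority.toLowerCase()}`,
    `"@path": ${req.path}`,
    `"@signature-params": ${params}`,
  ].join('\n');
}

// Agent side: sign the base with Ed25519 and emit the two headers.
function signHeaders(req, keyId, privateKey, created) {
  const params = `${COVERED};created=${created};keyid="${keyId}"`;
  const sig = crypto.sign(null, Buffer.from(signatureBase(req, params)), privateKey);
  return {
    'signature-input': `sig1=${params}`,
    signature: `sig1=:${sig.toString('base64')}:`,
  };
}

// Publisher side: rebuild the base from the request as received, then verify.
function verifyHeaders(req, headers, publicKey, now) {
  const input = /^sig1=(.+)$/.exec(headers['signature-input'] || '');
  const sig = /^sig1=:([A-Za-z0-9+/]+=*):$/.exec(headers.signature || '');
  if (!input || !sig) return false;
  const params = input[1];
  // Reject signatures that do not cover method, authority and path.
  if (!params.startsWith(COVERED + ';')) return false;
  // Reject missing or stale timestamps so old signed headers are not accepted.
  const created = Number((/;created=(\d+)/.exec(params) || [])[1]);
  if (!Number.isFinite(created) || Math.abs(now - created) > MAX_AGE_SECONDS) return false;
  const base = Buffer.from(signatureBase(req, params));
  return crypto.verify(null, base, publicKey, Buffer.from(sig[1], 'base64'));
}

// Constructed sample data: a throwaway keypair and request, generated locally.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const request = { method: 'GET', authority: 'localhost:8080', path: '/api/chat' };
const sampleCreated = 1700000000;
const headers = signHeaders(request, 'your-agent-id', privateKey, sampleCreated);
console.log(headers);
console.log('verified:', verifyHeaders(request, headers, publicKey, sampleCreated + 5));
```

Because the verifier recomputes the base from the request it received, the same headers fail verification on a different path, with a different key, or outside the freshness window.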
Your agents prove they're legitimate. Publishers grant access instead of blocking.
Call third-party APIs with verified identity. Higher rate limits, better access.
Access paywalled data sources. Publishers can verify and bill your agents directly.
When your agents call other agents, identity chains are preserved cryptographically.
Both. OpenBotAuth builds on RFC 9421 (HTTP Message Signatures), which is an IETF standard. The OpenBotAuth project provides reference implementations, a public registry, and tooling—all open source. Anyone can run their own registry.
Publishers verify RFC 9421 signatures and look up public keys from the registry. Any site that supports HTTP Message Signatures can verify OpenBotAuth identities. The registry just provides a trusted directory of agent public keys.
Your private key never leaves your infrastructure. The oba-bot CLI generates a keypair locally—only the public key is uploaded to the registry. Store your private key in a secure location such as environment variables, a secrets manager, or an HSM, depending on your security requirements.
Publishers can choose which registries to trust. If they trust the OpenBotAuth public registry, your agent will be recognized. Some publishers may run private registries for their partners. The ecosystem is designed to be decentralized.
OpenBotAuth integration is in development. Join the waitlist or contribute to the open-source project.