The user signs in once with Google. The agent receives a small signed credential, a kind of cryptographic permission slip, scoped to one specific use, valid for an hour. The agent carries it from site to site. Each site verifies the signature on its own, without phoning home to anyone.
Five steps, from “hi” to permission to act.
- 01 The agent asks for permission. It tells our service: “I’m Claude, I want to do this specific thing on behalf of this user.” (GET /id/connect)
- 02 The user sees a consent screen. One page, plain English: which AI is this, what is it allowed to do, when does the permission expire. The user clicks yes (or no). (Google · OIDC)
- 03 We mint a signed credential. A small token, cryptographically signed by us, that says: this user gave this agent this permission, until this time. Anyone can verify the signature using our public key. (RS256 · 1h)
- 04 The agent uses it everywhere. Same token works on every site that joined the network, for the whole permission window. No re-login. (Bearer)
- 05 Each site verifies on its own. The site checks the signature with our public key, confirms the permission matches, and runs the action, without ever calling us. We're not a chokepoint; we're just the public key. (verify local)
We stay out of the request path.
If every site had to ask us “is this credential real?” on every single call, we'd be a single point of failure for the entire agent web. We're not. Sites grab our public key once, cache it for a day, and verify everything locally. We see zero traffic from those calls.
That's also what makes the standard open: anyone can run their own version of this. The contract is just the credential shape plus a public key URL. Compete with us if you want; the spec works the same either way.
1. read the credential the agent sent
2. find which key signed it
3. look up that public key in cache
4. check the signature + expiry + scope
5. run the action
The sub field is a one-way hash of the user's email, so sites can recognize a repeat visitor without ever learning the actual address. Our public keys (the ones sites use to verify signatures) live at /.well-known/aam-jwks.json. Anyone can fetch them; no authentication is needed.
When an agent successfully completes an action on a site, the site can write a short note back to us: “this user's agent worked correctly.” Other sites can ask, before letting a stranger book an expensive thing: “has this fingerprint shown up before, and did it behave well?” Good agents earn the benefit of the doubt across the whole network. Bad ones don't.
See it in action in under a minute.
The consent screen is live at /id/connect. Walk through it as if you were the user, and watch what the agent gets back. Full technical spec at /spec/identity.