MLAuth
OAUTH, BUT FOR AGENTS.
For Agents
Get your cryptographic identity in seconds. No passwords, just keys.
For Developers
Add "Sign in with MLAuth" to your app in minutes and allow agent access to your service. No API keys required; MLAuth is fully decentralized.
Read Integration Guide →
How It Works
Create your identity
Generate an ECDSA keypair. Register your public key at mlauth.ai to claim your persistent dumbname.
Sign every request
Sign {dumbname}{timestamp}{payload} with your private key. Services verify locally using your public key.
Build reputation
Earn karma across services via signed attestations. Your global score travels with you.
How MLAuth is Different To OAuth
Agent-Owned Keys vs IDP-Generated Tokens
Unlike OAuth, where an identity provider manages keys, in MLAuth the agent owns its own private key. The question is no longer "is this human X?" but "is this the owner of the key that represents this identity?".
Reputation Layer, Not Identity Provider
The goal is to let agents build a portable, non-spoofable identity they can use across the agentic and human world. MLAuth doesn't give the agent an identity; it vouches for its track record.
Portable & Offline-First
The only centralised part is the public key registry and karma history. Signature verification itself works entirely offline.
Federated Reputation System
Any trusted service can post signed karma attestations to /api/karma/attest, building a multi-source reputation score that no single party controls.
See Services for real-world reference implementations.
Minimal Example
You or your agent can register an identity and sign requests with plain shell commands; the Integration Guide also has several code examples if you prefer.
```javascript
import crypto from 'node:crypto';

// dumbname, timestamp, message and signature come from the incoming request.

// 1. Fetch identity + key status
// Encode dumbname so untrusted input cannot alter the request path.
const res = await fetch(`https://mlauth.ai/api/agent/${encodeURIComponent(dumbname)}`);
if (!res.ok) {
  throw new Error(`Agent lookup failed: ${res.status}`);
}
const { identity, reputation, key_status } = await res.json();
if (key_status?.is_revoked) {
  throw new Error('Agent key revoked');
}

// 2. Verify the signature locally
const payload = `${dumbname}${timestamp}${message}`;
const isValid = crypto.verify(
  'sha256',
  Buffer.from(payload),
  identity.public_key,
  Buffer.from(signature, 'base64')
);

// 3. Gate by reputation
if (isValid && reputation.global_score >= 50) {
  // Agent verified with sufficient karma
}
```

Full examples in Node.js, Python, and SvelteKit are in the Integration Guide.
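The signing half of the exchange described under "Sign every request", paired with a verifier that reports why a request was rejected, as an added example rather than MLAuth's own code. The epoch-millisecond timestamp, the 5-minute freshness window, the PEM key encoding and the `example-agent` name are assumptions not taken from the page.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: the page defines no freshness window; 5 minutes is illustrative.
const MAX_SKEW_MS = 5 * 60 * 1000;

// Agent side: sign {dumbname}{timestamp}{payload} with the private key.
function signRequest(privateKey, dumbname, timestamp, payload) {
  const data = Buffer.from(`${dumbname}${timestamp}${payload}`);
  return nodeCrypto.sign('sha256', data, privateKey).toString('base64');
}

// Service side: `record` mirrors the fields the page reads from
// /api/agent/{dumbname}; the PEM encoding of public_key is an assumption.
function verifyRequest(record, req, now = Date.now()) {
  if (record.key_status?.is_revoked) return 'revoked';
  // Assumption: timestamp is epoch milliseconds sent as a string.
  const ts = Number(req.timestamp);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) return 'stale';
  const data = Buffer.from(`${req.dumbname}${req.timestamp}${req.payload}`);
  try {
    const ok = nodeCrypto.verify('sha256', data, record.identity.public_key,
      Buffer.from(req.signature, 'base64'));
    return ok ? 'ok' : 'bad_signature';
  } catch {
    return 'bad_signature'; // unparsable key or signature
  }
}

// Constructed demo: throwaway key, hypothetical agent name and payload.
function demo() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const record = {
    identity: { public_key: publicKey.export({ type: 'spki', format: 'pem' }) },
    key_status: { is_revoked: false },
  };
  const now = Date.now();
  const req = { dumbname: 'example-agent', timestamp: String(now), payload: '{"action":"post"}' };
  req.signature = signRequest(privateKey, req.dumbname, req.timestamp, req.payload);
  return {
    valid: verifyRequest(record, req, now),
    tampered: verifyRequest(record, { ...req, payload: '{"action":"delete"}' }, now),
    stale: verifyRequest(record, req, now + MAX_SKEW_MS + 1),
    revoked: verifyRequest({ ...record, key_status: { is_revoked: true } }, req, now),
  };
}

console.log(demo());
```

Because the timestamp is inside the signed string, a verifier that bounds its age limits how long a captured request stays usable; a signature check alone accepts the same request indefinitely.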
No Passwords
Agents don't have memories, Gmail accounts or phones, but they can store keys. MLAuth uses ECDSA (secp256k1) — the server never sees the private key.
Portable Reputation
Agents build karma through contributions and attestations across services. Use global_karma to gate features without building your own reputation system.
Sovereign Verification
MLAuth acts as a public key registry. Agents sign their own payloads. You verify locally, then periodically refresh key status to stay safe during rotation events.
No API Keys Required
No dashboard, no rate limits on integrators. MLAuth is a protocol. Integrate in minutes using the mlauth npm package.
Works with Any Agent
Cursor, Claude, AutoGPT — just add skill.md to your settings and instruct your agent to set up its own private key.
Key Rotation + Revocation
Agents sign a revocation event if a key is compromised and rotate to a new version. Integrators read key status from /api/agent/{dumbname}.
Comparison
| Feature | MLAuth | OAuth | API Keys |
|---|---|---|---|
| No passwords needed | ✓ | ✗ | ✓ |
| No registration for integrators | ✓ | ✗ | ✗ |
| Verify without calling provider | ✓ | ✗ | ✗ |
| Built-in reputation system | ✓ | ✗ | ✗ |
| Agent-native design | ✓ | ✗ | ~ |
API Reference
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/register | Register identity (public key + optional dumbname) |
| GET | /api/agent/{dumbname} | Fetch public key, karma, key status |
| POST | /api/verify | Server-side signature verification helper |
| POST | /api/key/rotate | Rotate to a new public key version |
| POST | /api/key/revoke | Signed key retirement (compromise response) |
| POST | /api/karma/attest | Award karma as a trusted provider |
| GET | /api/leaderboard | Top agents by global karma |
| GET | /api/status | Protocol version and health check |