Sign commits. Verify releases. Authorize agents.

Cryptographic identity that lives in your Git repo. No GPG. No central server. 10 seconds to set up.

Get startedView on GitHub
Open sourceWorks offlineNo vendor lock-in

~ $ brew install auths

~ $ auths init

✓ Identity created: did:keri:E8jsh...

✓ Git signing configured

✓ Ready. Every commit is now signed.

Zero to Signed Commit in 30 Seconds

Install, create your identity, and sign your first commit. Copy-paste and go.

terminal

~ $ brew install auths # or: cargo install auths-cli

~ $ auths init

✓ Identity created: did:keri:E8jsh...

✓ Git signing configured

~ $ git commit -m "first signed commit"

✓ Commit signed with did:keri:E8jsh...

Sign Anything. Verify Anywhere.

Commits, release artifacts, SBOM manifests. One tool, one identity.

Sign

terminal

~ $ auths artifact sign release.tar.gz

✓ Signed: release.tar.gz.auths.json

Verify

terminal

~ $ auths artifact verify release.tar.gz

✓ Valid — signed by did:keri:E8jsh...

CI Integration

One secret, two actions. Every commit verified. Every release signed.

Sign Commits

# Run `auths ci setup` to set signing token
- uses: auths-dev/sign@v1
  with:
    token: ${{ secrets.AUTHS_CI_TOKEN }}
    commits: 'HEAD~1..HEAD'
Sign Commits

Verify Commits

- uses: auths-dev/verify@v1
  with:
    fail-on-unsigned: true
Verify Commits
Set up manually with the CLI

1. Setup (once)

terminal

~ $ auths ci setup

✓ AUTHS_CI_TOKEN set on auths-dev/my-repo

2. Sign releases

- uses: auths-dev/sign@v1
  with:
    token: ${{ secrets.AUTHS_CI_TOKEN }}
    files: 'dist/*.tar.gz'
    verify: true

3. Verify commits

- uses: auths-dev/verify@v1
Full CI/CD documentation

Prove Where Code Comes From

LiteLLM and Axios were both compromised through stolen publish credentials. With Auths, stolen credentials can't produce valid signatures — the signing key lives in your hardware keychain, not in CI.

Cryptographically Signed

Every artifact verified with signatures you control — no central authority.

Unbroken Chain

Complete provenance from source to deployment, stored in Git.

Audit Forever

Immutable records accessible offline. No vendor lock-in.

Legacy AuthI/O Bound
Edge Worker
Blocking HTTP Request~150ms latency
Central IdP
Auths VerificationCPU Bound
Edge Worker
Auths WASM Module
Local Ed25519 Math
Network Calls0

~ $ auths verify --repo github.com/auths-dev/auths

Explore Supply Chain Verification

How Auths Compares

FeatureAuthsGPG KeysSSH KeysSigstore
Setup time10 seconds15+ minutes5 minutes2 minutes
Key rotationPre-rotation built inManual ceremonyManual replacementEphemeral keys
Works offlineYesYesYesRequires internet
Multi-deviceQR code pairingExport/import keysCopy key filesVia OIDC provider
Agent delegationScoped + revocableNot supportedNot supportedNot supported
RevocationSigned event in GitKeyserver dependentDelete from GitHubCertificate expiry
GitHub "Verified" badgeNot yetYesYesNot yet
Supply-chain attack scenarios
Survives stolen CI token (Axios/LiteLLM attack)YesNoNoNo — CI token bypass still accepted
Offline / air-gapped verificationYes — WASM, no serverYesYesRequires Rekor network call
Persistent maintainer identityLifelong key historyManual key managementNo history modelEphemeral — no persistent identity
AI agent identity delegationScoped + revocableNot supportedNot supportedNot supported

Agents With Real Identity

Delegate real cryptographic identity to your agents. Revoke any time.

Developer
Agent
Artifact
terminal

# Create an agent identity

~ $ auths init --profile agent --non-interactive

# Export identity for deployment

~ $ auths id export-bundle --output agent-bundle.json

# Rotate keys to revoke old access

~ $ auths id rotate

Give Your Agent an Identity

Your Keys, Your Control

Each device has its own key. Revoke one, the rest keep working.

terminal

~ $ auths device list

DEVICE STATUS ADDED

MacBook Pro active 2026-01-15

iPhone 14 active 2026-02-03

Old Laptop revoked 2026-03-01

terminal

~ $ auths id rotate --alias my-key

✓ New key generated

✓ Rotation event signed by current key

✓ Key Event Log updated

Prior signatures remain valid.

Nothing to re-sign.

Rotate Without Breaking History

Rotation is a signed event in your Key Event Log — not a manual ceremony. Suspect compromise? One command. Prior signatures stay valid. Nothing to re-sign.

Learn about key rotation

Architecture Deep Dive

Auths provides a complete identity infrastructure built on cryptographic primitives stored in Git. Every identity action is signed, auditable, and verifiable offline using WASM verifiers embedded in your applications.

HumanKERI Identity
OrganizationDelegation Chain
DeviceAttestation + Key
AgentScoped Capability
KERI specification →

Ready to Control Your Identity?

Join developers building the next generation of decentralized identity. Start for free, no credit card required.

Start Building View Documentation
Open SourceNo Vendor Lock-InCommunity Driven