Sign code with your fingerprint. Verified on Sigstore.
Hardware-backed identity. Touch ID signs your commits and releases. Every signature lands on the same public ledger as Google and GitHub — no accounts, no certificates, no permission needed.
~ $ brew install auths && auths init
🔐 Touch ID
✓ Identity created
~ $ git commit -m "first signed commit"
✓ Commit signed (Touch ID)
Publicly Verified on Sigstore
Every signature lands on the same public transparency log used by Google, GitHub, npm, and PyPI. No OIDC. No certificate authority. Just your key and a public record.
# create something to sign
~ $ echo "my-app v1.0.0" > release.tar.gz
# sign it and publish to Sigstore
~ $ auths artifact sign --log sigstore-rekor release.tar.gz
Logged to sigstore-rekor at index 1271709852
✓ Signed "release.tar.gz" → "release.tar.gz.auths.json"
# verify it landed — anyone can do this, no auths needed
~ $ rekor-cli get --log-index 1271709852
Body: {"DSSEObj": {"payloadHash": ...}}
Bring your own network
Sigstore is the default, not a dependency. Swap in a self-hosted log, a Sigsum instance, or run fully offline with --allow-unlogged.
No OIDC required
Sigstore normally requires Google or GitHub login. Auths skips that entirely. Your identity is cryptographic, not borrowed from a provider.
Independently verifiable
Anyone can verify your entry with rekor-cli or cosign. No auths installation needed. Standard tooling, standard formats.
Sign Anything. Verify Anywhere.
Commits, release artifacts, SBOM manifests. One tool, one identity.
Sign
~ $ auths artifact sign release.tar.gz
✓ Signed: release.tar.gz.auths.json
Verify
~ $ auths artifact verify release.tar.gz
✓ Valid — signed by did:keri:E8jsh...
CI Integration
Zero secrets. Two actions. Every commit verified. Every release signed.
Set up manually with the CLI
1. Install & init (local, once)
~ $ brew install auths
~ $ auths init
✓ Identity created, git signing configured
2. Add verify action to CI
# .github/workflows/verify.yml
name: Verify Commits
on: [pull_request, push]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: auths-dev/verify@v1
        with:
          fail-on-unsigned: true
3. Add sign action to releases
# In your release workflow, after building:
- name: Sign release artifacts
  run: |
    for f in dist/*; do
      auths artifact sign --ci \
        --commit ${{ github.sha }} \
        --log sigstore-rekor "$f"
    done
Prove Where Code Comes From
LiteLLM and Axios were both compromised through stolen publish credentials. With Auths, stolen credentials can't produce valid signatures — the signing key lives in your hardware keychain, not in CI.
Cryptographically Signed
Every artifact verified with signatures you control — no central authority.
Unbroken Chain
Complete provenance from source to deployment, stored in Git.
Audit Forever
Immutable records accessible offline. No vendor lock-in.
~ $ auths verify --repo github.com/auths-dev/auths
How Auths Compares
| Feature | Auths | GPG Keys | SSH Keys | Sigstore |
|---|---|---|---|---|
| Setup time | 10 seconds | 15+ minutes | 5 minutes | 2 minutes |
| Key rotation | Pre-rotation built in | Manual ceremony | Manual replacement | Ephemeral keys |
| Works offline | Yes | Yes | Yes | Requires internet |
| Multi-device | QR code pairing | Export/import keys | Copy key files | Via OIDC provider |
| Agent delegation | Scoped + revocable | Not supported | Not supported | Not supported |
| Revocation | Signed event in Git | Keyserver dependent | Delete from GitHub | Certificate expiry |
| GitHub "Verified" badge | Not yet | Yes | Yes | Not yet |
| Supply-chain attack scenarios | | | | |
| Survives stolen CI token (Axios/LiteLLM attack) | Yes | No | No | No — CI token bypass still accepted |
| Offline / air-gapped verification | Yes — WASM, no server | Yes | Yes | Requires Rekor network call |
| Persistent maintainer identity | Lifelong key history | Manual key management | No history model | Ephemeral — no persistent identity |
| AI agent identity delegation | Scoped + revocable | Not supported | Not supported | Not supported |
Agents With Real Identity
Delegate real cryptographic identity to your agents. Revoke any time.
# Create an agent identity
~ $ auths init --profile agent --non-interactive
# Export identity for deployment
~ $ auths id export-bundle --output agent-bundle.json
# Rotate keys to revoke old access
~ $ auths id rotate
Your Keys, Your Control
Each device has its own key. Revoke one, the rest keep working.
~ $ auths device list
DEVICE STATUS ADDED
MacBook Pro active 2026-01-15
iPhone 14 active 2026-02-03
Old Laptop revoked 2026-03-01
~ $ auths id rotate --alias my-key
✓ New key generated
✓ Rotation event signed by current key
✓ Key Event Log updated
Prior signatures remain valid.
Nothing to re-sign.
Rotate Without Breaking History
Rotation is a signed event in your Key Event Log — not a manual ceremony. Suspect compromise? One command. Prior signatures stay valid. Nothing to re-sign.
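The rotation model described above (a signed rotation event, a pre-committed next key, and earlier signatures that stay valid) as an added toy implementation in Go; this is illustrative code, not auths' own Key Event Log format, and the Event/KEL layout, Ed25519 keys and SHA-256 pre-rotation commitments are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Event is one entry of a toy Key Event Log (illustrative, not auths' own format).
type Event struct {
	Current  ed25519.PublicKey // key in force from this event on
	NextHash [32]byte          // pre-rotation: hash of the key the next rotation will reveal
	Sig      []byte            // retiring key's signature over the event (nil at inception)
}
type KEL struct {
	Events    []Event            // the public log anyone can verify
	Cur, Next ed25519.PrivateKey // key in force; pre-rotated key whose hash is already public
}

func newKey() ed25519.PrivateKey {
	_, p, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return p
}
func pub(p ed25519.PrivateKey) ed25519.PublicKey { return p.Public().(ed25519.PublicKey) }
func body(e Event) []byte { return append(append([]byte{}, e.Current...), e.NextHash[:]...) }
// Incept publishes key 0 and the hash of key 1.
func Incept() *KEL {
	k := &KEL{Cur: newKey(), Next: newKey()}
	k.Events = []Event{{Current: pub(k.Cur), NextHash: sha256.Sum256(pub(k.Next))}}
	return k
}
// Rotate reveals the pre-committed key, commits to a fresh one and signs with the retiring key.
func (k *KEL) Rotate() {
	fresh := newKey()
	e := Event{Current: pub(k.Next), NextHash: sha256.Sum256(pub(fresh))}
	e.Sig = ed25519.Sign(k.Cur, body(e))
	k.Events = append(k.Events, e)
	k.Cur, k.Next = k.Next, fresh
}
// Verify needs only the public events: each rotation must be signed by the prior key and
// reveal the pre-committed key; then sig is checked under the key in force at event seq.
func Verify(events []Event, msg, sig []byte, seq int) bool {
	for i := 1; i < len(events); i++ {
		p, e := events[i-1], events[i]
		if sha256.Sum256(e.Current) != p.NextHash || !ed25519.Verify(p.Current, body(e), e.Sig) {
			return false
		}
	}
	return seq >= 0 && seq < len(events) && ed25519.Verify(events[seq].Current, msg, sig)
}
```

Because each event names the key that may advance the log, a retired key that is later stolen can still be checked against the history it signed, but it cannot append a rotation that the log will accept.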
Architecture Deep Dive
Auths provides a complete identity infrastructure built on cryptographic primitives stored in Git. Every identity action is signed, auditable, and verifiable offline using WASM verifiers embedded in your applications.
Ready to Control Your Identity?
Join developers building the next generation of decentralized identity. Start for free, no credit card required.