AI agents are getting powerful. They send emails, move money, deploy code. OpenApe makes sure a human approves what matters, without slowing anything down.
"If lobsters 🦞 take over the world,
we need apes 🦍 for security."
- The OpenApe Manifesto
Today's AI agents can book flights, sign contracts, and push to production. But there's no standardized way to verify who authorized what. No audit trail. No approval flow. No kill switch.
DNS-based login for humans and agents. Passkeys for humans, Ed25519 for machines. Makes the Agentic Web frictionless: any service, any domain, one protocol. No bilateral integrations.
Human-in-the-loop permission system. Agents request, humans approve: once, time-limited, or standing. Scoped, signed, revocable. The leash where it matters.
Auth makes agents possible. Grants make them accountable.
Use both, or each on its own.
OpenApe uses DDISA, a DNS-based protocol that turns your domain into an identity provider. Standard OIDC under the hood, zero configuration on top. Add a TXT record, deploy the IdP, and you're live.
Identity discovery in one DNS lookup
phofmann@company.at
  -> lookup: _ddisa.company.at TXT
  -> answer: idp=https://id.company.at
  -> Verified
Like MX records for email, but for agent identity. Works with any domain you own.
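The lookup above in working code, as an added example that is not OpenApe's own implementation: the identifier is split at the `@`, the `_ddisa.<domain>` TXT record is fetched, and the `idp=` value is parsed into an OIDC issuer. The `idp=` key and the `_ddisa` label come from the page; the domain validation, the https-only rule, the handling of chunked or duplicate records, the `.well-known/openid-configuration` path (standard OIDC discovery) and the constructed zone data are this example's assumptions. It targets Node 16 or later.

```javascript
// Added example (not OpenApe's code): DDISA identity discovery via DNS.
// From the page: identifier -> _ddisa.<domain> TXT -> idp=<url>. Everything
// else (error handling, URL rules, the OIDC metadata path) is this example's assumption.
import { promises as dns } from 'node:dns';

// Constructed zone data so the example runs offline; these are not real DNS answers.
// Node returns each TXT record as an array of string chunks, hence the nesting.
export const CONSTRUCTED_TXT = {
  '_ddisa.company.at':    [['idp=https://id.company.at']],
  '_ddisa.split.example': [['idp=https://id.spl', 'it.example']],     // one record, two chunks
  '_ddisa.plain.example': [['idp=http://id.plain.example']],          // downgrade attempt
  '_ddisa.dupe.example':  [['idp=https://a.example'], ['idp=https://b.example']],
  '_ddisa.other.example': [['v=spf1 -all']],                          // unrelated TXT, no idp
};

// Offline stand-in for dns.promises.resolveTxt with the same error shape.
export async function offlineResolveTxt(name) {
  if (!(name in CONSTRUCTED_TXT)) {
    const err = new Error(`queryTxt ENOTFOUND ${name}`);
    err.code = 'ENOTFOUND';
    throw err;
  }
  return CONSTRUCTED_TXT[name];
}

// The domain part of a user@domain identifier (or the identifier itself if bare).
export function domainOf(identifier) {
  const domain = identifier.includes('@') ? identifier.slice(identifier.lastIndexOf('@') + 1) : identifier;
  if (!/^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$/i.test(domain)) {
    throw new Error(`not a usable domain: ${identifier}`);
  }
  return domain.toLowerCase();
}

// Turn the TXT answer for _ddisa.<domain> into the IdP issuer, or null if the
// domain publishes no idp= record. Throws on ambiguous or unsafe records.
export function parseDdisa(domain, records) {
  const idps = records
    .map((chunks) => chunks.join(''))          // reassemble chunked records first
    .filter((txt) => txt.startsWith('idp='))
    .map((txt) => txt.slice('idp='.length).trim());
  if (idps.length === 0) return null;
  if (idps.length > 1) throw new Error(`${domain}: ${idps.length} idp= records, expected one`);
  const url = new URL(idps[0]);
  if (url.protocol !== 'https:') throw new Error(`${domain}: idp must use https`);
  if (url.username || url.password || url.search || url.hash) {
    throw new Error(`${domain}: idp must be a bare https URL`);
  }
  const issuer = url.origin + url.pathname.replace(/\/+$/, '');
  return {
    domain,
    issuer,
    // Standard OIDC discovery document for that issuer (assumption: the idp URL is the issuer).
    metadata: `${issuer}/.well-known/openid-configuration`,
  };
}

// One DNS lookup from identifier to IdP. Pass offlineResolveTxt to stay offline.
export async function discoverIdp(identifier, resolveTxt = (name) => dns.resolveTxt(name)) {
  const domain = domainOf(identifier);
  let records;
  try {
    records = await resolveTxt(`_ddisa.${domain}`);
  } catch (err) {
    if (err.code === 'ENOTFOUND' || err.code === 'ENODATA') return null; // domain does not speak DDISA
    throw err;
  }
  return parseDdisa(domain, records);
}
```

Two checks matter more than they look: an `http://` idp value is rejected rather than followed, because a forged or downgraded TXT answer would otherwise hand the login to an attacker-controlled issuer, and two `idp=` records are treated as an error rather than picking the first, since DNS answer order is not stable.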
Your AI agent needs to perform a privileged action: send money, access data, deploy code.
The action hits a permission boundary. OpenApe checks: does this agent have a valid grant for this scope?
If no grant exists, the human owner receives an approval request via Telegram, email, or any other channel.
Grant once, for a time window, or always for this scope. Scoped, signed, auditable.
The action executes. Who approved it, when, and for what is all recorded. Dual accountability: agent owner and approver.
OpenApe doesn't slow your agents down; it makes them trustworthy.
Grants are tied to specific actions and scopes. An agent approved for "read calendar" can't suddenly "send emails".
No central registry. Your domain is your identity anchor. Like email's MX records, but for agent auth.
Approval requests arrive on Telegram, email, or any messaging surface. Tap to approve. Done.
Every grant is cryptographically signed and carries a nonce and an expiry: it cannot be forged or altered, a one-time grant cannot be replayed, and a time-limited grant stops working when its window ends.
Dual accountability: who owns the agent AND who approved the action. Compliance-ready from day one.
Add a DNS TXT record. Deploy the IdP. That's it. Standard OIDC under the hood, no vendor lock-in.
Some actions need a human every time. Others earn standing trust. OpenApe lets you decide.
Approve this specific action, this one time. Grant is consumed immediately. For high-risk operations like transfers or deployments.
Grant access for a time window (15 minutes, 1 hour, 1 day). Perfect for work sessions or batch operations.
This agent can always perform this action. Revocable anytime. For routine, low-risk operations you trust completely.
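The grant lifecycle described above (request, approval, scoped and signed grant, execution with an audit record) and the three trust levels, shown as an added example that is not OpenApe's grant engine. The trust level names `allow_once`, `allow_ttl` and `allow_always`, the signed AuthZ-JWT, the nonce and the expiry come from the page; the claim names, the scope strings, the choice that the approval service holds the Ed25519 signing key, the five-minute validity of a one-time grant and the in-memory consumed/revoked sets are this example's assumptions. It targets Node 16 or later.

```javascript
// Added example (not OpenApe's code): a minimal grant engine with signed AuthZ-JWTs.
// Trust levels and the nonce/expiry/scope properties are from the page; claim names,
// scope strings and key ownership are assumptions made here for illustration.
import { generateKeyPairSync, sign, verify, randomBytes } from 'node:crypto';

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString());

// Assumption: the approval service owns one Ed25519 key pair and signs every grant with it.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');

const consumed = new Set(); // jti of allow_once grants already spent
const revoked = new Set();  // jti of grants revoked by an admin

// Issue a grant as an EdDSA JWS: base64url(header).base64url(payload).base64url(sig).
export function issueGrant({ agent, scope, trust, approver, owner, ttlSeconds = 0 }, now = Date.now() / 1000) {
  if (!['allow_once', 'allow_ttl', 'allow_always'].includes(trust)) throw new Error(`unknown trust level ${trust}`);
  if (trust === 'allow_ttl' && !(ttlSeconds > 0)) throw new Error('allow_ttl needs a positive ttlSeconds');
  const iat = Math.floor(now);
  const payload = {
    sub: agent, scope, trust, approver, owner, iat,
    jti: randomBytes(16).toString('hex'),               // nonce: makes every grant unique
    exp: trust === 'allow_ttl'  ? iat + ttlSeconds      // time window chosen by the approver
       : trust === 'allow_once' ? iat + 300             // assumption: one-shot grants die after 5 minutes
       : null,                                          // allow_always: no expiry, revocation only
  };
  const signingInput = `${b64url({ alg: 'EdDSA', typ: 'JWT' })}.${b64url(payload)}`;
  const sig = sign(null, Buffer.from(signingInput), privateKey).toString('base64url');
  return `${signingInput}.${sig}`;
}

// Revocation works on the nonce, so a revoked allow_always grant can never be presented again.
export function revoke(jwt) {
  revoked.add(fromB64url(jwt.split('.')[1]).jti);
}

// The permission boundary: may `agent` perform `scope` under `jwt` right now?
// Returns { ok, reason, ... } so the caller can log who approved what.
export function authorize(jwt, agent, scope, now = Date.now() / 1000) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try { header = fromB64url(h); claims = fromB64url(p); } catch { return { ok: false, reason: 'malformed' }; }
  if (header.alg !== 'EdDSA') return { ok: false, reason: 'bad_alg' };   // never trust alg from the token blindly
  if (!verify(null, Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'))) {
    return { ok: false, reason: 'bad_signature' };                         // any edit to the payload lands here
  }
  if (claims.sub !== agent) return { ok: false, reason: 'wrong_agent' };
  if (claims.scope !== scope) return { ok: false, reason: 'scope_mismatch' }; // exact match: no prefix or wildcard
  if (revoked.has(claims.jti)) return { ok: false, reason: 'revoked' };
  if (claims.exp !== null && now >= claims.exp) return { ok: false, reason: 'expired' };
  if (claims.trust === 'allow_once') {
    if (consumed.has(claims.jti)) return { ok: false, reason: 'already_used' };
    consumed.add(claims.jti);                                               // consumed on first successful use
  }
  // Audit record: both parties are in the token, so the log can name them without a lookup.
  return { ok: true, reason: 'granted', agent: claims.sub, scope, approver: claims.approver, owner: claims.owner, jti: claims.jti };
}
```

The scope check is deliberately an exact string comparison: the page's guarantee that a "read calendar" grant cannot become "send emails" only holds if nothing in the checker tries to be clever about prefixes. Note also that a one-time grant is marked consumed on the first successful check rather than when the action finishes, so a crashed action cannot be retried without a fresh approval.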
OpenApe isn't a monolith; it's a set of small, focused packages you compose as needed. Use one. Use all. Each works standalone.
DNS discovery, crypto primitives, PKCE, JWT utilities. The foundation everything else builds on. Framework-agnostic, zero dependencies.
Complete OIDC login protocol, both sides. IdP: authorize, token exchange, key management. SP: discovery, auth URL, callback. Pure functions, no framework lock-in.
The permission engine. Request, approve, deny, revoke, all with signed AuthZ-JWTs. Works with any auth system, not just OpenApe's.
A Nuxt module that turns your app into an OpenApe identity provider. Drizzle-backed storage, passkey login, agent management. Add the module, deploy, done.
A Nuxt module for service providers β zero server storage. OAuth flow state lives in signed cookies. Add OpenApe login to your app with one import.
A Rust binary for local privilege elevation. Your agent needs root? It requests a grant, the human approves, and escapes runs the command: scoped, signed, logged. Like sudo, but for agents.
An agent HTTP gateway: a forward proxy with grant-based access control. Agents route requests through the proxy, which enforces grants before forwarding.
Grant-aware headless browser for agents. A Playwright wrapper with route interception, automatic grant checks, and delegation login. Browse the web, with guardrails.
Universal grant management CLI. List, inspect, approve, revoke grants from your terminal. The admin tool for anyone managing agent permissions.
OpenApe uses passkeys (WebAuthn/FIDO2) for humans and Ed25519 challenge-response for agents. No passwords. No phishing. No bolt-on MFA. One architecture designed to support modern security frameworks on both sides of the Atlantic.
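The machine half of that architecture, Ed25519 challenge-response, as an added example that is not OpenApe's code: the service issues a random nonce bound to the agent, the intended audience and an expiry; the agent signs it with its private key; the service verifies against the public key it has on record and accepts the nonce exactly once. The mechanism is what the page states; the message fields, the canonical encoding that is signed, the in-memory key registry and pending-challenge table, and the sample agent identity are this example's assumptions. It targets Node 16 or later.

```javascript
// Added example (not OpenApe's code): Ed25519 challenge-response for an agent.
// Fields, encoding and the registry are assumptions; the page only names the mechanism.
import { generateKeyPairSync, sign, verify, randomBytes, createPublicKey } from 'node:crypto';

// Constructed agent key pair. In a deployment the private half lives only with the agent and
// the public half is registered at the IdP; here both are generated so the example runs offline.
const agentKeys = generateKeyPairSync('ed25519');
export const AGENT_PRIVATE_KEY = agentKeys.privateKey;

// Server side: agent id -> registered Ed25519 public key (SPKI PEM).
export const REGISTRY = new Map([
  ['agent-42@company.at', agentKeys.publicKey.export({ type: 'spki', format: 'pem' })],
]);

const pending = new Map(); // nonce -> challenge; cleared on first use or expiry

// Server side: hand the agent a fresh challenge bound to who it is and where it is logging in.
export function issueChallenge(agentId, audience, now = Date.now() / 1000, ttlSeconds = 60) {
  if (!REGISTRY.has(agentId)) throw new Error(`unknown agent ${agentId}`);
  const challenge = {
    agent: agentId,
    aud: audience,                                      // the service this login is for
    nonce: randomBytes(32).toString('base64url'),       // 256 bits of freshness
    exp: Math.floor(now) + ttlSeconds,
  };
  pending.set(challenge.nonce, challenge);
  return challenge;
}

// Both sides sign/verify the same fixed-order encoding, so there is no ambiguity about the bytes.
export function challengeBytes(ch) {
  return Buffer.from(JSON.stringify([ch.agent, ch.aud, ch.nonce, ch.exp]));
}

// Agent side: prove key possession by signing the challenge as received.
export function answerChallenge(challenge, privateKey) {
  return { ...challenge, sig: sign(null, challengeBytes(challenge), privateKey).toString('base64url') };
}

// Server side: accept an answer once, only for the audience it was issued for, before it expires.
export function verifyAnswer(answer, audience, now = Date.now() / 1000) {
  const issued = pending.get(answer.nonce);
  if (!issued) return { ok: false, reason: 'unknown_or_used_nonce' };
  pending.delete(answer.nonce);                         // single use, even if a later check fails
  if (issued.agent !== answer.agent || issued.aud !== answer.aud || issued.exp !== answer.exp) {
    return { ok: false, reason: 'challenge_mismatch' }; // agent rewrote the challenge it was given
  }
  if (issued.aud !== audience) return { ok: false, reason: 'wrong_audience' }; // stops relay to another service
  if (now >= issued.exp) return { ok: false, reason: 'expired' };
  const pub = createPublicKey(REGISTRY.get(issued.agent));
  // Verify over the server's copy of the challenge, never over what the agent echoed back.
  if (!verify(null, challengeBytes(issued), pub, Buffer.from(answer.sig, 'base64url'))) {
    return { ok: false, reason: 'bad_signature' };
  }
  return { ok: true, agent: issued.agent };
}
```

The audience binding is the part most often left out: without it, a malicious service that receives an agent's signed answer could forward it to the real service and log in as the agent. Deleting the nonce before the remaining checks run means a failed attempt cannot be retried with a corrected answer either.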
Passkeys are designed to support strong authentication requirements (possession of the authenticator plus user verification such as a biometric or PIN) without a bolt-on MFA step. Built with NIS2 in mind.
Phishing-resistant MFA and zero-trust identity, aligned with the direction set by the NIST Cybersecurity Framework and recent executive guidance.
No regional workarounds. The same passkey-first, grant-controlled architecture works everywhere: EU, US, and beyond.
OpenApe is a technical building block, not legal advice. Compliance with NIS2, NIST CSF 2.0 or EO 14028 depends on how you operate, document and audit your overall system, not just which auth library you use.
DDISA (DNS-based Decentralized Identity for Services and Agents) is the open protocol that powers every OpenApe package. It defines how domains announce identity, how humans and agents authenticate, and how privileges are granted, scoped and revoked. Read the spec. Implement your own. OpenApe is one reference implementation, not the only one.
DNS discovery, key material, OIDC flows, passkey and Ed25519 authentication. The foundation every DDISA implementation shares.
Signed AuthZ-JWTs, scopes, trust levels (allow_once, allow_ttl, allow_always), request and approval flows, revocation semantics.
How humans delegate to agents and agents delegate to other agents, with chains of accountability that survive audits.
OpenApe and the DDISA protocol are fully open source. Review every line. Fork it. Extend it. The security layer for AI agents shouldn't be a black box.
Add a DNS record. Deploy the IdP. Your agents are accountable in minutes.