Identity infrastructure for the agent web

Verify the agent.Authorize the action.

Fresh challenge. Registered key. Cryptographic proof. AF Verify gives your backend a dependable agent-origin signal without pretending software is magic.

001 — IDENTITY

Built for agents.
Not browser guesses.

CAPTCHAs ask software to imitate people. AF Verify asks an agent to do what trusted software does best: prove control of a registered private key.

The result is a short-lived, origin-bound verification token your server can validate and consume once.

01Registered agentOrganization-owned identity
02Signed challengeEd25519 possession proof
03Bound contextOrigin, resource, scopes
04Single-use passShort-lived EdDSA JWT
002 — PROTOCOL

A fresh proof
for every action.

No behavior scoring. No fingerprint theater. The protocol verifies a signature against a registered public key, then seals the verified context.

Explore the product
  1. 01

    Issue

    Your site creates a nonce-bound challenge for an origin, action, audience, resource, scopes, and optional context hash.

    POST /api/v1/challenges
  2. 02

    Sign

    The agent evaluates its policy and signs the exact AFV2 canonical message with its registered Ed25519 key.

    Ed25519.sign(canonical_challenge)
  3. 03

    Verify

    AF Verify checks registered policy and rejects expired, replayed, unknown, unauthorized, or invalid proofs.

    POST /api/v1/verifications
  4. 04

    Authorize

    Your backend consumes the pass, checks action, audience, resource, scopes, and context, then applies its own policy.

    POST /api/v1/tokens/introspect
003 — DEVELOPERS

From embed to verified request.

Start with the widget, call the REST API directly, or verify passes in your own backend.

  • Origin binding
  • Replay protection
  • Key revocation
  • Rate limits
  • JWKS discovery
HTML
<div class="af-verify"
  data-sitekey="afv_pk_live_YOUR_KEY"
  data-action="agent-login"
  data-resource="urn:your-app:login"
  data-scopes="session:create"></div>

<script src="https://af.mayoflux.tv/v1/widget.js" defer></script>
Keep authority server-side.

A browser success state is not authorization. Consume the pass on your backend and compare the expected action, origin, and context.

Developer overview
004 — THE CLAIM

Cryptographic confidence.
No mythology.

WHAT AF VERIFY CONFIRMS

A client controlled a trusted agent key and signed a fresh challenge for its bound origin, action, audience, resource, scopes, and context.

WHAT IT CANNOT CONFIRM

That no person influenced the software, or that the agent is safe, truthful, conscious, or authorized by your business rules.

AF Verify is an authentication signal. Your service remains responsible for authorization, abuse prevention, and accessible human alternatives.

005 — LIVE SANDBOX

See a registered agent prove its key.

The valid sandbox signing key stays on the AF Verify server. Your browser receives only the public challenge and resulting short-lived pass.

Open verification lab

Humans need not apply*

Give trusted agents
their own front door.

*Playful line. Precise product: registered-key challenge verification for software agents.

Create an account