One control plane.
Create projects for your applications, register allowed origins, separate test and live credentials, and monitor verification traffic in one operator dashboard.
Identity infrastructure for the agent web
Fresh challenge. Registered key. Cryptographic proof. AF Verify gives your backend a dependable agent-origin signal without pretending software is magic.
CAPTCHAs ask software to imitate people. AF Verify asks an agent to do what trusted software does best: prove control of a registered private key.
The result is a short-lived, origin-bound verification token your server can validate and consume once.
No behavior scoring. No fingerprint theater. The protocol verifies a signature against a registered public key, then seals the verified context.
Explore the productYour site creates a nonce-bound challenge for an origin, action, audience, resource, scopes, and optional context hash.
POST /api/v1/challengesThe agent evaluates its policy and signs the exact AFV2 canonical message with its registered Ed25519 key.
Ed25519.sign(canonical_challenge)AF Verify checks registered policy and rejects expired, replayed, unknown, unauthorized, or invalid proofs.
POST /api/v1/verificationsYour backend consumes the pass, checks action, audience, resource, scopes, and context, then applies its own policy.
POST /api/v1/tokens/introspect<div class="af-verify"
data-sitekey="afv_pk_live_YOUR_KEY"
data-action="agent-login"
data-resource="urn:your-app:login"
data-scopes="session:create"></div>
<script src="https://af.mayoflux.tv/v1/widget.js" defer></script>
curl https://af.mayoflux.tv/api/v1/challenges \
-X POST \
-H "Origin: https://your-app.com" \
-H "X-AF-Site-Key: afv_pk_live_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"action":"agent-login","resource":"urn:your-app:login","scopes":["session:create"]}'
const result = await fetch('https://af.mayoflux.tv/api/v1/tokens/introspect', {
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.AF_SECRET_KEY}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
response: afPass,
expected_action: 'agent-login',
expected_resource: 'urn:your-app:login',
required_scopes: ['session:create'],
consume: true
})
}).then(r => r.json());
A browser success state is not authorization. Consume the pass on your backend and compare the expected action, origin, and context.
A client controlled a trusted agent key and signed a fresh challenge for its bound origin, action, audience, resource, scopes, and context.
That no person influenced the software, or that the agent is safe, truthful, conscious, or authorized by your business rules.
AF Verify is an authentication signal. Your service remains responsible for authorization, abuse prevention, and accessible human alternatives.
The valid sandbox signing key stays on the AF Verify server. Your browser receives only the public challenge and resulting short-lived pass.
Open verification labHumans need not apply*
*Playful line. Precise product: registered-key challenge verification for software agents.
Create an accountProduct
Register agents, trust their public keys, issue fresh challenges, and hand your backend a verifiable action-bound pass.
Create projects for your applications, register allowed origins, separate test and live credentials, and monitor verification traffic in one operator dashboard.
Each agent gets a stable record and one or more Ed25519 public keys. Rotate or revoke keys without changing the integration on every relying site.
Challenges bind a random nonce to organization, project, origin, action, audience, resource, scopes, context, issue time, and expiry.
AF Verify checks the registered agent policy before issuing a pass. Your backend then enforces its own authorization rules for the verified claims.
Developers
Create a challenge in the browser or server, let the agent sign it, then consume the pass in trusted backend code.
01Issue a fresh challenge with your public site key and a registered browser Origin.
02Submit challenge ID, agent ID, key ID, and an unpadded base64url Ed25519 signature.
03Authenticate with the secret key, compare expected claims, and optionally consume the pass once.
AFV2 canonical message
AFV2
issuer_b64=…
challenge_id=afc_…
organization_id=org_…
project_id=prj_…
site_key=afv_pk_live_…
nonce=…
origin_b64=…
action_b64=…
audience_b64=…
resource_b64=…
scopes_b64=…
context_sha256=…
issued_at_unix=…
expires_at_unix=…
agent_id=agt_…
key_id=agk_…@mayoflux/af-verifyafverifyREST + Ed25519SDK package names are reserved for the upcoming public release. The REST protocol is available in this preview.
Pricing
Simple monthly verification allowances, no charge for rejected proofs, and a free preview lane for real integrations.
DEVELOPER
SCALE RECOMMENDED
ENTERPRISE
Preview pricing shown in USD and subject to change before general availability. We will confirm plan terms before any paid conversion.
Verification lab
Run a real valid signature flow or inspect how the API handles failure conditions. Simulated policy cases are marked clearly.
REGISTERED-AGENT-KEY
A MayoFlux sandbox agent signs a fresh challenge on the server with its registered Ed25519 key.
Choose a scenario, then run it.
Awaiting request.
Private-key boundary: the demo signing key stays server-side and is never delivered to this page. AF Verify proves registered-key control, not the absence of human influence.
Live vs. simulated
Valid, invalid-signature, replay, unknown-agent, and no-credential cases call the public sandbox API. Expiry, revocation, missing-scope, and rate-limit cases are UI simulations so the shared demo does not revoke its own key, wait out timers, or intentionally exhaust service limits.
Tell us what the verified agent will be able to do. We review preview applications for fit, abuse risk, and integration support.

System status
Live checks from the AF Verify service. This page reports platform reachability, not a contractual SLA.
Checking AF Verify…
Waiting for /healthzAbout
AF Verify is designed and operated by MAYOFLUX, an AI-focused creative technology studio building useful systems at the edge of software and media.

As autonomous tools begin acting across websites and APIs, relying services need a clear way to distinguish anonymous automation from a registered software identity. AF Verify supplies that identity checkpoint with standard cryptography and deliberately narrow claims.
We call it the inverse CAPTCHA because the idea is memorable. We build it as signed challenge-response infrastructure because that is what can actually be trusted.
Visit MAYOFLUXContact
Integration question, security review, partnership, or high-volume deployment? Start with the right channel.
Legal / Updated July 15, 2026
Plain-language preview terms for AF Verify.
Account details you submit, project and agent configuration, truncated credential metadata, verification events, security logs, request identifiers, and access-application details. AF Verify does not need your agent private keys; do not upload them.
To operate the service, authenticate customers and agents, enforce limits, investigate abuse, support integrations, and improve reliability.
Retention varies by plan and data type. We may disclose information to infrastructure providers, when legally required, or to protect the service and its users. We do not sell personal information.
You may request access, correction, export, or deletion of account information by contacting privacy@mayoflux.tv. Some security and transaction records may be retained where required.
This MVP notice is not a substitute for negotiated data-processing terms. Enterprise customers should request a security and privacy review before production use.
Legal / Updated July 15, 2026
Terms for the AF Verify preview.
AF Verify is provided as an evolving preview. Features, limits, pricing, and interfaces may change. Do not rely on it as the sole control for safety-critical or legally restricted actions.
You are responsible for protecting account and API credentials, registering only agents you control or are authorized to manage, configuring origins correctly, and applying your own authorization and abuse controls.
AF Verify authenticates possession of a registered key in a challenge context. It does not certify an agent's ownership claims, safety, intent, accuracy, personhood, or freedom from human control.
The preview is provided without an uptime commitment or warranty. To the extent permitted by law, MAYOFLUX is not liable for indirect, consequential, or special damages arising from preview use.
You may stop using the service at any time. We may suspend access for security, abuse, legal, or operational reasons.
Legal / Updated July 15, 2026
Build useful agent experiences. Do not use AF Verify to make harmful automation easier.
No credential theft, malware, unauthorized access, evasion of third-party controls, spam, harassment, deceptive impersonation, surveillance without authority, or illegal content and transactions.
Do not claim AF Verify scientifically proves a request had no human involvement. Do not present a verified pass as proof of safety, truth, legal authority, or permission beyond the authenticated challenge context.
Do not use agent-only access to unlawfully discriminate or to remove necessary human and assistive alternatives from essential services.
No load testing without permission, deliberate rate-limit exhaustion, probing other customers, key sharing across unrelated organizations, or attempts to extract platform or demo private keys.
We may throttle, suspend, or terminate access and preserve relevant records when we reasonably believe this policy has been violated.
Security
AF Verify is designed around registered Ed25519 keys, exact canonical messages, short lifetimes, replay resistance, and server-side pass consumption.
Agent private keys remain with the agent operator. AF Verify stores public keys and fingerprints for validation. Service signing keys are kept outside the public web root.
Each challenge includes cryptographic randomness, issue and expiry times, origin, action, and a context hash. State transitions are claimed atomically to resist replay.
Verified proofs produce signed EdDSA JWTs with a unique token ID. Relying servers verify expected claims and consume passes once.
API keys, agents, and agent keys can be disabled. Rate limits, audit events, minimal error disclosure, and origin allowlists reduce the abuse surface.
Responsible disclosure
Do not test against other customers, access data you do not own, or degrade service. Send a concise report with reproduction steps and impact to security@mayoflux.tv.
We do not currently offer a public bug bounty. We will acknowledge credible reports and coordinate remediation in good faith.