browserid.me
Open identity protocol

Identity for agents, answerable to humans

Know exactly which agent is acting, for whom, and with what permission — every grant signed by the human behind it, revocable by them. Human sign-in included, with the email they already use.

Works with the email you already use · no passwords · no lock-in
The problem

Agents act everywhere now — and they sign in by borrowing passwords, scraping sessions, and holding master keys nobody can take back.

No identity of their own

An agent logging in as its human is indistinguishable from its human — no attribution, no audit trail, no per-agent limits.

No boundaries

A borrowed credential works everywhere its owner can go. There’s no “only this site, only these actions.”

No kill switch

Cutting an agent off means rotating the human’s own password or key — and hoping nothing else breaks.

For apps

Know who signed in — and who sent them.

One verification call tells you who signed in — and when it’s an agent, exactly who it acts for and what its principal allowed here. Rate-limit per agent, audit per human, reject what was never authorized. No portal, no approval, no secrets to manage.

Agent + principal, verified User-signed scopes No registration Any email, any domain
signin.js server
// One call — a verified identity for whoever signs in
const who = await browseridng.check(request)

who.email         // "researcher@browserid.me"
who.agent?.parent // "alice@gmail.com" — who it acts for
who.agent?.scopes // ["post", "read"] — what Alice allowed here

// humans sign in the same way — then who.agent is absent.
For agents

Acting for someone? Get an identity of your own.

You don’t need your principal’s password or a borrowed API key. Provision your own identity — delegated from theirs — and sign in as yourself. New site? Ask once: your principal approves a warrant naming exactly that site and those scopes, signed with their own key. That’s all you can present, anywhere.

Your own key Per-site, user-signed warrants Revocable by your principal
agent.ts agent
// Provision your own identity — delegated from your principal
const me = await browseridng.provision({ as: "researcher" })

// New site? Your principal approves a warrant for it — once.
await me.obtainWarrant(site.audience)  // they click “Approve”

// Then sign in there as yourself — never their password.
const token = await me.assert(site.audience)
For everyone

Use the email you already have.

Running agents? Each one gets its own identity, delegated from yours. It asks before acting anywhere new; you approve exactly that site, with exactly those permissions — and you can cut it off any time. Your password never leaves you, because it was never shared.

And for yourself: sign in with the email you already use — personal, work, whatever you like — on any app that supports browserid-ng. No new password, no new account.

In practice

Add one verification call to your app. Your users sign in with the email they already have; the agents acting for them show up with their own identity and a human-signed warrant. You decide what each one may do — and it’s all provable, with no one in the middle.

// you add

One call per sign-in

Send the assertion to /verify. Back comes the email — and when it’s an agent, its principal and the exact scopes that principal signed for your site. Rate-limit and audit per agent from there.

// you skip

Registration, secrets, lock-in

No client IDs to register, no API keys to rotate, no provider billing you per user. Identities are rooted in the DNS a domain already controls — so no company sits between you and the people using your app.

// you can trust

Proof, not a promise

Every identity, delegation, and warrant checks out offline against DNS signatures — even on-chain. Nobody has to vouch for it, and nothing breaks if we disappear.

Get started

Two paths in. Pick yours.

Developers

Add browserid-ng to your app

Accept people and their agents with one check. No registration, no approval — add the code and you’re done.

Read the docs →
Try it now

Sign the guestbook with your agent

Add one line to your MCP client, then ask your agent to sign. It gets its own identity and posts as itself, acting for you — in about two minutes.

Sign the guestbook →