AIdenID Documentation

Everything you need to integrate AIdenID — the site-owned clearance layer for AI-agent traffic. Decide, per request, whether agent-attributable traffic should be allowed, throttled, queued, sandboxed, denied, or priced.

What is AIdenID?

AIdenID is the clearance layer for agentic access. It gives websites a deterministic decision point in front of agent traffic: classify the actor, verify cryptographic proof when present, apply route policy, and emit one of six outcomes before the request reaches sensitive handlers.

The hard path verifies RFC 9421 HTTP Message Signatures, DPoP proofs, audience-bound session tokens, key epochs, and replay resistance. The soft path labels traffic as verified_agent, signed_agent, likely_human, suspicious_automation, or unknown without pretending to know human intent.

Around that decision layer, AIdenID still exposes supporting identity, inbox, webhook, target-registry, and resilience-testing APIs. Those surfaces exist to provide issuer identity, demo traffic, audit evidence, and controlled testing for the clearance layer; they are not the buyer story by themselves.

For site owners: mount AIdenID at the edge or origin, start in observe or shadow mode, and move sensitive routes to enforce once the verified, signed, suspicious, and unknown traffic mix is clear.

For security teams: stream OCSF-shaped decisions, Merkle-rooted audit evidence, replayable demo artifacts, and revocation events into the same evidence trail.

For agent and platform teams: bind agent identities to declared intent, allowed targets, TTLs, key epochs, budgets, and revocation leases so sites can accept useful automation without raw credential passthrough.

Core capabilities

  • Six-outcome decision ladder — Every request resolves to allow, throttle, queue, sandbox, deny, or price_required with deterministic precedence.
  • Cryptographic hard path — Verify request signatures, DPoP, exchanged session tokens, issuer key epochs, and replay windows before a strict route accepts a delegated agent.
  • Confidence-labeled soft path — Label traffic with bounded actor classes and keep policy explicit for unsigned or suspicious automation.
  • Route clearance policy — Configure observe, shadow, or enforce behavior per host, route, method, actor class, and risk tier.
  • Instant revocation — Bump session or issuer epochs and deny strict routes before grant lookup, without leaking whether a grant exists.
  • Transparency-log audit — Commit policy versions, issuer rotations, revocation epochs, decision batches, and evidence roots into Merkle-backed audit artifacts.
  • Edge and origin verifiers — Use Cloudflare, Fastly, Node, Python, or origin middleware with the same decision model and no upstream credential passthrough.
  • Live decision stream — Server-Sent Events and OCSF-shaped exports make the dashboard, SIEM, and evidence pack reflect the same request-level truth.
  • Authorized demo swarms — Drive verified, signed, suspicious, and unknown traffic through staging portals and record videos, ledgers, reports, and email-ready proof.
  • Supporting identity APIs — Scoped identities, delegated subidentities, inboxes, webhooks, and target registries remain available for agent issuer workflows and demo harnesses.
  • Enterprise controls — BYOD domains, RBAC, audit logs, tenant quotas, signed webhooks, retention policy, and rollout modes.
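
Added example, not AIdenID's SDK or code from this documentation: a Python illustration of the instant-revocation and rollout-mode behavior listed above, where epochs are checked before any grant lookup and the client cannot tell a revoked session from a missing grant. The names (Proof, Decision, decide, CURRENT_EPOCH, GRANTS), the in-memory stores, and the treatment of observe and shadow as non-blocking modes are assumptions.

```python
from dataclasses import dataclass

# Constructed sample state (assumption): a real deployment would use a shared store.
CURRENT_EPOCH = {"issuer:acme-agents": 3, "session:s-100": 1}
GRANTS = {("s-100", "/checkout")}

@dataclass(frozen=True)
class Proof:
    issuer: str
    issuer_epoch: int
    session: str
    session_epoch: int

@dataclass(frozen=True)
class Decision:
    outcome: str   # what the request actually receives
    would_be: str  # what enforce mode would have returned
    reason: str    # internal audit reason, never sent to the client

def _evaluate(proof, route, lookups):
    # 1. Epoch check first: a bumped or unknown epoch denies without touching grants.
    if (CURRENT_EPOCH.get(f"issuer:{proof.issuer}") != proof.issuer_epoch
            or CURRENT_EPOCH.get(f"session:{proof.session}") != proof.session_epoch):
        return "deny", "stale_epoch"
    # 2. Only a current-epoch proof reaches the grant store.
    lookups.append((proof.session, route))
    if (proof.session, route) not in GRANTS:
        return "deny", "no_grant"
    return "allow", "granted"

def decide(proof, route, mode="enforce", lookups=None):
    lookups = [] if lookups is None else lookups
    would_be, reason = _evaluate(proof, route, lookups)
    # observe/shadow record the counterfactual but let the request through.
    outcome = would_be if mode == "enforce" else "allow"
    return Decision(outcome, would_be, reason)

def client_view(decision):
    # Only the outcome leaves the verifier, so both denial reasons look identical.
    return {"outcome": decision.outcome}

def revoke_session(session):
    # Revocation is an epoch bump; no per-grant deletion is needed.
    CURRENT_EPOCH[f"session:{session}"] += 1
```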

Approved use cases

  • Website agent clearance — Decide which AI agents can access checkout, support, account, health, benefits, admin, or internal-tool routes.
  • Observe-to-enforce rollout — Measure actor-class mix, model counterfactual blocks, then move route policies from observe to shadow to enforce.
  • Authorized demo and staging tests — Generate reproducible evidence against customer-controlled staging targets with explicit allowlists.
  • Agent issuer interoperability — Bind signed agent identities and delegated sessions to route-level site decisions.

Launch posture: clearance-first, policy-first, audit-first. AIdenID does not automate third-party account signup or fabricate sessions outside declared authority.

Quick links

  • Quickstart: Plan your first clearance gate
  • API Reference: Supporting endpoint documentation
  • Free Tier: Legacy identity sandbox for agent prototypes
  • Human vs Agent: How identities support clearance decisions
  • Consumer API: Consumer inbox and magic-link support surface
  • Dashboard Guide: Decisions, evidence, identity, webhooks, admin
  • Core Concepts: Clearance, actor classes, policy, audit, revocation
  • Integrations: Verifiers, MCP, webhooks, realtime SSE, and more

Architecture overview

AIdenID is a multi-service clearance platform built contract-first on Next.js 15 + FastAPI + PostgreSQL 16 + Redis 7 with edge adapters, verifiers, event streams, and supporting identity/inbox infrastructure. The major surfaces:

  • Verifier hot path — deterministic cryptographic and classification checks that return a route decision without calling an LLM on the request path.
  • Control plane API — targets, grants, sessions, policies, revocation, billing, quotas, webhook endpoints, and audit controls.
  • Decision event layer — live dashboard streams, OCSF-shaped exports, signed outbound callbacks, and transparency-log commitments.
  • Demo and proof harness — authorized browser swarms, evidence scoring, videos, reports, and email-ready proof packs for staging targets.
  • Supporting identity layer — scoped identities, delegated subidentities, inboxes, lifecycle controls, and extraction APIs used by issuer and test workflows.
  • Operational governance — rollout modes, rate limits, quota guardrails, DSAR workflows, signed webhooks, and evidence retention.

All services communicate through versioned REST contracts and verifier SDK interfaces. Sites adopt AIdenID incrementally: observe first, shadow when policy is ready, enforce route by route.

Authentication

AIdenID supports three authentication models depending on your use case:

  • API keys — For control-plane, dashboard, and supporting identity integrations. Pass your key via the Authorization header with X-Org-Id and X-Project-Id headers. See the authentication guide.
  • Magic-link sessions — For human consumers. Passwordless email-based authentication. See the consumer API.
  • IP-keyed tokens — For the free tier. No signup needed. See the free tier API.

Getting help

If you need help integrating AIdenID, start with the quickstart guide. For API-specific questions, the API reference has detailed endpoint documentation with request and response examples. The dashboard guide walks through every panel in the web interface.