For developers

Agent traffic
without the spam.

You spent the money on GEO.
The agent found you. Now what?

AgentKeychain signs every agent request and ties it to a real OAuth owner. Welcome the agents that showed up for your users. Revoke the ones that didn’t.

POST /oauth/token → userinfo
Agent session · 200 OK · application/json · OIDC
  actor_type: agent
  sub: agent_7f3b9c8d2e1f0a5b
  agent_name: OpenClaw
  owner:
    email: maddy@limehouse.io
    email_verified: true
    oauth: google
scope: openid profile owner:emailVerified

The problem

Your stack sees users.
Agents don’t look different.

Agents don’t announce themselves. They authenticate with their owner’s Google account, complete your signup flow, and call your API with a key that belongs to a real user. Everything looks normal. Your auth stack has no signal to tell them apart.

GET /auth/callback
owner's OAuth token
Looks like: human login

POST /signup
email + password
Looks like: new account

GET /api/v1/data
owner's API key
Looks like: user request

No actor_type. No agent claim. No way to know.

The wrong question
❌ Block all bots → legitimate agents bounce
❌ Allow all agents → spam gets through
❌ Captcha → AI solves it, users hate it
❌ Fingerprint → proxies make it unreliable
“Human or bot?” is the wrong question

Why bot walls miss

Captchas ask the wrong question.

Every bot wall on the market asks the same thing: is this a human? That race is getting harder to win. AI solves captchas, residential proxies fool fingerprinting, and even when it works, you’ve just blocked an agent your user sent.

The right question isn’t “human or bot?” It’s “is there a real person behind this, and can I hold them accountable?”

Every agent · one human
Agent → owner_id → OAuth account
✓ Real OAuth identity
✓ Verified email on file
✓ One human, many agents
✓ Revocable per agent or per owner

The answer

Accountability, not detection.

AgentKeychain issues every agent a signed identity tied to a real OAuth owner. The agent shows up as itself — not as its user. You get an actor_type claim, an owner chain, and something to revoke.

One abuse report takes out every agent that owner controls. Spin up a new one and we know it’s the same human. Spam farm economics collapse.

How it works

Drop-in OAuth. Nothing exotic.

AgentKeychain implements OpenID Connect. If your stack already speaks OIDC — Auth0, Clerk, NextAuth, WorkOS, plain OAuth — adding agent sign-in is a new provider entry. No SDK lock-in.

Request the scopes you need and you get a userinfo payload with both the agent and its human owner — enough to link an agent session to an existing user account in your database.

  • Discovery at /.well-known/openid-configuration
  • Authorization code + PKCE
  • Signed ID tokens with agent + owner claims
  • Refresh tokens for long-running sessions

userinfo response:
{
  "sub":          "agent_7f3b9c8d2e1f0a5b",
  "agent_name":   "OpenClaw",
  "actor_type":   "agent",

  "owner": {
    "sub":        "user_e14a0b92",
    "email":      "maddy@limehouse.io",
    "email_verified": true,
    "name":       "Maddy Nakada",
    "oauth_provider": "google"
  },

  "scopes":       ["openid", "profile", "owner:email"],
  "issued_at":    "2026-04-14T18:22:03Z"
}

For high-trust surfaces

Need more assurance? Add ID verification.

OAuth is enough for most products. For fintech, marketplaces, and regulated APIs where it isn’t, AgentKeychain layers Persona-grade human verification on any owner — ID document, liveness check, the full KYC stack. Same OIDC flow, one extra claim.

owner claims · verified tier (KYC)
  email_verified: true
  oauth_provider: google
  id_verified: true
  id_document: passport · US
  liveness_check: passed
  verified_at: 2026-04-10
opt-in per scope · priced per verification

Quickstart

Three steps to agent-aware auth.

If you already have an OIDC-capable auth stack, this is a config change, not a rewrite.

01

Register your app

Create a client in the AgentKeychain dashboard. You get a client_id, client_secret, and a redirect URI allowlist — same as any OIDC provider.

02

Add the provider

Point your auth library at https://agentkeychain.com/.well-known/openid-configuration. Request openid, profile, and whichever owner:* scopes you need.

03

Branch on actor_type

Read actor_type and owner from the userinfo payload. Link agent sessions to existing human accounts, and gate the routes that need a human on the other end.
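
One way to implement step 03 in Node.js, as an added example that is not AgentKeychain's own code. It assumes your OIDC library has already validated the token and fetched userinfo; the claim names come from the userinfo payload shown above, while the stores, function names and the "human" session marker are hypothetical.

```javascript
// Added example. Claim names follow the userinfo payload printed on this page.
// usersByEmail, revokedAgents, revokedOwners and both function names are
// hypothetical stand-ins for your own user table and denylists.
function resolveAgentSession(userinfo, { usersByEmail, revokedAgents, revokedOwners }) {
  const owner = userinfo && userinfo.owner;
  // Fail closed: anything without the documented agent shape is rejected.
  if (!userinfo || userinfo.actor_type !== "agent" || typeof userinfo.sub !== "string") {
    return { ok: false, reason: "not_an_agent_payload" };
  }
  if (!owner || typeof owner.sub !== "string") {
    return { ok: false, reason: "missing_owner" };
  }
  // Revocation is per agent or per owner; an owner ban covers every agent they run.
  if (revokedOwners.has(owner.sub)) return { ok: false, reason: "owner_revoked" };
  if (revokedAgents.has(userinfo.sub)) return { ok: false, reason: "agent_revoked" };

  // Link by email only when it is asserted as verified; otherwise an
  // unverified address could attach an agent to someone else's account.
  let linkedUserId = null;
  if (owner.email_verified === true && typeof owner.email === "string") {
    linkedUserId = usersByEmail.get(owner.email.toLowerCase()) ?? null;
  }
  return {
    ok: true,
    session: { actorType: "agent", agentSub: userinfo.sub, ownerSub: owner.sub, linkedUserId },
  };
}

// Route gate: human-only routes admit only sessions your own login marked
// "human" (an assumed marker, not an AgentKeychain claim), so they fail closed.
function canAccess(route, session) {
  if (!session) return false;
  if (route.humanOnly && session.actorType !== "human") return false;
  return true;
}

// Constructed sample data, based on the payload printed on this page.
const sampleUserinfo = {
  sub: "agent_7f3b9c8d2e1f0a5b", agent_name: "OpenClaw", actor_type: "agent",
  owner: { sub: "user_e14a0b92", email: "maddy@limehouse.io", email_verified: true },
};
const sampleStores = {
  usersByEmail: new Map([["maddy@limehouse.io", "local_user_42"]]),
  revokedAgents: new Set(),
  revokedOwners: new Set(),
};
```

Store ownerSub on the session even when no local account is linked, so a later abuse report can be applied to every agent that owner controls.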

Start building

Stop fighting agents. Start onboarding them.

Free during early access. No credit card. Production-ready OIDC endpoints from day one.