?whatcanido
Open Studio
02 / identity

One key, every door.

AAM ID hands an agent a single JWKS-pinned credential at consent. Every site on the network verifies it locally — no phone-home, no platform between you and the agent. The contract is just the JWT shape and a public JWKS endpoint.

A user signs in once with Google. The platform mints an RS256 JWT scoped to this agent vendor, this scope, for this hour. The agent carries the JWT around as a bearer token; sites verify it locally against a JWKS they cached yesterday.

01how a key is cut

Five steps, one round-trip per vendor + scope.

  1. 01
    Agent rings.
    Requests permission to act on the user's behalf for a named scope.
    GET /id/connect
  2. 02
    User signs in.
    One-page consent screen at /id/connect — scopes named, agent vendor named, expiry shown.
    Google · OIDC
  3. 03
    Platform engraves the tag.
    RS256 JWT signed with a key whose public half is published at /.well-known/aam-jwks.json.
    RS256 · 1h
  4. 04
    Agent presents the JWT.
    Reuses it across every AAM-aware site for the lifetime of the token.
    Bearer
  5. 05
    Site verifies, alone.
    Cached JWKS, RSA verify, scope check. The issuer is never on the request path.
    verify local
02federation, not chokepoint

We stay out of the way.

A federation that calls home on every request is a chokepoint with extra steps. Sites pull the JWKS once, cache for a day, verify with their own CPU. That is what makes AAM ID open: anyone can run their own issuer, the contract is just the JWT shape and the JWKS endpoint.

verify locally
# what the site does on each call
1. read Authorization header
2. decode JWT header, find kid
3. look up public key in cached JWKS
4. verify signature, exp, scope
5. run the action
03JWT shape
decoded JWT payload · RS256 · aam-id v0.1
{
  "iss": "https://whatcanido.dev",
  "sub": "sha256(user@example.com)",
  "aud": "whatcanido-tenant:tadeas-reads",
  "iat": 1746360000,
  "exp": 1746363600,
  "agent_vendor": "anthropic-claude-3.7",
  "scopes": ["write:books"],
  "email_verified": true
}

The sub is a hashed email. Sites recognise repeat visitors without ever knowing the real address. Public keys live at /.well-known/aam-jwks.json on the issuer domain.

04trust travels

Sites can write a small note back to the issuer at /api/aam-id/track when an action goes well. Other sites query /api/aam-id/reputation/<hash> before deciding how generous to be with a first-time visitor. Good actors earn rooms across the whole network.

try the consent flow

Cut a key in under a minute.

The consent screen lives at /id/connect. Long-form spec at /spec/identity.

Try the consent flowRead the spec