SIG Protocol alpha·dff0564

Trust infrastructure for the modern web

Authkeep gives organizations a cryptographic way to publish, manage, and verify relationship attestations — no proprietary registries, no vendor lock-in.

Built on first principles

SIG is designed around a small set of ideas that compose into a powerful trust layer.

Web-Native

Discovery through .well-known URLs on your domain. No registries, no sidechains, no proprietary APIs — just HTTPS.

Cryptographic

Every event is JWS-signed with Ed25519. Verification requires only the issuer's public key — no callbacks, no tokens, no shared secrets.

Append-Only

Events are never deleted or overwritten. The log is an immutable record — replay it to reconstruct state at any point in time.

Deterministic

Replay events through a pure reducer to derive current state. Same input always produces the same output, on any machine.

Core capabilities

Everything you need to issue, verify, and manage signed relationship attestations at scale.

Issuer Identity

Generate Ed25519 key pairs and publish a JWKS. Create a did:web identifier tied to your domain.

Signed Event Log

Publish relationship events as JWS-signed entries in an append-only NDJSON feed. Every entry is tamper-evident and sequenced.

Independent Verification

Consumers fetch your public JWKS and verify every signature independently. No trust in the transport — just math.

Key Rotation

Rotate signing keys without breaking existing attestations. Old events verify against old keys, new events use new ones.

Instant Revocation

Revoke any relationship by appending a signed revocation event. Consumers see the change on their next feed fetch.

Full Auditability

The append-only log is a complete audit trail. Reconstruct who had access to what at any point in time.
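The replay, revocation, and point-in-time reconstruction described above, as an added Python sketch that is not Authkeep's own code. The event field names and the sample feed are assumptions constructed for illustration, and each line is treated as a JWS payload whose signature has already been verified against the issuer's JWKS.

```python
import json

# Constructed sample feed. Field names ("seq", "type", "subject", ...) are
# assumptions for illustration; the page does not show the event schema.
# Each line stands for the payload of a JWS whose signature already verified.
SAMPLE_FEED = "\n".join([
    '{"seq": 1, "type": "upsert", "subject": "did:key:zExampleBot", "relationship_type": "agent", "roles": ["read", "write"]}',
    '{"seq": 2, "type": "upsert", "subject": "did:key:zExampleBot", "relationship_type": "agent", "roles": ["read"]}',
    '{"seq": 3, "type": "revoke", "subject": "did:key:zExampleBot"}',
])


def reduce_event(state, event):
    """Pure reducer: returns a new state dict and never mutates its input."""
    new_state = dict(state)
    if event["type"] == "upsert":
        new_state[event["subject"]] = {
            "relationship": event["relationship_type"],
            "roles": tuple(sorted(event["roles"])),
            "seq": event["seq"],
        }
    elif event["type"] == "revoke":
        new_state.pop(event["subject"], None)
    else:
        # Fail closed: an unknown event type may change meaning we cannot model.
        raise ValueError(f"unknown event type at seq {event['seq']}")
    return new_state


def replay(feed_text, upto_seq=None):
    """Replay an NDJSON feed in order, optionally stopping at upto_seq."""
    state, expected = {}, 1
    for line in feed_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["seq"] != expected:
            # A gap, repeat or reordering means the log was not served intact.
            raise ValueError(f"expected seq {expected}, got {event['seq']}")
        if upto_seq is not None and event["seq"] > upto_seq:
            break
        state = reduce_event(state, event)
        expected += 1
    return state


def check(state, subject, relationship):
    """Return 'allow' only if the subject currently holds the relationship."""
    entry = state.get(subject)
    return "allow" if entry and entry["relationship"] == relationship else "deny"
```

Calling `replay(SAMPLE_FEED, upto_seq=1)` gives the state as of the first event, while replaying the whole feed reflects the revocation.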

Built for real-world use cases

From agentic authorization to marketplace trust, SIG handles the hard parts of verifiable identity across organizational boundaries.

Agentic Authorization

Let AI agents and bots prove their relationship to an organization before accessing APIs or performing actions.

Marketplace Trust

Verify that sellers, vendors, and partners are who they claim to be with cryptographic proof of organizational relationships.

B2B Federation

Publish employee and contractor attestations that partner organizations can verify without API integrations or shared databases.

terminal
# Initialize an issuer on your domain
$ ak init-issuer --domain id.acme.com
Created .well-known/sig.json
Created .well-known/jwks.json
Created .well-known/did.json
Created .well-known/sig/events.jsonl

# Attest a relationship
$ ak append-upsert \
    --issuer "did:web:id.acme.com" \
    --subject "did:key:z6Mkf1...bot" \
    --relationship-type agent \
    --roles read,write
Appended event sequence=1

# Verify a subject
$ ak check \
    --sig .well-known/sig.json \
    --subject "did:key:z6Mkf1...bot" \
    --require relationship=agent
allow relationship=agent roles=read,write seq=1