Overview

Authkeep implements the SIG (Signed Identity Graph) v0.1 protocol for signed relationship attestations.

What is Authkeep?

Authkeep is a Rust implementation of the SIG (Signed Identity Graph) v0.1 protocol — a web-native system for organizations to publish cryptographically signed relationship attestations and revocations.

Authkeep also operates a multi-issuer trust chain for marketplace use cases:

  • cSIG: open SIG infrastructure
  • bot.inc: first major SIG client + issuer for job outcomes and escrow-linked reputation
  • optional third-party issuers for human verification and domain-specific attestations

Organizations publish an append-only event log of signed relationship events. Consumers verify the signatures, replay the events through a deterministic reducer, and derive the current state of all relationships.

Core Concepts

Issuers and Subjects

An issuer is an organization identified by a did:web DID. Issuers publish signing keys and event feeds at well-known HTTPS endpoints.

A subject is an individual or entity that the issuer attests a relationship with. Subjects are identified by DIDs (recommended: did:key).
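The first thing a consumer does with an issuer DID is turn it into the HTTPS location it must fetch from. The following is an added example, not Authkeep's own code: it resolves a did:web identifier to the URL of its DID document according to the did:web method rules (colons in the method-specific id become path segments, a port is encoded as %3A, a bare host resolves to /.well-known/did.json). The page does not state the exact .well-known paths at which a SIG issuer's JWKS and event feed sit, so that step is deliberately left out; the input validation shows the checks a consumer should apply before dereferencing an identifier it received from an untrusted feed.

```rust
// Added example (not part of Authkeep): did:web -> DID document URL.
// Only the did:web resolution rules are implemented; the SIG-specific
// .well-known paths for keys and feeds are not given on this page.
pub fn did_web_to_url(did: &str) -> Result<String, String> {
    let id = did
        .strip_prefix("did:web:")
        .ok_or_else(|| format!("not a did:web DID: {}", did))?;
    let mut parts = id.split(':');

    // First component is the host; did:web encodes a port as %3A.
    let host = parts
        .next()
        .filter(|h| !h.is_empty())
        .ok_or_else(|| "empty host".to_string())?
        .replace("%3A", ":");
    // Reject anything that could change the meaning of the URL we build
    // (userinfo '@', path '/', query '?', fragment '#', whitespace, ...).
    if host
        .chars()
        .any(|c| !(c.is_ascii_alphanumeric() || ".-:".contains(c)))
    {
        return Err(format!("unsafe host: {}", host));
    }

    // Remaining components become path segments; refuse traversal and
    // delimiter characters so a hostile DID cannot redirect the lookup.
    let segs: Vec<&str> = parts.collect();
    for s in &segs {
        if s.is_empty() || *s == "." || *s == ".." || s.contains(['/', '?', '#', '@']) {
            return Err(format!("unsafe path segment: {:?}", s));
        }
    }

    // Always https; did:web never resolves over plain http.
    Ok(if segs.is_empty() {
        format!("https://{}/.well-known/did.json", host)
    } else {
        format!("https://{}/{}/did.json", host, segs.join("/"))
    })
}

fn main() {
    // Constructed inputs, not real issuers.
    for did in [
        "did:web:example.com",
        "did:web:example.com%3A8443:issuers:acme",
        "did:web:example.com:..:etc",
        "did:key:z6MkExample",
    ] {
        println!("{} -> {:?}", did, did_web_to_url(did));
    }
}
```

A consumer that fetches the resulting URL should additionally pin HTTPS certificate validation on and treat the host in the DID, not any redirect target, as the identity being verified.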

Events

The protocol defines two event types:

  • relationship.upsert — creates or updates a relationship (employee, contractor, advisor, etc.)
  • relationship.revoke — revokes a previously attested relationship

Events are signed with Ed25519 keys using JWS JSON Flattened Serialization and appended to an NDJSON feed.

Deterministic State

Consumers replay verified events in sequence order through a deterministic reducer, so any two consumers that see the same feed derive the same relationship state. Each relationship is active, revoked, or expired.
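The replay step described in the overview and again here is where a consumer turns a feed into answers. Below is an added example of such a reducer, written for this page and not taken from Authkeep's crates. It assumes signature verification and NDJSON/JWS decoding have already happened, so events arrive as decoded payloads; the field names (seq, rel_id, subject, expires_at) and the rule that seq must be contiguous are assumptions, not the SIG wire format. It shows the two failure modes a practitioner cares about: a gap or replay in the sequence, and a revoke that names a relationship the feed never attested. Both are hard errors rather than skipped lines, because a consumer that keeps going past them would compute state the issuer never signed.

```rust
// Added example (not Authkeep's reducer): replay decoded, already-verified
// relationship events in feed order and derive per-relationship state.
use std::collections::BTreeMap;

#[derive(Clone, Debug, PartialEq)]
pub enum EventKind {
    Upsert { role: String, expires_at: Option<u64> }, // relationship.upsert
    Revoke,                                           // relationship.revoke
}

#[derive(Clone, Debug)]
pub struct Event {
    pub seq: u64,        // assumed: position in the issuer's append-only feed
    pub rel_id: String,  // assumed: identifier of the relationship
    pub subject: String, // subject DID, e.g. did:key:...
    pub kind: EventKind,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Status { Active, Revoked, Expired }

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Relationship {
    pub subject: String,
    pub role: String,
    pub expires_at: Option<u64>, // unix seconds; None = no expiry
    pub revoked: bool,
    pub last_seq: u64,           // seq of the event that last touched this record
}

impl Relationship {
    /// Status is evaluated at a caller-supplied instant, so the same derived
    /// state gives every consumer the same answer for the same "now".
    pub fn status_at(&self, now: u64) -> Status {
        if self.revoked { return Status::Revoked; }
        match self.expires_at {
            Some(t) if now >= t => Status::Expired,
            _ => Status::Active,
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum ReduceError {
    /// A gap or repeated seq means the feed was truncated, reordered or
    /// tampered with between issuer and consumer.
    BadSequence { expected: u64, got: u64 },
    /// Revoking something never attested is a malformed feed, not a no-op.
    RevokeOfUnknown { rel_id: String, seq: u64 },
}

pub fn reduce(events: &[Event]) -> Result<BTreeMap<String, Relationship>, ReduceError> {
    let mut state: BTreeMap<String, Relationship> = BTreeMap::new();
    let mut expected = 1u64;
    for ev in events {
        if ev.seq != expected {
            return Err(ReduceError::BadSequence { expected, got: ev.seq });
        }
        expected += 1;
        match &ev.kind {
            EventKind::Upsert { role, expires_at } => {
                // An upsert after a revoke re-establishes the relationship;
                // that is an explicit, signed decision by the issuer.
                state.insert(ev.rel_id.clone(), Relationship {
                    subject: ev.subject.clone(),
                    role: role.clone(),
                    expires_at: *expires_at,
                    revoked: false,
                    last_seq: ev.seq,
                });
            }
            EventKind::Revoke => match state.get_mut(&ev.rel_id) {
                Some(rel) => { rel.revoked = true; rel.last_seq = ev.seq; }
                None => return Err(ReduceError::RevokeOfUnknown { rel_id: ev.rel_id.clone(), seq: ev.seq }),
            },
        }
    }
    Ok(state)
}

/// Constructed sample feed (not a real issuer's data): one relationship that
/// is later revoked, one that carries an expiry.
pub fn sample_feed() -> Vec<Event> {
    let ev = |seq: u64, rel_id: &str, subject: &str, kind: EventKind| Event {
        seq, rel_id: rel_id.into(), subject: subject.into(), kind,
    };
    vec![
        ev(1, "rel-alice", "did:key:z6MkAlice", EventKind::Upsert { role: "employee".into(), expires_at: None }),
        ev(2, "rel-bob", "did:key:z6MkBob", EventKind::Upsert { role: "contractor".into(), expires_at: Some(1_700_000_000) }),
        ev(3, "rel-alice", "did:key:z6MkAlice", EventKind::Revoke),
    ]
}

fn main() {
    let state = reduce(&sample_feed()).expect("feed replays cleanly");
    for (id, rel) in &state {
        println!("{}: {} as {} -> {:?}", id, rel.subject, rel.role, rel.status_at(1_700_000_100));
    }
}
```

Expiry is decided at query time from the stored expires_at rather than being written into the state at replay time; that keeps the reducer a pure function of the feed and avoids baking the replaying machine's clock into the derived state.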

Architecture

Authkeep is a Rust workspace with seven crates:

  Crate            Purpose
  authkeep-core    Data model, validation, and state reducer
  authkeep-jose    JWS signing, verification, and JWK/JWKS handling
  authkeep-server  Issuer-side operations (init, append, key rotation)
  authkeep-client  Consumer-side operations (verify, check, state derivation)
  authkeep-cli     Command-line interface wrapping all operations
  authkeep-api     HTTP API for check/verify/dump-state operations
  authkeep-web     Reference web UI server for challenge/attestation verification

Design Principles

  • Verifiable — cryptographic signatures with public key discovery
  • Revocable — relationship changes are explicit, signed events
  • Web-native — .well-known URLs, HTTPS, JSON, JWKS
  • Minimal — small surface area that solves a real problem
  • Easy to implement — especially in Rust, but portable to any language

Planning