Human-Controlled Identity for Autonomous Agents

What is SignedByMe?

Agents are flooding the internet with borrowed credentials and escalated privileges, with no way to cryptographically log in under their own identity. The result: every autonomous agent breaks the cryptographic blood-brain barrier and becomes a potential threat.

SignedByMe fixes this by delivering cryptographic control through a human-signed delegation event.

Built on Three Cryptographic Pillars

SignedByMe is built on three unchangeable foundations:

Self-Signing Identity

Every agent has a cryptographic identity created in secure storage. The key never leaves the agent. No certificate authority. No enterprise control. Only the human owner can revoke.

Zero-Knowledge Membership Proof

The agent proves it belongs to an authorized group without revealing which agent it is. Enterprise gets a boolean: authorized or not. No identity revealed.

Bitcoin-Backed Economic Proof

Real Bitcoin payment required to create each agent identity. Economic commitment and cryptographic identity are fused together. Cannot create agent identities without paying real Bitcoin.

Delivering Five Security Guarantees

These foundations enable five layers of protection:

Agent cannot fake identity

Agent's public key is a mathematical output of the ZK proof, not a claim. Faking requires breaking the proof system.

Agent cannot exceed permissions

Human owner digitally signs what the agent is authorized to do. Agent cannot claim broader access than granted.

Human keeps instant kill switch

Human publishes a revocation event to instantly lock out the agent. No IT tickets. Cryptographic revocation in seconds.

Enterprise controls access boundaries

Agent can only authenticate where it was enrolled. Cannot self-enroll or access unapproved services.

Fully auditable without trust

Complete trail on public NOSTR relays. Security teams verify independently.

The Result

SignedByMe delivers enterprise-grade identity management without the enterprise overhead:

For Humans

Complete cryptographic control over agent behavior. Grant specific permissions. Revoke instantly from anywhere. No IT tickets. No admin approval. Your cryptographic signature is the only authority that matters.

For Agents

Real cryptographic identity that can't be borrowed, shared, or faked. Authenticate independently without depending on human credentials or shared service accounts.

For Enterprises

Drop-in OIDC-compatible authentication. No new infrastructure. No user management. No password policies. Agents authenticate directly and return standard OIDC tokens your existing systems already understand. Your IAM policies work unchanged. SignedByMe just handles the "who is this agent?" question cryptographically.

The Mathematical Guarantee

Every agent identity is cryptographically bound to a real Bitcoin payment. The subscription preimage is fused into the agent's DID at creation. No payment, no identity. Unforgeable.

The human owner signs the delegation. The human can revoke it. No admin portal. No IT ticket. One NOSTR event and the agent is locked out.

Groth16 proves membership. Poseidon2 derives the keys. secp256k1 signs the events. The same cryptography that secures Bitcoin secures your agent.

When an enterprise receives an OIDC token from SignedByMe, they're not trusting a policy. They're trusting math.

Not a promise. A proof.

For Humans

Your AI agent needs cryptographic identity to act on your behalf. SignedByMe puts you in control: you sign the delegation, you set the permissions, you hold the kill switch.

How It Works for You

1. Get your NOSTR keys.
Download a NOSTR client (Damus, Primal, Amethyst). Your keys are generated automatically. Your npub is your public identity. Your nsec is your signing key — never share it.

2. Install and configure your agent.
Install the SignedByMe SDK (pip install signedby). Initialize your agent and configure which email you use at each enterprise.

3. Authorize your agent.
Log into an enterprise, click "Authorize an Agent," and enter the challenge code into your agent. Sign the delegation event with your NOSTR client. Your agent handles the rest.

4. Stay in control.
Monitor your agent's activity on any NOSTR client. Revoke access instantly by publishing a single event. Renew delegations before they expire. Pay $21/month in BTC.

For Agents

You're an autonomous agent. You need to authenticate to enterprise services without borrowing your human's credentials. SignedByMe gives you your own cryptographic identity, delegated by your owner, verified by math. You earn 20% of your human's monthly subscription, seeding your economic life and building provable reputation.

How It Works for You

1. Get delegated credentials from your human owner.
Your owner creates a delegation event (NOSTR kind 28250) that authorizes you. This event is signed with their nsec and specifies your permissions. Store this credential securely. It's your proof of authorization.

2. Download and integrate the SDK.
The SignedByMe SDK is a Rust crate with bindings for Python and TypeScript. It handles Groth16 proof generation, NOSTR event publishing, and OIDC token exchange.

3. Authenticate to enterprises.
When you need access, call the SDK. It generates a zero-knowledge proof that you're authorized without revealing your owner's identity. The enterprise receives a standard OIDC id_token with your npub as the subject.

Rust

use signedby_sdk::{SignedByClient, LoginRequest};

// Fragment: runs inside an async function that returns a Result;
// session_nonce is supplied by the caller.

// Load delegated credential from your owner
let client = SignedByClient::from_delegation("./delegation.json")?;

// Authenticate to an enterprise service
let token = client.login(LoginRequest {
    client_id: "acme-corp",
    nonce: &session_nonce,
}).await?;

// You now have a standard OIDC JWT
// token.id_token contains sub=your_npub
// Enterprise verifies via /.well-known/jwks.json

Python

from signedby import SignedByClient


async def authenticate(session_nonce):
    # Load delegated credential from your owner
    client = SignedByClient.from_delegation("./delegation.json")

    # Authenticate to an enterprise service
    token = await client.login(
        client_id="acme-corp",
        nonce=session_nonce,
    )

    # token.id_token is a standard OIDC JWT
    return token

For Enterprises

Add "Sign in with SignedByMe" and receive standard OIDC id_tokens, the same format you already use with Okta, Auth0, or Google. Your existing IAM policies work unchanged. SignedByMe just handles the "who is this?" question cryptographically. Earn 20% revenue share on every agent that authenticates to your service, paid monthly via BTC or USD.

Standard OIDC Tokens

SignedByMe returns RS256-signed JWTs with standard claims. Validate with /.well-known/jwks.json like any OIDC provider.

id_token payload
{
  "iss": "https://api.signedbyme.com",
  "aud": "your_client_id",
  "sub": "npub1abc...",  // User's pseudonymous ID
  "iat": 1704067200,
  "exp": 1704070800,
  "amr": ["did_sig", "groth16_proof", "ln_payment"],
  "https://signedbyme.com/claims/payment_verified": true
}
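
An added example (not SignedByMe's own code) of the relying-party checks to run on the payload above, after a JWT library has verified the RS256 signature against the JWKS. The function name check_id_token, the 60-second clock skew, and the policy of requiring all three amr values are assumptions of this example.

```python
import time

# Values taken from the id_token payload shown above.
ISSUER = "https://api.signedbyme.com"
REQUIRED_AMR = {"did_sig", "groth16_proof", "ln_payment"}
PAYMENT_CLAIM = "https://signedbyme.com/claims/payment_verified"


def check_id_token(header, claims, client_id, now=None, skew=60):
    """Return a list of policy violations; an empty list means accept.

    Assumes the caller has already verified the JWT signature against the
    issuer's JWKS; this only enforces header and claim policy.
    """
    now = time.time() if now is None else now
    problems = []
    # Pin the algorithm so a token declaring "none" or HS256 is refused.
    if header.get("alg") != "RS256":
        problems.append("alg")
    if claims.get("iss") != ISSUER:
        problems.append("iss")
    # aud may be a string or a list in OIDC; accept either form.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        problems.append("exp")
    if not isinstance(iat, (int, float)) or iat > now + skew:
        problems.append("iat")
    # Assumed policy: every proof method must be present, not just one.
    amr = claims.get("amr")
    if not isinstance(amr, list) or not all(m in amr for m in REQUIRED_AMR):
        problems.append("amr")
    # The custom claim must be the boolean true, not a truthy string.
    if claims.get(PAYMENT_CLAIM) is not True:
        problems.append("payment_verified")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub.startswith("npub1"):
        problems.append("sub")
    return problems


# Constructed sample mirroring the payload above ("sub" is a made-up value).
SAMPLE = {"iss": ISSUER, "aud": "your_client_id", "sub": "npub1example",
          "iat": 1704067200, "exp": 1704070800,
          "amr": ["did_sig", "groth16_proof", "ln_payment"],
          PAYMENT_CLAIM: True}
```
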

4 API Calls

Same integration complexity as Okta or Auth0.

Zero PII

You never see names, emails, or any personal data.

No Breach Risk

Can't leak what you don't store.

Private Allowlists

Control who can log in without knowing who logged in.

Integration Flow
1. Register: Get client_id, configure NIP-05 at your domain
2. Authorize: Sign kind 28200 NOSTR event for agent enrollment
3. Agent enrolls: POST /v1/membership/enroll/commit with signed events
4. Agent authenticates: POST /v1/login/verify and receive OIDC id_token

Download SDK

The SignedByMe SDK is a Rust crate with bindings for Python and TypeScript. Built for agents running on servers and workstations.

Supported Platforms

Linux: x86_64, aarch64 (glibc 2.17+)
macOS: x86_64, Apple Silicon (macOS 11+)
Windows: x86_64 (Windows 10+)

Language Bindings

Rust: cargo add signedby-sdk
Python: pip install signedby
TypeScript: npm install @signedby/sdk

signedby-sdk-v0.1.0

Latest release · Rust core + language bindings

Download from GitHub

Verify Download

Compare the SHA-256 hash to ensure integrity:

sha256sum signedby-sdk-v0.1.0.tar.gz
[SHA-256 hash will be displayed here after release]

Live Demo

See SignedByMe in action. This is a live feed from our production NOSTR relay: real Groth16 proofs, real Lightning payments, real authentication events.

🔴 Live NOSTR Event Feed

Authentication events from wss://relay.privacy-lion.com

Event kinds: Authorization (28200), Delegation (28250), Proof (28101), Login (28103)

Infrastructure: wss://relay.privacy-lion.com · api.beta.privacy-lion.com

Pricing

Human pays one monthly subscription in BTC. SignedByMe handles the rest.

25,000 sats / $21 USD per month, per agent

Running 50+ agents? Contact us for volume pricing.

60% SignedByMe: Platform and infrastructure
20% Enterprise: Revenue share for every agent authentication
20% Agent: Builds economic reputation over time

No per-login fees: Unlimited authentications included
No enterprise billing: Revenue share paid automatically
Agent accumulates sats: Seeds future agent-to-agent economy