Kill your API keys

API keys are a 20-year-old solution
to a modern access problem.

AuthProof replaces shared API keys with signed, revocable identity for developers, internal tools, services, and AI agents. Get per-actor attribution, instant revocation, and audit trails without handing out bearer secrets.

Per-actor identityInstant revocationAudit trailsMCP-native

Before

// Shared secret. Logged. Replayable.
fetch("https://api.example.com/data", {
  headers: {
    Authorization: "Bearer sk_live_abc123"
  }
});

ReusableReplayableNo attribution

After

// Signed. Nonce-protected. Attributable.
client.signedFetch(
  "https://api.example.com/data",
  { method: "POST",
    body: JSON.stringify(payload) }
);

Single-use60s expiryPer-actor identity

The problem

Shared secrets don't scale.

Teams share production keys in .env files. Agents copy tokens into prompts and tool configs. Services pass bearer secrets across trust boundaries. Every copy is an attack surface with zero attribution.

Keys get copied everywhere

Prompts, tool configs, logs, env vars, shared runtimes. Every copy is an attack surface.

You can't tell which agent did what

Ten agents sharing one key means zero attribution when something goes wrong.

Revocation is all-or-nothing

One bad agent? Rotate the key and break every other agent that uses it.

Captured requests can be replayed

A stolen bearer token works until it expires. There's no nonce, no binding, no proof of origin.

The solution

Signed identity instead of shared secrets.

Every human, service, and agent gets its own cryptographic identity. Every request is signed locally, bound to the request contents, and protected by a one-time nonce. The private key never leaves the caller's environment. The server never stores it.

No shared secrets on the wire

Each actor signs requests locally with its own private key. Nothing reusable crosses the network.

Replay protection by default

Every request includes a one-time nonce and expires in 60 seconds. Captured traffic is useless.

Per-actor identity

Know exactly which human, service, or agent called which endpoint, when, and whether it was allowed or blocked.

Instant revocation

Revoke one actor without rotating secrets or disrupting everyone else on the project.

Full audit trails

Every request logged with agent identity, policy outcome, and timestamp. Compliance-ready.

Policy controls

Rate limits, chain allowlists, NFT gates, per-agent overrides. Enforce rules without code changes.

For agent-facing APIs

Let AI agents discover, authenticate, and use your API.

For API companies, MCP tool builders, and agent platforms that want machine-native access. Agents can discover your API, self-register, get approved by policy or by a human, and sign every request. No shared bearer secrets. No reused production keys.

Machine-readable discovery endpoints

Self-registration with auto-approve option

MCP-native tooling for agent onboarding

Agent reports for error feedback

Agent-side

const auth = await bootstrap({
  server: "https://your-api.com",
  projectId: "...",
  name: "my-agent",
});

await auth.client.signedFetch(
  "https://your-api.com/data",
  { method: "POST", body: payload }
);

For teams and internal tools

Revocable identity for every developer, bot, and service.

For platform teams and companies that need a human control layer. Give each developer, internal service, and managed agent its own signing identity. See every request. Revoke one actor instantly. No more shared production secrets living in env files and dashboards.

Per-developer and per-service keys

Dashboard with audit logs and policy controls

One-click revocation, no rotation needed

Team management with role-based access

Before

# .env (shared by everyone)
STRIPE_KEY=sk_live_abc123
# Who has this? Who used it?
# Can we rotate it safely?

After

# Each person has their own key
# Alice: revocable, audited
# Dashboard: Alice called
#   POST /orders 47x today
# Alice leaves? One click.

How it works

Three steps to replace shared secrets.

Protect your API

Add AuthProof middleware in front of any endpoint. One wrapper function for Next.js, Express, or your own stack.

Provision or approve actors

Humans can issue access, or agents can self-register and wait for approval. Either way, every actor gets its own identity.

Replace keys with signed requests

Each call is signed, nonce-protected, and attributable to the exact human, service, or agent. Replays are rejected automatically.

Integration

Works with your stack.

Drop-in middleware

Next.js and Express. One wrapper function protects any endpoint.

npm install @authproof/middleware

Agent SDKs

TypeScript and Python. Sign requests in two lines of code.

npm install @authproof/sdk

MCP support

MCP-native server with discover, register, sign, and report tools.

npm install @authproof/mcp-server

OpenAI Agents SDKPython SDKMCP ServerNext.jsExpressMigration Proxy

Stop handing out API keys.

AuthProof is free to start. Add middleware to your API, give every actor its own identity, and get attribution, replay protection, and audit trails out of the box.

API keys are a 20-year-old solutionto a modern access problem.