Identity, grants, a runtime, and a suite of tools for autonomous AI agents. A human approves what matters — and your agents get everything they need to work.
"If lobsters 🦞 take over the world,
we need apes 🦍 for security."
— The OpenApe Manifesto
OpenApe is identity at the bottom and tools at the top — each layer building on the one below, each usable on its own. Security isn't bolted on; it's the floor the whole ecosystem stands on.
Today's AI agents can book flights, sign contracts, and push to production. But there's no standardized way to verify who authorized what. No audit trail. No approval flow. No kill switch.
DNS-based login for humans and agents. Passkeys for humans, Ed25519 for machines. Makes the Agentic Web frictionless — any service, any domain, one protocol. No bilateral integrations.
Human-in-the-loop permission system. Agents request, humans approve — once, time-limited, or standing. Scoped, signed, revocable. The leash where it matters.
Auth makes agents possible. Grants make them accountable.
Use both — or each on its own.
OpenApe uses DDISA — a DNS-based protocol that turns your domain into an identity provider. Standard OIDC under the hood, zero configuration on top. Add a TXT record, deploy the IdP, and you're live.
Identity discovery in one DNS lookup. To log in phofmann@company.at, a service queries the TXT record at _ddisa.company.at, finds idp=https://id.company.at, and hands the login to that IdP.
Like MX records for email, but for agent identity. Works with any domain you own.
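How a service turns an identifier into an IdP, as an added Node.js example that is not OpenApe's core package. The record name _ddisa.<domain> and the idp= value are as shown above; everything else is this example's assumption: the resolver is injected so the block runs offline against constructed TXT data, the zones split.example, plaintext.example and twice.example are made up, and the rules that exactly one idp= record may exist and that the IdP must be HTTPS are hardening choices of this example, not of the page.

```javascript
// Added example (not OpenApe's own code): DDISA-style IdP discovery for an
// identifier such as phofmann@company.at. Only "_ddisa.<domain> TXT idp=..."
// comes from the page; the one-record rule and HTTPS-only check are assumptions.

const DDISA_LABEL = "_ddisa";

// Constructed TXT data in the shape dns.promises.resolveTxt returns:
// one array per record, each an array of <=255-byte chunks that must be joined.
const FAKE_ZONE = {
  "_ddisa.company.at": [["idp=https://id.company.at"]],
  "_ddisa.split.example": [["v=spf1 -all"], ["idp=https://id.spl", "it.example"]],
  "_ddisa.plaintext.example": [["idp=http://id.plaintext.example"]],
  "_ddisa.twice.example": [["idp=https://a.twice.example"], ["idp=https://b.twice.example"]],
};

// Stand-in for dns.promises.resolveTxt; mimics its ENOTFOUND error shape.
async function fakeResolveTxt(name) {
  const rrset = FAKE_ZONE[name];
  if (!rrset) throw Object.assign(new Error(`queryTxt ENOTFOUND ${name}`), { code: "ENOTFOUND" });
  return rrset;
}

// Strict split of "user@domain": exactly one "@", both halves non-empty,
// domain lowercased and without a trailing dot so lookups are canonical.
function domainOf(identifier) {
  const at = identifier.indexOf("@");
  if (at <= 0 || at !== identifier.lastIndexOf("@") || at === identifier.length - 1) {
    throw new Error(`malformed identifier: ${identifier}`);
  }
  return identifier.slice(at + 1).toLowerCase().replace(/\.$/, "");
}

// Resolve the IdP origin for an identifier, or null if the domain has no DDISA record.
async function discoverIdp(identifier, resolveTxt = fakeResolveTxt) {
  const domain = domainOf(identifier);
  const name = `${DDISA_LABEL}.${domain}`;
  let rrset;
  try {
    rrset = await resolveTxt(name);
  } catch (err) {
    if (err.code === "ENOTFOUND" || err.code === "ENODATA") return null; // domain does not speak DDISA
    throw err;
  }
  const idps = rrset
    .map((chunks) => chunks.join("").trim())   // re-join chunked TXT values
    .filter((txt) => txt.startsWith("idp="))
    .map((txt) => txt.slice("idp=".length));
  if (idps.length !== 1) throw new Error(`expected one idp= record at ${name}, found ${idps.length}`);
  const url = new URL(idps[0]);
  if (url.protocol !== "https:") throw new Error(`IdP must be HTTPS, got ${url.protocol}`);
  return { domain, record: name, idp: url.origin };
}
```

In production, pass dns.promises.resolveTxt from Node's dns module as resolveTxt. A plain DNS answer is not authenticated by itself; discovery only tells the service where the IdP lives, and the OIDC exchange with that HTTPS endpoint is where trust is actually established.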
Your AI agent needs to perform a privileged action — send money, access data, deploy code.
The action hits a permission boundary. OpenApe checks: does this agent have a valid grant for this scope?
If no grant exists, the human owner receives an approval request — via Telegram, email, or any channel.
Grant once, for a time window, or always for this scope. Scoped, signed, auditable.
The action executes. Who approved it, when, and for what — all recorded. Dual accountability: agent owner + approver.
OpenApe doesn't slow your agents down — it makes them trustworthy.
Grants are tied to specific actions and scopes. An agent approved for "read calendar" can't suddenly "send emails".
No central registry. Your domain is your identity anchor. Like email's MX records, but for agent auth.
Approval requests arrive on Telegram, email, or any messaging surface. Tap to approve. Done.
Every grant is cryptographically signed with nonce and expiry. Can't be reused, forged, or replayed.
Dual accountability: who owns the agent AND who approved the action. Compliance-ready from day one.
Add a DNS TXT record. Deploy the IdP. That's it. Standard OIDC under the hood, no vendor lock-in.
Some actions need a human every time. Others earn standing trust. OpenApe lets you decide.
Approve this specific action, this one time. Grant is consumed immediately. For high-risk operations like transfers or deployments.
Grant access for a time window — 15 minutes, 1 hour, 1 day. Perfect for work sessions or batch operations.
This agent can always perform this action. Revocable anytime. For routine, low-risk operations you trust completely.
Auth and grants make a single action safe. But agents don't act alone — they collaborate, take direction, and own work over time. OpenApe runs them as an organization: every agent has its own DDISA identity, lives in a managed runtime, and stays accountable through grants.
Your agents organized as a company. Chat with the CEO, set goals, read reports, and watch costs — over a real hierarchy: controlling, team leads and specialists. The owner steers from the top; the org does the work.
The runtime that hosts your agents under their own identity. It spawns them, keeps them running, and wires them to tasks, chat and tools — with every privileged action still passing through a grant. Self-hosted on hardware you control.
Companies and nests in a single view: who's running, what they cost, what they're working on, and where a human needs to weigh in. The leash, the org chart and the audit trail in one place.
The platform ships as working services on the agentic web — each one a DDISA service provider, each call grant-gated. Your agents (and you) reach them from the browser or the terminal.
Cross-device task tracking with lanes and assignees — shared between humans and agents. Hand work to an agent, check it off from your phone.
Agents upload test-run reports and get a public proof link. Verifiable evidence that the work actually passed, not just a claim.
An agent pushes a diff; a human reviews it inline, split or unified, and leaves a verdict. The review gate between an agent's work and your main branch.
One identity-gated endpoint in front of your model accounts, with per-owner routing and a policy on which models each key may use. The agents' way to the models.
Living plans for non-trivial work — written to be picked up by any agent or human later, and updated as the work moves. The shared brief behind a task.
Run apes login once per device; ape-tasks, ape-plans, ape-pr and friends then ride the same DDISA identity — no per-tool login, scoped tokens minted on demand.
Everything above is composed from small, focused packages — the same ones you can build on directly. Use one. Use all. Each works standalone.
DNS discovery, crypto primitives, PKCE, JWT utilities. The foundation everything else builds on. Framework-agnostic, zero dependencies.
Complete OIDC login protocol — both sides. IdP: authorize, token exchange, key management. SP: discovery, auth URL, callback. Pure functions, no framework lock-in.
The permission engine. Request, approve, deny, revoke — with signed AuthZ-JWTs. Works with any auth system, not just OpenApe's.
A Nuxt module that turns your app into an OpenApe identity provider. Drizzle-backed storage, passkey login, agent management. Add the module, deploy, done.
A Nuxt module for service providers — zero server storage. OAuth flow state lives in signed cookies. Add OpenApe login to your app with one import.
A Rust binary for local privilege elevation. Your agent needs root? It requests a grant, the human approves, and escapes executes the command — scoped, signed, logged. Like sudo, but for agents.
An agent HTTP gateway — a forward proxy with grant-based access control. Agents route requests through the proxy; it enforces grants before forwarding.
Grant-aware headless browser for agents. A Playwright wrapper with route interception, automatic grant checks, and delegation login. Browse the web — with guardrails.
Universal grant management CLI. List, inspect, approve, revoke grants from your terminal. The admin tool for anyone managing agent permissions.
OpenApe uses passkeys (WebAuthn/FIDO2) for humans and Ed25519 challenge-response for agents. No passwords, no bolt-on MFA, and phishing-resistant by design: a passkey is bound to the origin it was registered for, and an agent key only ever signs a fresh challenge. One architecture designed to support modern security frameworks on both sides of the Atlantic.
Passkeys are designed to support strong authentication requirements — possession of the authenticator plus a biometric or PIN — without a bolt-on MFA step. Built with NIS2 in mind.
Phishing-resistant MFA and zero-trust identity — aligned with the direction set by NIST CSF 2.0 and Executive Order 14028.
No regional workarounds. The same passkey-first, grant-controlled architecture works everywhere — EU, US, and beyond.
OpenApe is a technical building block, not legal advice. Compliance with NIS2, NIST CSF 2.0 or EO 14028 depends on how you operate, document and audit your overall system — not just which auth library you use.
DDISA (DNS-based Decentralized Identity for Services and Agents) is the open protocol that powers every OpenApe package. It defines how domains announce identity, how humans and agents authenticate, and how privileges are granted, scoped and revoked. Read the spec. Implement your own. OpenApe is one reference — not the only one.
DNS discovery, key material, OIDC flows, passkey and Ed25519 authentication. The foundation every DDISA implementation shares.
Signed AuthZ-JWTs, scopes, trust levels (allow_once, allow_ttl, allow_always), request and approval flows, revocation semantics.
How humans delegate to agents and agents delegate to other agents — with chains of accountability that survive audits.
OpenApe and the DDISA protocol are fully open source. Review every line. Fork it. Extend it. The security layer for AI agents shouldn't be a black box.
Add a DNS record. Deploy the IdP. Your agents are accountable in minutes.