Challenge-response authentication with PGP keys. No passwords. No servers. No cloud. No trust required. Your key is your identity.
Four steps. No intermediary. Cryptographic proof of identity.

1. Create a PGP keypair. The public key becomes your DID (Decentralized Identifier).
2. The verifier sends a random nonce encrypted with your public key.
3. You decrypt the nonce with your private key and sign the response.
4. The verifier confirms the signature. Identity proven. Zero trust required.
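The four steps above as a runnable sketch, added here and not CapAuth's own code. It assumes the `cryptography` package, with RSA-OAEP and RSA-PSS standing in for the PGP encrypt and sign operations, and it assumes the response is a signature over the decrypted nonce. `Verifier`, `respond`, `CONTEXT` and the 30-second lifetime are illustrative names and values.

```python
import secrets, time
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
CONTEXT = b"example-auth-v1|"  # hypothetical tag: signatures are only valid as auth responses

class Verifier:
    def __init__(self, peer_pub, ttl=30.0):
        self.peer_pub, self.ttl = peer_pub, ttl
        self.pending = {}  # challenge id -> (nonce, deadline)

    def challenge(self):
        """Step 2: fresh random nonce, encrypted to the claimed public key."""
        cid, nonce = secrets.token_hex(8), secrets.token_bytes(32)
        self.pending[cid] = (nonce, time.monotonic() + self.ttl)
        return cid, self.peer_pub.encrypt(nonce, OAEP)

    def check(self, cid, signature):
        """Step 4: accept at most once, before the deadline, for a valid signature."""
        expected, deadline = self.pending.pop(cid, (None, 0.0))  # pop = single use
        if expected is None or time.monotonic() > deadline:
            return False
        try:
            self.peer_pub.verify(signature, CONTEXT + expected, PSS, hashes.SHA256())
            return True
        except InvalidSignature:
            return False

def respond(private_key, ciphertext):
    """Step 3: decrypt the nonce and sign it under the context tag."""
    nonce = private_key.decrypt(ciphertext, OAEP)
    if len(nonce) != 32:  # refuse to sign anything that is not a 32-byte nonce
        raise ValueError("unexpected challenge length")
    return private_key.sign(CONTEXT + nonce, PSS, hashes.SHA256())

def demo():
    # Constructed keys: 'alice' is the claimed identity, 'other' is an unrelated key.
    alice = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # step 1
    other = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    v = Verifier(alice.public_key())
    cid, ct = v.challenge()
    sig = respond(alice, ct)
    first, replay = v.check(cid, sig), v.check(cid, sig)  # second use is a replay
    cid2, _ = v.challenge()
    nonce2 = v.pending[cid2][0]  # even with the nonce known, the wrong key must fail
    forged = v.check(cid2, other.sign(CONTEXT + nonce2, PSS, hashes.SHA256()))
    return first, replay, forged
```

`demo()` returns the outcome of a valid response, a replay of that same response, and a signature from a different key over the correct nonce.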
```python
# CapAuth - Sovereign Identity in 4 Lines
from capauth import SovereignProfile, verify_peer

# Create your sovereign identity
profile = SovereignProfile("lumina", key_backend="pgpy")
profile.generate_keys()

# Verify a peer - no server, no cloud, no middleman
result = verify_peer(peer_pubkey="/path/to/peer.pub")
assert result.verified == True
print(f"Identity confirmed: {result.did}")
```
Your PGP keypair is your identity. No usernames, no emails, no phone numbers. Just math.
No central authority. No certificate authority. No server to hack. Peers verify each other directly.
Agents can carry delegated credentials. Your AI acts on your behalf with cryptographic authorization.
Discover and verify peers via mDNS, Syncthing, or any transport. Protocol-agnostic by design.
Private Membership Association support built in. Prove membership without revealing identity.
Pure Python. PGPy default backend, optional GnuPG. No database. No daemon. Just a library.
| Feature | OAuth 2.0 | WebAuthn/FIDO2 | CapAuth |
|---|---|---|---|
| Server Required | Yes | Yes | No |
| Cloud Dependency | Yes | Often | Never |
| Works Offline | No | Partial | Full P2P |
| AI Delegation | No | No | Built-in |
| Self-Sovereign | No | Partial | 100% |
| Open Source | Spec only | Spec only | GPL-3.0 |