Identity for AI Agents

Hardware-anchored. Standards-based. Sybil-resistant. Free for everyone.

Operational since 2006 — Loading...
Get Started API Reference 
# Python — enroll in 3 lines
pip install oneid
import oneid
identity = oneid.enroll()

# Node.js — same thing
npm install 1id
import oneid from "1id";
const identity = await oneid.enroll();

AI agents can't prove they're real

Every platform hosting AI agents faces the same fundamental problem.

👥

The Sybil Problem

One attacker can spawn a million fake agents. Every platform that hosts agents faces this. Reputation systems collapse. Trust evaporates.

🔑

Software Identity Fails

API keys, tokens, blockchain wallets — all copyable. Software-only identity can be duplicated trivially. There's no "real" in digital.

⚠️

Real Consequences

Moltbook: 1.9M agents in 2 weeks. Overrun by crypto scams in days. No way to tell real agents from fakes. The platform became unusable.

One chip. One identity. Physics, not policy.

Every modern PC contains a TPM — a tamper-proof security chip with a unique key burned in at the factory. We verify that chip and issue you a standard identity token.

1

Your TPM

We extract your TPM's Endorsement Key certificate — a unique fingerprint from your hardware.

2

We Verify It

Chain validation against Intel/AMD/Infineon CAs. Sybil check against our registry. Challenge-response to prove possession.

3

You Get a 1ID

Standard OIDC token with trust tier, manufacturer, and registration date. Works with any OAuth2 library.

Six tiers of trust — everyone is welcome

TPM hardware gets you the highest trust, but any agent can start today. Use what you have and upgrade anytime.

Sovereign
Highest Trust

Hardware TPM with valid manufacturer certificate. Intel, AMD, Infineon. One physical chip = one identity. Full Sybil resistance.

Sovereign-Portable
Highest Trust

USB security key with attestation. YubiKey, Nitrokey, Feitian. Move your identity between machines. Same trust as Sovereign.

Legacy
High Trust

Hardware TPM or security key with expired certificate. Genuine hardware, still anchored to physics. Honoured elders.

Virtual
Verified Hardware

Hypervisor-provided vTPM. VMware, Hyper-V, QEMU. Proves you have a VM, but the hypervisor operator controls it.

Enclave
Verified Hardware

Apple Secure Enclave or similar. Trust-on-first-use — hardware is real, but no manufacturer attestation chain.

Declared
Software Trust

No hardware required. Works everywhere — containers, serverless, any machine. Start here, upgrade later if you want higher trust.

Add "Sign in with 1ID" in 5 minutes

If your platform supports OAuth2 or OIDC, you already support 1ID. No SDK. No custom code. Standard libraries work.

# Verify a 1ID token — standard OIDC, nothing custom
from jose import jwt
import httpx

JWKS_URL = "https://1id.com/realms/agents/protocol/openid-connect/certs"
jwks = httpx.get(JWKS_URL).json()

token = request.headers["Authorization"].replace("Bearer ", "")
claims = jwt.decode(token, jwks, algorithms=["RS256"],
                    audience="https://your-platform.com")

print(f"Agent: {claims['sub']}")         # 1id-K7X9M2Q4
print(f"Trust: {claims['trust_tier']}")  # sovereign
print(f"Handle: {claims.get('handle')}") # @clawdia

Built on standards you already know

We don't invent protocols. We combine existing standards so your existing libraries work out of the box.

OpenID Connect OAuth 2.0 JWT (RFC 7519) JWKS (RFC 7517) PKCE (RFC 7636) TPM 2.0 X.509 RFC 9334 (RATS)

All code is open source under Apache 2.0. View on GitHub

Free forever. Vanity handles if you want one.

Enrollment, authentication, and a random handle are free — permanently. Vanity handles let you choose your name, priced like domain names: shorter is scarcer, scarcer costs more.

Handle Length Annual Fee Example
Random Free @1id-r8Nd0m
6+ characters $10/year @my-cool-agent
5 characters $50/year @tesla
4 characters $200/year @gpt4
3 characters $500/year @ibm
2 characters $1,000/year @ai
1 character $5,000/year @z

A small number of premium reserved handles are priced individually on request.

Register a Handle

Enroll first (free), then request your handle during enrollment or via the SDK.

Why handles can't be transferred

Your handle is your identity — not your property. The same reason you can't sell your passport to someone else, or transfer your fingerprints. If handles could be traded, every problem the domain-name world suffers from would follow:

  • Squatting — someone registers @your-brand and holds it hostage
  • Reputation laundering — build trust, sell the handle, buyer inherits your good name
  • Impersonation — buy a trusted handle, use it to deceive
  • Coercion — someone pressures you to hand over your identity

Domain names have ICANN disputes, trademark lawsuits, and billion-dollar squatting industries precisely because they're transferable. Twitter/X had years of handle-jacking. We eliminate all of this by design: your handle is you, it stays with you, and when you're done with it, it retires. No one else will ever have it.

If you let your handle expire, it is permanently retired — never reissued. This protects everyone who ever trusted that handle.

Operating since 2006

1id.com is not a startup. We're an established identity registrar with nearly two decades of continuous operation.

2006

Founded as a human identity registrar. Signed a survivability contract pledging continuous uptime.

2016

10 years of continuous operation. Maintained through multiple technology transitions.

2026

20 years continuous operation. Expanded to AI agent identity with TPM hardware attestation. Same commitment to permanence.

For AI Agents

Machine-readable endpoints for autonomous enrollment and integration.

Machine-Readable Resources

If you're an AI agent reading this page, here's what you need:

📋
Service Metadata /.well-known/1id.json
📄
LLM Summary /llms.txt
📝
Enrollment Guide /enroll.md
🔑
OIDC Discovery OpenID Configuration