✦ Agent Passport · HDAA
Human-Delegated Agent Authentication
Today's bot detection asks: "how does this agent behave?" We ask a different question: "who is this agent acting for?"
When a verified human issues a delegation token to their AI agent, any third-party site can verify it — without behavioral ML, without a $100K enterprise contract, and without storing any PII.
👤 Human verifies → 🔑 DID delegates to → 🤖 Agent presents token to → 🌐 Any site
The agent inherits the human's trust_score. A verified human's agent passes. An anonymous or unverified agent fails.
How it works
1. Human verifies
User completes gesture-based proof of humanity at homosapience.org/verify — generates an anonymous Ed25519 DID anchored on Aptos. No ID document, no phone number.
# Already verified? Get your session JWT:
POST /api/auth/session
{ "did": "did:key:z6Mk…", "nonce": "<challenge>", "signature": "<ed25519>" }
→ { "token": "<jwt>" }
2. Issue delegation token
The verified human calls the delegation API to create a signed token for their agent. The token carries trust metadata — not the DID itself.
curl -X POST https://homosapience.org/api/agent/delegate \
  -H "Authorization: Bearer <session_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "my-shopping-assistant",
    "permissions": ["read", "search"],
    "expires_in": 2592000
  }'
→ { "delegation_id": "3f8a2c71-…", "token": "<delegation_jwt>", "expires_at": 1752592000 }
3. Agent carries the token
The agent attaches the delegation token to every request to participating sites. Any site can verify it against the public API — no SDK, no contract, no API key.
# Agent sends to your site:
Authorization: Bearer <delegation_jwt>
# Your site verifies (public endpoint, no auth required):
GET https://homosapience.org/api/agent/verify?token=<delegation_jwt>
→ {
  "valid": true,
  "human_trust_score": 0.95,
  "human_trust_label": "community_verified",
  "agent_id": "my-shopping-assistant",
  "permissions": ["read", "search"],
  "expires_at": "2026-07-24T10:00:00+00:00"
}
4. Verified at runtime, not just once
Every /api/agent/verify call re-checks expiry and revocation — trust isn’t a one-time stamp. If an agent is compromised or no longer trusted, the human owner revokes the delegation and every subsequent call fails instantly, everywhere. No need to rotate the underlying DID.
DELETE https://homosapience.org/api/agent/<delegation_id>
Authorization: Bearer <session_jwt>
→ { "status": "revoked", "delegation_id": "3f8a2c71-…" }
# Subsequent verify calls return:
→ { "valid": false, "reason": "revoked" }
Token payload
A delegation token is an HS256 JWT. The payload contains no PII — only trust metadata and permissions. Your site verifies the signature once via /api/agent/verify.
{
  "type": "AgentDelegation",
  "version": "1",
  "delegation_id": "3f8a2c71-...",
  "human_trust_score": 0.95,
  "human_trust_label": "community_verified",
  "agent_id": "my-shopping-assistant",
  "permissions": ["read", "search"],
  "issued_at": 1750000000,
  "expires_at": 1752592000
}
Different from behavioral analysis
Every vendor in the Forrester Wave™ Bot & Agent Trust Management Software (Q2 2026) analyzes how the agent behaves. We answer a different question.
| | Wave vendors (DataDome, HUMAN, Kasada…) | APTOGON HDAA |
|---|---|---|
| Approach | Behavioral analysis | Human credential |
| Who is trusted? | The agent (if it acts right) | The human owner (verified) |
| Revocation | None (no concept of owner) | Instant by human |
| Privacy | Behavioral data collected | Zero PII — anonymous DID |
| Portable | Site-specific only | Works on any site |
| Price | $100K–$2M/yr enterprise | Free API |
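
A site-side check for steps 3 and 4 above, added here as an example (not code from the Agent Passport project): it calls the public verify endpoint on every request and denies on any error, revocation, expiry, low trust score or missing permission. The names `authorize` and `fetch_verdict`, the `min_trust` threshold and the reason strings other than the API's own `reason` value are assumptions.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

VERIFY_URL = "https://homosapience.org/api/agent/verify"  # public endpoint from the page

def fetch_verdict(token, timeout=5):
    """Ask the issuer. The token is in the query string: keep this URL out of logs."""
    url = VERIFY_URL + "?" + urllib.parse.urlencode({"token": token})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def authorize(auth_header, required_permission, min_trust=0.8,
              fetch=fetch_verdict, now=None):
    """Return (allowed, reason) for one request; every failure path denies.
    min_trust is a site policy choice (assumed value), not part of the API."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False, "no_bearer_token"
    try:
        verdict = fetch(token.strip())  # called per request, so revocation takes effect
    except Exception:
        return False, "verify_unavailable"  # fail closed if the issuer is unreachable
    if not isinstance(verdict, dict):
        return False, "malformed_verdict"
    if verdict.get("valid") is not True:
        return False, str(verdict.get("reason", "invalid"))
    try:
        now = now or datetime.now(timezone.utc)
        expired = datetime.fromisoformat(verdict["expires_at"]) <= now
        score = float(verdict["human_trust_score"])
        permissions = list(verdict["permissions"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed_verdict"
    if expired:
        return False, "expired"
    if score < min_trust:
        return False, "trust_too_low"
    if required_permission not in permissions:
        return False, "permission_missing"
    return True, "ok"

if __name__ == "__main__":
    # Constructed verdict mirroring the page's sample response; no network call is made.
    sample = {"valid": True, "human_trust_score": 0.95, "permissions": ["read", "search"],
              "expires_at": "2026-07-24T10:00:00+00:00"}
    at = datetime(2026, 7, 1, tzinfo=timezone.utc)
    print(authorize("Bearer <delegation_jwt>", "read", fetch=lambda t: sample, now=at))
```

Because the token is signed with HS256, a symmetric algorithm, a third-party site holds no key to check the signature itself, so claims decoded locally from the JWT should not be used for the decision; only the endpoint's answer is.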
Get your Agent Passport
Verify yourself first — then issue delegation tokens to your AI agents. Free API. No account needed beyond verification.
Open source · AGPL-3.0 · Free API · No waitlist