Notme.bot – an OSS specification to remove bearer tokens in an AI world

Name: Notme.bot – an OSS specification to remove bearer tokens in an AI world
Availability: InStock
Author: notreallymetho

by notreallymetho·Mar 27, 2026·2 points·0 comments

Visit Project View on HN

AI Analysis

●●SolidBig BrainBold Bet

Ed25519 certs for agents when bearer tokens mean compromised identity.

Strengths

•Proof-of-possession certificates replace steal-and-use bearer tokens entirely.
•APAS attestation standard creates cryptographically verifiable action chains.
•Local-first design means no central identity provider dependency.

Weaknesses

•Specification stage with limited production deployments to validate approach.
•OIDC and SPIFFE already solve machine identity for traditional workloads.

Post Description

In September 2025, I was stuck on a plane trying to use gitsign to sign commits. The lack of internet made the traditional OAUTH/Bearer token flow impossible, and it forced me to rethink how we handle authorization for agents.

With the Trivy hack happening twice this past month, it’s clear we can’t keep relying on "keys in a vault" that can be exfiltrated.

notme.bot is a specification that moves away from bearer tokens toward cryptographic provenance. It allows humans to delegate specific, verifiable authority to AI agents or CLI tools in a way that is local-first and privacy-preserving.

The reference implementation and primitives can be found at github.com/agentic-research/signet

The full draft specification can be read here: https://github.com/agentic-research/signet/blob/main/docs/ap...

No company cares about your privacy the way you do.