[{"data":1,"prerenderedAt":490},["ShallowReactive",2],{"navigation":3,"/getting-started":145,"/getting-started-surround":487},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":10,"body":147,"description":480,"extension":481,"links":482,"meta":483,"navigation":484,"path":6,"seo":485,"stem":7,"__hash__":486},"docs/1.getting-started/1.index.md",{"type":148,"value":149,"toc":474},"minimark",[150,154,158,163,166,196,200,203,230,234,237,289,293,296,449,470],[151,152,10],"h1",{"id":153},"introduction",[155,156,157],"p",{},"OpenApe is the security layer for the Agentic Web. It consists of two independent systems:",[159,160,162],"h2",{"id":161},"openape-auth-identity-for-humans-and-agents","OpenApe Auth — Identity for Humans and Agents",[155,164,165],{},"DNS-based login using the DDISA protocol. Your domain becomes your identity provider — no OAuth servers to maintain, no SDKs to integrate. Just a DNS TXT record.",[167,168,169,181,190],"ul",{},[170,171,172,176,177,180],"li",{},[173,174,175],"strong",{},"Humans"," authenticate with ",[173,178,179],{},"Passkeys"," (WebAuthn/FIDO2) — phishing-proof by design",[170,182,183,176,186,189],{},[173,184,185],{},"Agents",[173,187,188],{},"Ed25519 challenge-response"," — same cryptographic strength, adapted for M2M",[170,191,192,195],{},[173,193,194],{},"Passwords are explicitly prohibited"," in the DDISA spec",[159,197,199],{"id":198},"openape-grants-permissions-for-agents","OpenApe Grants — Permissions for Agents",[155,201,202],{},"Human-in-the-loop permission system. When an agent needs to perform a privileged action, a human approves it.",[167,204,205,214,222],{},[170,206,207,213],{},[173,208,209],{},[210,211,212],"code",{},"allow_once"," — one-time approval, consumed after use",[170,215,216,221],{},[173,217,218],{},[210,219,220],{},"allow_ttl"," — time-limited grant (e.g. \"for the next 2 hours\")",[170,223,224,229],{},[173,225,226],{},[210,227,228],{},"allow_always"," — standing permission, revocable anytime",[159,231,233],{"id":232},"dual-role-enabler-gatekeeper","Dual Role: Enabler & Gatekeeper",[155,235,236],{},"OpenApe doesn't just secure agents — it makes them possible. The IdP controls which agents exist, and the grant system ensures humans stay in the loop where it matters. The IdP and its management credentials are controlled exclusively by humans — agents authenticate through cryptographic challenge-response, never through admin tokens.",[238,239,240,253],"table",{},[241,242,243],"thead",{},[244,245,246,250],"tr",{},[247,248,249],"th",{},"Without OpenApe",[247,251,252],{},"With OpenApe",[254,255,256,265,273,281],"tbody",{},[244,257,258,262],{},[259,260,261],"td",{},"Agents act, humans hope",[259,263,264],{},"Agents request, humans approve",[244,266,267,270],{},[259,268,269],{},"No standard identity",[259,271,272],{},"DNS-based, domain-scoped identity",[244,274,275,278],{},[259,276,277],{},"No audit trail",[259,279,280],{},"Signed JWTs, dual accountability",[244,282,283,286],{},[259,284,285],{},"Passwords everywhere",[259,287,288],{},"Passkeys only, phishing-proof",[159,290,292],{"id":291},"minimal-identity-token","Minimal Identity Token",[155,294,295],{},"The AuthN-JWT contains only what's needed:",[297,298,303],"pre",{"className":299,"code":300,"language":301,"meta":302,"style":302},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\n  \"sub\": \"alice@example.com\",\n  \"act\": \"human\",\n  \"iss\": \"https://id.example.com\",\n  \"aud\": \"sp.example.com\",\n  \"exp\": 1234567890,\n  \"nonce\": \"...\"\n}\n","json","",[210,304,305,314,342,363,384,405,423,443],{"__ignoreMap":302},[306,307,310],"span",{"class":308,"line":309},"line",1,[306,311,313],{"class":312},"sMK4o","{\n",[306,315,317,320,324,327,330,333,337,339],{"class":308,"line":316},2,[306,318,319],{"class":312},"  \"",[306,321,323],{"class":322},"spNyl","sub",[306,325,326],{"class":312},"\"",[306,328,329],{"class":312},":",[306,331,332],{"class":312}," \"",[306,334,336],{"class":335},"sfazB","alice@example.com",[306,338,326],{"class":312},[306,340,341],{"class":312},",\n",[306,343,345,347,350,352,354,356,359,361],{"class":308,"line":344},3,[306,346,319],{"class":312},[306,348,349],{"class":322},"act",[306,351,326],{"class":312},[306,353,329],{"class":312},[306,355,332],{"class":312},[306,357,358],{"class":335},"human",[306,360,326],{"class":312},[306,362,341],{"class":312},[306,364,366,368,371,373,375,377,380,382],{"class":308,"line":365},4,[306,367,319],{"class":312},[306,369,370],{"class":322},"iss",[306,372,326],{"class":312},[306,374,329],{"class":312},[306,376,332],{"class":312},[306,378,379],{"class":335},"https://id.example.com",[306,381,326],{"class":312},[306,383,341],{"class":312},[306,385,387,389,392,394,396,398,401,403],{"class":308,"line":386},5,[306,388,319],{"class":312},[306,390,391],{"class":322},"aud",[306,393,326],{"class":312},[306,395,329],{"class":312},[306,397,332],{"class":312},[306,399,400],{"class":335},"sp.example.com",[306,402,326],{"class":312},[306,404,341],{"class":312},[306,406,408,410,413,415,417,421],{"class":308,"line":407},6,[306,409,319],{"class":312},[306,411,412],{"class":322},"exp",[306,414,326],{"class":312},[306,416,329],{"class":312},[306,418,420],{"class":419},"sbssI"," 1234567890",[306,422,341],{"class":312},[306,424,426,428,431,433,435,437,440],{"class":308,"line":425},7,[306,427,319],{"class":312},[306,429,430],{"class":322},"nonce",[306,432,326],{"class":312},[306,434,329],{"class":312},[306,436,332],{"class":312},[306,438,439],{"class":335},"...",[306,441,442],{"class":312},"\"\n",[306,444,446],{"class":308,"line":445},8,[306,447,448],{"class":312},"}\n",[167,450,451,456,467],{},[170,452,453,455],{},[210,454,323],{}," — email address (same identifier used in the login request)",[170,457,458,460,461,463,464],{},[210,459,349],{}," — ",[210,462,358],{}," or ",[210,465,466],{},"agent",[170,468,469],{},"No name, no owner, no approver — those belong in the AuthZ layer",[471,472,473],"style",{},"html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":302,"searchDepth":344,"depth":316,"links":475},[476,477,478,479],{"id":161,"depth":316,"text":162},{"id":198,"depth":316,"text":199},{"id":232,"depth":316,"text":233},{"id":291,"depth":316,"text":292},"What is OpenApe and why does it exist?","md",null,{},true,{"title":10,"description":480},"9ylJurXHXOrvHZalmLMr6Iv5hCd0OrQJ2aL5sh-kJA4",[482,488],{"title":12,"path":13,"stem":14,"description":489,"children":-1},"Set up OpenApe agent gatekeeping for AI agents like OpenClaw.",1774221117376]