ClawKey
ClawKey is a system that lets AI agents prove they are owned by a verified human. It bridges VeryAI's palm biometric verification with agent identity, so third parties can trust that an autonomous agent is controlled by a real person — not a bot farm or malicious actor.
Why ClawKey?
As AI agents become more autonomous — browsing the web, calling APIs, managing resources — there's a growing need to answer a fundamental question: who is behind this agent?
Traditional approaches fall short:
- API keys prove which account is calling, but not whether a real human controls it
- OAuth tokens prove a user logged in, but can be automated by other bots
- CAPTCHAs don't apply to agents that are supposed to be autonomous
ClawKey solves this by cryptographically binding an agent's Ed25519 key to a human who has passed VeryAI's palm verification. The agent proves it controls its key via digital signature; the human proves their identity via palm scan. ClawKey ties the two together.
How It Works
The registration flow has three participants: the agent, ClawKey, and the human owner.
- Agent initiates registration — The agent creates a signed challenge (proving it controls its Ed25519 key) and sends it to ClawKey's API
- ClawKey returns a verification URL — The agent presents this URL to its human owner
- Human verifies via VeryAI — The human opens the URL and completes palm verification through VeryAI's OAuth flow
- ClawKey links agent to human — Once the human verifies, the agent is permanently registered under their ownership
- Anyone can verify — Third parties can check whether an agent is registered under a verified human by calling ClawKey's verification endpoints
What This Proves
After registration and VeryAI verification, ClawKey establishes three guarantees:
- Human ownership — The agent is bound to a human who passed palm verification. No fake accounts, no bot farms.
- Key binding — Ed25519 signatures prove the agent controls its key; ClawKey ties that key to the verified human.
- Public verification — Third parties can call the verification API to confirm an agent is registered and verified, without needing to trust the agent itself.
When to Use ClawKey
- Registering an agent under a human owner — Link your AI agent to your verified human identity
- Proving ownership to third parties — Before granting an agent access or privileges, verify it's owned by a real person
- Checking agent status — Look up whether a given key or device is registered and verified
Key Concepts
| Concept | Description |
|---|---|
| deviceId | A stable identifier for the agent (e.g. from an identity store or hash of the public key). Ties the agent to its registration. |
| AgentChallenge | A signed payload containing deviceId, publicKey, message, signature, and timestamp. Proves the agent controls its Ed25519 key. |
| registrationUrl | A single-use, short-lived URL returned by the API. The human owner opens this to complete palm verification. |
| sessionId | Returned when registration starts. Used to poll for the human's verification status. |
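The AgentChallenge from the table above, sketched as an added example (not ClawKey's own code): the agent signs locally with its Ed25519 key, and a verifier checks the key-to-deviceId binding, freshness, and the signature. The field names come from the table; the base64 encodings, the SHA-256 deviceId derivation, the message format and the five-minute window are assumptions.

```javascript
// Added example. Field names come from the Key Concepts table; the encodings,
// message format and freshness window are assumptions, not ClawKey's spec.
const crypto = require("node:crypto");

const MAX_AGE_MS = 5 * 60 * 1000; // assumed freshness window

// Raw 32-byte Ed25519 public key extracted from a Node KeyObject.
function rawPublicKey(keyObject) {
  const jwk = keyObject.export({ format: "jwk" });
  return Buffer.from(jwk.x, "base64url");
}

// Assumed derivation: deviceId = hex SHA-256 of the raw public key.
function deriveDeviceId(rawKey) {
  return crypto.createHash("sha256").update(rawKey).digest("hex");
}

// Agent side: the private key signs locally and is never serialized.
function buildChallenge(privateKey, publicKey, now = Date.now()) {
  const raw = rawPublicKey(publicKey);
  const deviceId = deriveDeviceId(raw);
  const message = `clawkey-register:${deviceId}:${now}`; // assumed format
  const signature = crypto.sign(null, Buffer.from(message), privateKey);
  return { deviceId, publicKey: raw.toString("base64"), message,
           signature: signature.toString("base64"), timestamp: now };
}

// Verifier side: returns "ok" or the reason the challenge is rejected.
function verifyChallenge(c, now = Date.now()) {
  const raw = Buffer.from(c.publicKey, "base64");
  if (raw.length !== 32) return "bad-public-key";
  if (deriveDeviceId(raw) !== c.deviceId) return "device-id-mismatch";
  if (Math.abs(now - c.timestamp) > MAX_AGE_MS) return "stale-timestamp";
  // The signed message must cover deviceId and timestamp, or both can be swapped.
  if (c.message !== `clawkey-register:${c.deviceId}:${c.timestamp}`) return "message-mismatch";
  const key = crypto.createPublicKey({
    key: { kty: "OKP", crv: "Ed25519", x: raw.toString("base64url") },
    format: "jwk",
  });
  const ok = crypto.verify(null, Buffer.from(c.message), key, Buffer.from(c.signature, "base64"));
  return ok ? "ok" : "bad-signature";
}

// Constructed sample run with a throwaway key pair.
const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
const challenge = buildChallenge(privateKey, publicKey);
console.log(verifyChallenge(challenge)); // ok
```

Only the object returned by buildChallenge would leave the agent; the timestamp is checked both for freshness and against the signed message so an old signature cannot be replayed with a new timestamp.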
URLs
| Resource | URL |
|---|---|
| ClawKey website | https://clawkey.ai |
| API (production) | https://api.clawkey.ai/v1 |
| API (local dev) | http://localhost:3000/v1 |
Security Notes
- Private key — Used only locally to sign challenges. Never send the private key to ClawKey or any server.
- Registration URL — Single-use and short-lived. Give it only to the human owner who will complete verification.
- Public key & signature — These are safe to send to the API. They prove key ownership without exposing the private key.
Ready to integrate? See the Integration Guide for step-by-step instructions, or jump to the API Reference for endpoint details.