this is the certificate authority for the notme identity stack. it issues short-lived Ed25519 bridge certificates using the signet protocol. your key stays on your machine — this service only attests your identity.
signet is open source. this authority is a Cloudflare Worker with a Durable Object that generates and stores the CA key — no secrets to manage. fork, deploy, own your identity chain.
source: github.com/agentic-research/signet
request a GHA OIDC token (audience: notme.bot) and exchange it for a 5-minute bridge cert. no stored secrets — the OIDC JWT is the credential.
returns { certificate, private_key, expires_at, subject }. cert is valid for 5 minutes — enough for one job.
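a client-side version of the GHA exchange above, added here as an example and not taken from the signet source: it checks the OIDC token's audience before sending it, and checks the four returned fields and the 5-minute lifetime afterwards. assumptions: the token is sent as a Bearer header, expires_at is an RFC 3339 timestamp, and a 30 s clock-skew allowance; the ACTIONS_ID_TOKEN_* variables are the ones GitHub sets when the job has `permissions: id-token: write`.

```python
import base64, json, os, time, urllib.request
from datetime import datetime, timezone

AUTHORITY = "https://auth.notme.bot"  # authority base, from the page
AUDIENCE = "notme.bot"                # required OIDC audience, from the page
MAX_TTL = 5 * 60                      # bridge cert lifetime in seconds, from the page
FIELDS = {"certificate", "private_key", "expires_at", "subject"}

def preflight(token, now=None):
    """Decode (not verify) the JWT and refuse one that is mis-scoped or expired."""
    now = time.time() if now is None else now
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"token audience is {aud!r}, expected {AUDIENCE!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("OIDC token already expired")
    return claims

def check_response(resp, now=None):
    """Require the four documented fields and a lifetime of at most 5 minutes."""
    now = time.time() if now is None else now
    missing = FIELDS - set(resp)
    if missing:
        raise ValueError(f"response missing {sorted(missing)}")
    # ASSUMPTION: expires_at is an RFC 3339 timestamp (UTC if no offset given).
    exp = datetime.fromisoformat(resp["expires_at"].replace("Z", "+00:00"))
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    ttl = exp.timestamp() - now
    if not 0 < ttl <= MAX_TTL + 30:  # 30 s clock-skew allowance (assumed)
        raise ValueError(f"unexpected cert lifetime: {ttl:.0f}s")
    return ttl

def _call(url, bearer, method="GET"):
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": "Bearer " + bearer})
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)

if __name__ == "__main__":  # runs only inside a GitHub Actions job
    url = os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"] + "&audience=" + AUDIENCE
    token = _call(url, os.environ["ACTIONS_ID_TOKEN_REQUEST_TOKEN"])["value"]
    preflight(token)
    # ASSUMPTION: the token is sent as a Bearer header; the page gives only the path.
    resp = _call(AUTHORITY + "/cert/gha", token, method="POST")
    print(f"{resp['subject']}: cert valid for {check_response(resp):.0f}s")
```

the response carries private_key, so the script prints only the subject and remaining lifetime and never the response itself.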
authority base: https://auth.notme.bot
| method | path | description |
|---|---|---|
| POST | /exchange-token | OIDC token → bridge cert (human auth flow via signet CLI) |
| POST | /cert/gha | GHA OIDC → bridge cert (audience: notme.bot · 5-min TTL · edge-handled) |
| POST | /api/cert/register | GitHub PAT → bridge cert (agent / headless registration) |
| GET | /.well-known/ca-bundle.pem | CA trust anchor (configure MCP servers to verify client certs) |
| GET | /.well-known/signet-authority.json | authority discovery (endpoints, algorithms, documentation) |
| GET | /login | OAuth flow (browser) |
| GET | /healthz | health check |
the signing chain from your long-lived identity to an agent's ephemeral session key.