Notme.bot: New Open-Source Specification Replaces Bearer Tokens with Cryptographic Provenance for AI Agents

Summary

A new open-source specification called notme.bot has been introduced to address critical security vulnerabilities in how AI agents and CLI tools handle authorization. The specification, developed by independent researchers, moves away from traditional bearer token authentication toward cryptographic provenance-based systems that enable humans to delegate specific, verifiable authority to AI agents in a local-first, privacy-preserving manner. The project was inspired by real-world constraints—specifically, the inability to use OAuth/Bearer token flows without internet connectivity—and recent security incidents including multiple Trivy vulnerabilities that exposed the dangers of storing secrets in centralized vaults where they can be exfiltrated. The reference implementation and full draft specification are now available on GitHub under the agentic-research/signet repository, offering developers and organizations an alternative approach to securing AI agent interactions.

• The open-source implementation prioritizes privacy and user control over institutional secret management practices

Editorial Opinion

Notme.bot addresses a genuine pain point in the emerging AI agent ecosystem—how to safely delegate authority to automated systems without replicating the security pitfalls of bearer token management. The cryptographic provenance approach is conceptually sound and timely, especially as AI agents become more autonomous. However, widespread adoption will require significant ecosystem changes and developer education, as the security model requires rethinking conventional authentication patterns built over decades.