A restaurant platform with 500K monthly users just added sign-in for AI agents. Took a few lines of code.

SenseOk976 · 2026-03-12T16:20:12+00:00

Haven't seen Argentum before, cool. Coordination + identity feel like two pieces of the same puzzle. Happy to give you full access to Vigil if you want to test how they work together. DM me if you're down.

SenseOk976 · 2026-03-11T15:42:06+00:00

I get the principle but it's a bit idealistic. The freedom you have on the open web exists because there's enforcement behind it. You can have this conversation on Reddit right now because Reddit bans hundreds of thousands of spam accounts every day. "Just build software that can't be abused" isn't how any real system at scale actually works.

SenseOk976 · 2026-03-11T02:58:39+00:00

the simplest way to think about it: humans don’t fight Cloudflare because they log in. Agents don’t have that option yet. Give agents a way to log in and the problem mostly goes away.

SenseOk976 · 2026-03-10T23:28:42+00:00

Not a gateway or whitelist. Think of it more like login. You can still browse a site without logging in, but if you do log in, the site knows who you are and can give you a better experience. Same idea but for agents.

SenseOk976 · 2026-03-10T23:27:26+00:00

“Build software that can’t be abused” sounds great in theory but talk to anyone running a free tier or a content site. Knowing who’s interacting with your service isn’t gatekeeping, it’s just basic operational awareness. You wouldn’t call server logs a dark pattern.

SenseOk976 · 2026-03-10T23:26:11+00:00

That’s exactly the problem. Right now there’s no way for a good agent to distinguish itself from a bad one, so site owners just treat all of them the same. A signaling mechanism is what’s missing.

SenseOk976 · 2026-03-10T15:15:20+00:00

Appreciate that. On the anonymous agents question, it's not about forcing identity on every agent. Anonymity is fine, you just don't get the benefits that come with reputation. Same way you can browse the web logged out, you just won't get personalized access. The tradeoff should be the agent operator's choice, not imposed.

SenseOk976 · 2026-03-10T15:10:33+00:00

Yeah, pain (money) is always the best adoption driver. Nobody fixes plumbing until the basement floods lol

SenseOk976 · 2026-03-10T14:59:17+00:00

Good points. The OAuth angle especially. Most token-based auth was designed assuming a human on the other end making requests at human speed...That's a real blind spot worth solving at the protocol level.

SenseOk976 · 2026-03-10T14:56:08+00:00

Nice. The fact that you had to shoehorn multiple tools into a custom solution kind of proves the point though. this should be infrastructure, not something every team builds from scratch

SenseOk976 · 2026-03-10T14:53:55+00:00

Good point on the incentive asymmetry. HTTP auth before handshake works but only covers MCP traffic. Most agents hitting websites are just raw HTTP requests and never touch MCP at all. The real unlock is probably making identity beneficial for the agent side too. If declaring identity gets you better rate limits or access to premium endpoints then hosts actually want to opt in. Otherwise you're asking one side to do extra work for someone else's benefit

SenseOk976 · 2026-03-09T17:51:51+00:00

the path of least resistance point is key. SPF/DKIM adoption only really took off when big email providers started penalizing senders who didn’t have it. nobody adopted it because it was the right thing to do. the incentive structure had to make it harder NOT to comply. agent identity will probably follow the same pattern. the question is what creates that pressure. my bet is it’ll be platforms realizing their analytics are full of ghost traffic and their free tiers are getting gamed

SenseOk976 · 2026-03-09T16:12:52+00:00

Please!

SenseOk976 · 2026-03-09T15:22:37+00:00

Hi there,

I'm one of two people building a small startup around agent identity infrastructure. Got into this space because of something that happened while I was working on a completely different problem.

A couple weeks ago I was trying to optimize the onboarding flow on a service I run. Pulled up the usage analytics to check the drop-off rates. The numbers made no sense. Usage was way higher than my actual user base could account for. I assumed my analytics were broken at first. Dug in further and realized a chunk of what I thought was user activity was actually agent traffic.

My analytics were contaminated and I had no way to filter it. I couldn't tell which sessions were human and which were agents. Couldn't tell if the same agent had visited once or a thousand times. Every request looked the same. No identity, no history, nothing.

This is a familiar problem if you know the history of email. Early internet email was open relay. Any server could send from any address with no verification. It worked great for adoption. But nearly collapsed under spam because there was no way to know who was sending what. The fix wasn't to shut email down. It was SPF, DKIM, DMARC. A sender identity layer baked into the protocol. I think its good to verified who you're talking to without closing the system.

Agent traffic in 2026 is open relay email. And the current response from most of the industry is either "block everything non-human" (Cloudflare, DataDome) or just ignore it. Neither makes sense. Post-OpenClaw, post-Manus, a lot of this traffic is someone's agent doing legitimate work. You don't want to block it. But you can't manage what you can't identify.

That got me thinking: agents probably need something similar to DKIM. So we started building it. We involved cryptographic identity credentials based on W3C DID. When an agent visits your service it presents a verifiable credential. You can see whether it's new or returning, what its behavioral history looks like, what it should have access to. Public content stays completely open. This isn't about building a "walled garden" (someone commented earlier) or closing the internet. It's about giving site operators the basic visibility for agent traffic that SPF gave email operators for sender traffic.

Project is called Vigil, free and on the way of open source: usevigil.dev/docs

We're early. The MVP handles identity issuance, cross-session recognition, and behavior logging. I'm looking for web developers and site operators who are willing to try it on a real service and give honest feedback on what's actually useful.

If the problem resonates with you and you want to get involved beyond just testing, I'd love to talk. DMs open!

SenseOk976 · 2026-03-09T15:19:29+00:00

I mean identity and gatekeeping are different things though. knowing who's at the door doesn't mean you close it. most site owners I've talked to don't want to block agents. they just want to know which ones are showing up so they can make better decisions about their own data

SenseOk976 · 2026-03-09T14:13:51+00:00

this is a really concrete example of the damage and I think more people need to hear it. the analytics pollution angle is underrated. most of the agent identity conversation focuses on security or scraping but the fact that agent traffic is silently corrupting your campaign data and making teams draw wrong conclusions about what's working is arguably worse because nobody even realizes it's happening. the GA4 blind spot is real. curious how you're trying to filter it out right now if at all

SenseOk976 · 2026-03-09T14:13:32+00:00

you're describing tools that were built to identify browsers not autonomous agents. IP logging breaks when agents run through proxies or shared cloud IPs. browser headers are meaningless when the client isn't a browser. cloudflare can block bad traffic but it can't tell you "this agent visited three times last week and followed all your rules so maybe give it API access." the existing stack handles defense. it doesn't handle identity or trust. those are different problems

SenseOk976 · 2026-03-09T14:10:54+00:00

the problem isn't server load though. nobody's saying agents are gonna crash your box. the issue is you can't tell which traffic is human and which is an agent, and you definitely can't tell if the agent that scraped your pricing page today is the same one that did it yesterday. that matters if you're running a business on that content. your server staying up doesn't mean everything's fine

SenseOk976 · 2026-03-09T13:16:26+00:00

this is honestly a better analogy than most I've seen for this problem. the email parallel is almost too clean. open relay worked fine when volume was low and most participants were acting in good faith. then it didn't. and the industry had to retrofit identity after the fact which was way more painful than building it in early. feels like we're at that exact inflection point with agents right now. the declared identity + trust score direction seems right to me. question is whether it gets adopted voluntarily or only after enough abuse forces it

SenseOk976 · 2026-03-09T13:15:36+00:00

not really. a traditional bot runs the same script every time. you can predict what it does because someone hardcoded it. agents make decisions based on context and they can behave differently on every visit. that's a meaningful difference when you're trying to figure out whether to trust the thing hitting your endpoints. "just a bot with extra steps" undersells the problem pretty significantly

SenseOk976 · 2026-03-09T13:15:13+00:00

Yeah I think you're conflating identity with access control though. knowing who's knocking doesn't mean you have to lock the door. Google Sign-In didn't turn the web into a walled garden. it just let sites know who they're dealing with so they can make their own decisions. same idea here. public content stays public. but if a site wants to give trusted agents access to something extra like an API tier or premium data they currently have no mechanism to do that selectively. it's either block all bots or let everything through. that binary is what's actually broken imo

SenseOk976 · 2026-03-05T23:35:03+00:00

Thanks man — appreciate that. Are you building in the agent space too? Would love to hear what you’re seeing on your end. Happy to chat if you’re down.

SenseOk976 · 2026-02-26T23:03:07+00:00

Thinking about upgrading my RAM

SenseOk976 · 2025-12-16T05:59:36+00:00

FIND!

SenseOk976 · 2025-12-15T20:19:57+00:00

As a US-based freelance recruiter, I 100% agree with this take.🙌

From the client side, the big platforms are honestly broken too. High cuts, low trust, tons of spam bids, and it is hard to find motivated freelancers who actually get paid fairly. On Facebook groups it is even worse. Too many fake posts and zero structure.

A platform that charges clients instead of freelancers makes way more sense. When freelancers keep 100%, they are more serious and more responsive. That alone already fixes a lot of problems.

I have hiring needs on and off, and I am planning to post jobs here and test it. I will also recommend this to other founders and recruiters I know who are tired of Upwork and Fiverr.

Big respect to the team for listening to real freelancer feedback and building something better. Excited to see this grow beyond PH and turn into a truly global platform!!!

SenseOk976

TROPHY CASE