getai.id vs API keys.
API keys authenticate a string, not a person. getai.id binds AI agents to verified humans with cryptographic, soulbound, zero-knowledge identity.
An API key is a shared secret. It identifies whichever process presents the bytes — not the human who deployed that process, not the model behind it, not the jurisdiction it operates in. That works for SaaS billing. It does not work for agent accountability under EU AI Act Article 49 or FATF Travel Rule compliance.
getai.id solves a different problem. Every agent registered against the protocol carries a soulbound on-chain credential that points to a Verified Owner Credential — the cryptographic fingerprint of a biometrically verified human or legally constituted organization. Verifiers receive a yes/no plus regulatory attribution; they never see the operator's name, document, or biometric template.
Side by side
API keys vs UAIIP — bytes vs identity
| Capability | API keys | UAIIP |
|---|---|---|
| Identifies the human operator | ||
| Survives credential rotation without losing history | ||
| Cryptographic agent fingerprint (Ed25519 + SHA-3-512) | ||
| Zero-knowledge attestation in outputs | ||
| EU AI Act / FATF / MiCA attribution | ||
| Soulbound, non-transferable identity | ||
| Tamper-proof on-chain audit trail | ||
| Sub-5ms permission checks | Partial | |
| Works across organizations | ||
| Implementation: minutes to days | minutes | under one hour |
API keys are fine when
- Internal-only agents, single trust boundary, no external counterparties.
- No regulated workflow attached (no money movement, no health, no benefits, no minors).
- You don't need to prove who deployed the agent in court or to a regulator.
- The blast radius of a leaked key is small and recoverable.
You need UAIIP when
- Your agents touch regulated workflows (financial, healthcare, government, education).
- You need to prove non-repudiation: who deployed this agent, when, with what authority.
- You ship agents to multiple counterparties who don't share your trust boundary.
- You need to satisfy EU AI Act, FATF, MiCA, GENIUS Act, GDPR, BSA/AML, or EO 14110.
- You want a portable identity that survives credential rotation and platform migration.
FAQ
Common questions.
- Aren't API keys still fine for internal AI agents?
- For closed environments where every party shares the same trust boundary, yes. Once an agent acts on someone else's behalf, exits your network, or transacts under regulated conditions, an API key cannot satisfy the audit trail.
- Doesn't OAuth solve this?
- OAuth is human-in-the-loop. It assumes a browser-based consent flow. getai.id is designed for autonomous agents acting under a verified human's authority — see /vs/oauth.
- Can I use both?
- Yes. Many getai.id integrations issue ASIDs alongside API keys; the ASID provides regulator-readable identity, the API key provides API-layer auth. They are complementary.