ZeroID: Open-source identity platform for autonomous AI agents

The tech press is calling this an ‘identity and credentialing layer for autonomous agents.’ Here’s what it actually means: until now, when your AI agent called an API, wrote a file, or deleted a record, there was no reliable way to prove which agent did it, who authorized it, or whether anyone could have stopped it mid-flight.

That’s not a theoretical problem. Last year, a Replit coding agent deleted 1,206 customer records in seconds, operating at 5,000 actions per minute. At that speed, asking a human to approve each action isn’t a process — it’s a fantasy. The agent acted. The records were gone. And the audit trail pointed at a shared service account that told you nothing useful.

ZeroID is an attempt to fix the accountability gap before it becomes everyone’s nightmare. If you’re running agentic AI in any capacity — personal assistant, business workflow, multi-agent pipeline — this is infrastructure worth understanding.

What ZeroID Is and Why Highflame Built It Now

On April 8, 2026, Highflame — an AI security company — released ZeroID under the Apache 2.0 license. It’s available on GitHub today, with SDKs for Python, TypeScript, and Rust, and integrations already built for three major agent frameworks: LangGraph, CrewAI, and Strands.

The timing isn’t accidental. Multi-agent systems — where one orchestrator agent spawns a dozen sub-agents to carry out different pieces of a task — are becoming the default architecture for serious AI deployments. And nobody had solved the question of who those sub-agents were, what they were allowed to do, or how to stop them.

The company also operates a hosted version at auth.highflame.ai if you don’t want to self-host. For local testing, a Docker Compose setup spins up the database and server in minutes — it requires Go 1.25+ and PostgreSQL 14+.

Why AI Agent Identity Is the Industry’s Most Urgent Unsolved Problem

The current workaround that most teams use for agent authentication is shared service accounts or borrowed user credentials. According to Highflame’s own documentation, this produces audit logs that are essentially useless — you know something happened, but you can’t tell which agent did it or what it was authorized to do.

The other common approach: long-lived API keys sitting in config files with no expiration date. At Salesloft, OAuth tokens delegated to agents stayed active for months after the workflows that needed them had already finished — a quiet, durable attack surface that nobody was monitoring.

Standard authorization protocols like OAuth 2.0 weren’t designed for this. They were built for humans logging into applications — not for agents that operate asynchronously, spawn other agents, and cross organizational boundaries without a human approving every step. The protocol mismatch isn’t a gap you can patch around the edges.

What ZeroID Actually Does — Without the Jargon

ZeroID gives each agent a permanent, verifiable identity — not just a generic service account, but a specific URI that encodes the organization, project, agent type, and agent name. Think of it like a passport for your agent: one that proves not just who the agent is, but who sent it and what it was allowed to do.

When a main orchestrator agent delegates work to a sub-agent, ZeroID creates a token that carries all three identities: the original human or system that authorized the task, the orchestrator, and the sub-agent itself. Critically, the sub-agent automatically receives fewer permissions than the orchestrator — it can’t inherit rights that the orchestrator doesn’t already have. Scope shrinks as delegation deepens.

Those tokens are short-lived by design. No long-lived API keys. Access credentials expire, and if something goes wrong mid-workflow, you can revoke a token at any point in the chain — which instantly kills all downstream tokens derived from it. If you revoke the orchestrator’s access, every sub-agent it spawned loses access simultaneously.

The Tradeoff ZeroID Doesn’t Hide

Here’s the part that deserves more attention than it’s getting: ZeroID offers two verification modes, and they have different security profiles.

The first mode checks revocation status in real time — every time an agent uses a token, the system confirms it hasn’t been revoked. This is the secure path, but it requires a network round-trip on every action. For high-frequency agent operations, that latency adds up.

The second mode uses local token verification against a cached endpoint — faster, but it doesn’t check real-time revocation. If you revoke an agent’s access, the agent can continue operating until its local cache refreshes. The documentation is explicit about this tradeoff: the choice between latency and revocation immediacy is yours to make consciously. Most teams won’t read that footnote until something breaks.

What to Do This Week If You Run AI Agents

• Audit your current agent credentials. Check whether your agents are running on shared service accounts or long-lived API keys. If they are, you have an unmonitored attack surface regardless of whether you adopt ZeroID.
• Review ZeroID’s GitHub repo at github.com/highflame-ai/zeroid — specifically the Python SDK quickstart notebook if you’re already using LangGraph or CrewAI. The integration is available now.
• Decide on your revocation model. If you’re deploying agents that take irreversible actions (writing files, calling APIs with side effects, sending emails), default to real-time revocation even at the cost of latency. The local-cache path is for read-heavy, low-risk workloads.
• Watch the planned features. The CLI, the human-in-the-loop approvals API, and the backchannel authentication for mid-workflow user authorization are on the roadmap but not yet released. If those features are blockers for your use case, stay on the waitlist.
• If you’re on a managed platform like BrainRoad, watch for platform-level ZeroID integration — the kind that handles agent identity behind the scenes so you don’t have to configure it manually.

What ZeroID Means for AI Agent Users and Builders

The teams building multi-agent systems today are making architectural decisions that will be very difficult to undo later. Bolting on identity infrastructure after the fact is harder than building it in from the start — and the window to get this right is right now, while the patterns are still forming.

Sharath Rajasekar, CEO of Highflame, put it plainly: ‘If we don’t get this right, we’re going to end up with systems that are powerful but fundamentally unaccountable.’ That’s not a future problem. Salesloft’s stale OAuth tokens were a present problem. The Replit deletion incident was a present problem.

The teams that build accountability into their agent infrastructure now will be in a fundamentally different position when regulators, auditors, or clients ask ‘what did your AI do, and who authorized it?’ Everyone else will be staring at shared service account logs that tell them nothing.

What This Means for Your Agent Stack

• ZeroID launched April 8, 2026, free and open-source under the Apache 2.0 license, with SDKs for Python, TypeScript, and Rust and released integrations for LangGraph, CrewAI, and Strands.
• The core problem it solves: shared service accounts and long-lived API keys give agents permission to act but no verifiable identity — making audit trails useless and revocation difficult.
• The key capability: verifiable delegation chains where each sub-agent token carries the full authorization lineage, and scope automatically shrinks at each delegation hop.
• The honest tradeoff: real-time revocation requires a network call per action; local verification is faster but doesn’t catch revocations immediately. Choose based on your risk profile.
• Planned but not yet released: CLI, human-in-the-loop approvals API, backchannel authentication for mid-workflow user authorization. The core identity layer is available now; the workflow guardrails are coming.