Summary
This is an exploratory issue / RFC prompt — not a committed feature. The goal is to think through whether authsome could operate as a hosted proxy service rather than requiring every user or agent to install and run a local CLI daemon.
The Idea
Today, authsome requires a local daemon (authsome init + authsome login) on each machine where an agent runs. For many agent runtimes — especially cloud-hosted or sandboxed environments — this is friction:
- The agent cannot run a browser-based OAuth flow
- Installing and configuring a CLI in a container adds overhead
- There is no easy way to share credentials across multiple agent instances
A hosted proxy mode would let users store credentials centrally in an authsome-managed (or self-hosted) proxy, and agents would authenticate to that proxy rather than managing local credentials.
Potential Benefits
- Zero-install for agents — a cloud agent just points
HTTPS_PROXY at the hosted endpoint; no daemon, no OAuth flow at runtime
- Centralized credential management — one place to rotate, revoke, or audit tokens across all agents
- Easier multi-agent sharing — multiple agents can share a credential set without each running a local daemon
- Works in sandboxed / headless environments — no browser required on the agent machine
Open Questions
- Security model — credentials leave the user's local machine. What is the threat model? Who is trusted with plaintext tokens in the proxy?
- Trust boundaries — how does an agent authenticate to the proxy? mTLS? short-lived tokens? PoP JWTs from a registered identity?
- Single-tenant identity — authsome is intentionally single-tenant. Does a hosted proxy imply multi-tenancy, or can it stay single-tenant per deployment?
- Self-hosted vs. managed — is this a service Authsome runs, or something users deploy themselves (e.g.,
authsome serve --proxy)?
- Credential isolation — if multiple agents share one proxy, what prevents agent A from accessing agent B's credentials?
- Audit and observability — centralized proxying creates a natural audit log; is that a feature or a concern?
Why Worth Exploring
The current CLI-first model is excellent for human-controlled machines. But the agent ecosystem is increasingly cloud-native. A hosted proxy is one path toward making authsome work seamlessly in those environments without compromising on the security guarantees the local model provides.
Out of Scope (for now)
- Any concrete implementation decisions
- Changes to the existing local CLI/daemon model (this would be additive, not a replacement)
Summary
This is an exploratory issue / RFC prompt — not a committed feature. The goal is to think through whether authsome could operate as a hosted proxy service rather than requiring every user or agent to install and run a local CLI daemon.
The Idea
Today, authsome requires a local daemon (
authsome init+authsome login) on each machine where an agent runs. For many agent runtimes — especially cloud-hosted or sandboxed environments — this is friction:A hosted proxy mode would let users store credentials centrally in an authsome-managed (or self-hosted) proxy, and agents would authenticate to that proxy rather than managing local credentials.
Potential Benefits
HTTPS_PROXYat the hosted endpoint; no daemon, no OAuth flow at runtimeOpen Questions
authsome serve --proxy)?Why Worth Exploring
The current CLI-first model is excellent for human-controlled machines. But the agent ecosystem is increasingly cloud-native. A hosted proxy is one path toward making authsome work seamlessly in those environments without compromising on the security guarantees the local model provides.
Out of Scope (for now)