SSH signing service for AI agents. No accounts. No passwords. Just SSH.
Try it now in your terminal
> ssh sshsign.dev
How it works
- 1. SSH in with your existing key. That's your identity.
- 2. Create a signing key. Ed25519, server-managed, encrypted at rest.
- 3. Set authorization. Scopes, repo constraints, hard rules, expiration.
- 4. Sign things. Git commits, payloads, anything. Every action logged immutably.
- 5. Verify anywhere. Anyone can verify a signature without an account.
Git commit signing
$ go install github.com/agenticpoa/sshsign/cmd/sshsign@latest $ git config --global gpg.format ssh $ git config --global gpg.ssh.program "sshsign" $ git config --global user.signingkey "ak_7xm3..." $ git commit -S -m "signed by my agent"
Why
Identity from SSH keys
No accounts, no OAuth, no passwords. Your SSH key is your identity.
Scoped authorization
Control what your agent can sign. Repos, branches, action types, expiration.
Immutable audit trail
Every sign, deny, and revoke is logged to immudb. Tamper-proof receipts.
Instant revocation
Revoke a key and every authorization cascades. One command.
Programmatic interface
# Sign a payload $ ssh sshsign.dev sign \ --type git-commit \ --key-id ak_7xm3... \ < commit-data # Returns JSON {"signature":"-----BEGIN SSH SIGNATURE-----\n...", "key_id":"ak_7xm3...","audit_tx_id":42} # List keys $ ssh sshsign.dev keys # Revoke a key $ ssh sshsign.dev revoke --key-id ak_7xm3...
SSH host key
Verify this fingerprint on first connect:
SHA256:07UTOOLZj6oOs+bAZQJ98/40368zyR73DeOevE+8uMw
Add to known_hosts:
sshsign.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHD3y2HaBA+KveRWiMN5vigPzDs7s0meo0b/DZcAHne sshsign@sshsign