Sessionless is an open-source authentication protocol designed to operate without long-lived server sessions, cookies, or shared secrets. Instead, it relies on **public-private key cryptography**, allowing identity to be verified through signed messages.
Its core goal is to enable **stateless, cross-platform, and privacy-preserving authentication** suitable for decentralized, federated, or agent-based systems. It provides lightweight primitives for key generation, message signing, and verification, and is designed to be transport-agnostic: usable over HTTP, WebSockets, or even peer-to-peer protocols (source: github.com).
# Key Features

- **No Sessions Required**: Authentication is handled entirely through signed messages, so there is no need to store session state on the server.
- **No Shared Secrets**: Identity is established cryptographically without passwords or secret keys passed between client and server.
- **Multi-language Support**: Implementations are available in multiple languages including JavaScript, Python, Rust, Java, Kotlin, Swift, and C++.
- **Cross-platform**: Clients and servers in different environments can interoperate as long as they share the same cryptographic protocol.
- **MIT Licensed**: Freely usable and adaptable for both personal and commercial projects.
# Technical Summary

Sessionless relies on a simple set of primitives:

- `generateKeys`: Create a public/private keypair on the secp256k1 elliptic curve
- `sign`: Sign a message using the private key
- `verifySignature`: Verify a signature with the public key
- `generateUUID`: Create deterministic user/device identifiers

These allow participants to prove their identity or the integrity of data without requiring any server-side session or database lookup.
It is especially well-suited for agentic systems where lightweight and autonomous identity mechanisms are needed.
# Use Cases

- **Decentralized Agent Networks**: Agents or nodes can verify signed messages from each other to establish trust.
- **Identity for Homelab Agents**: Sessionless provides a secure identity layer for individual homelab nodes without a centralized login system.
- **Signed Plans & Vibelets**: Each plan or Vibelet generated by an agent can be cryptographically signed, verifying its origin and enabling transparent review.
- **Stateless APIs or Gateways**: Lightweight services can authenticate users or agents without storing any per-session state.
- **Multi-device Authentication**: Devices or apps can identify themselves across platforms without requiring centralized account systems.
# Fit with the Hitchhiker’s Project

Sessionless aligns closely with the design principles of Hitchhiker’s:

- **Decentralization**: Identity is self-sovereign and does not depend on a central authority.
- **Federation**: Signed forks and plans can be verified across wiki instances.
- **Auditability**: Every agent action can be accompanied by a signed statement of origin.
- **Security with Transparency**: Plans, Vibelets, and ghost pages can be both inspectable and cryptographically validated.

It fits naturally as a **lightweight trust layer** between agents, wikis, and homelab participants.
# Limitations

- **Key Revocation and Rotation**: There is no built-in mechanism for revoking keys or rotating credentials. This must be layered externally.
- **Authorization Not Included**: Sessionless provides authentication but not permission logic. Who can do what must be defined separately.
- **Storage of Private Keys**: Safe storage of keys (especially on homelab devices) remains a challenge that must be addressed carefully.
- **Early-Stage Adoption**: The project is relatively new and has limited adoption at the time of writing.
# Future Directions

- Integrate with **agent plans** and wiki tools for signed artifacts
- Use in combination with **ghost pages** and **signed forks** to build trust chains
- Develop UI components for key management and trust visualization
- Encourage community contributions to harden and extend protocol features (e.g. key rotation)
[ht1]: ## "Many auth protocols are client-server, where the client supplies some secret information to authenticate requests. But there are other authentication needs, such as between processes on one machine, or server-server relationships. Sessionless works for all of these."
[ht2]: ## "Many auth protocols rely on https for encryption of tokens and jwts. Sessionless sends no sensitive data so it can be used through unencrypted transports like BLE, NFC, straight TCP, etc."
# See
- Sessionless on github
- docs.planet-nine.io
[ht4]: ## "Randomness and storage are the two things to figure out with cryptographic stuff, and those are largely platform dependent. So we have typically made one implementation which works for servers in a language, and then other implementations which work for the clients."
[ht5]: ## "A shared secret is anything that is known between a client and a server that, along with an identifier, is used to authenticate a user. The two most common shared secrets are passwords and sessions"
[ht6]: ## "That's right. Not even email."