# authsome

> Local auth for AI agents. Log in once via OAuth2 or API key. Authsome keeps credentials fresh for every agent.

## Docs

- [Architecture](https://authsome.mbajaj.me/concepts/architecture.md): Five layers — identity, policy, vault, auth, audit — composed by an explicit orchestrator.
- [Credential storage](https://authsome.mbajaj.me/concepts/credential-storage.md): How authsome encrypts, namespaces, and locks the per-profile credential vault.
- [Provider registry](https://authsome.mbajaj.me/concepts/provider-registry.md): How authsome resolves provider definitions from bundled JSON, user overrides, and registered custom providers.
- [Proxy injection](https://authsome.mbajaj.me/concepts/proxy-injection.md): How `authsome run` injects auth headers into outbound HTTP requests without exposing secrets to the child process.
- [Custom providers](https://authsome.mbajaj.me/guides/custom-providers.md): Add any OAuth2 or API-key service that authsome doesn't ship as a bundled provider.
- [Headless setup with device code](https://authsome.mbajaj.me/guides/headless-device-code.md): Authenticate over SSH or in CI without a local browser by using the OAuth2 Device Authorization Grant.
- [Log in with OAuth](https://authsome.mbajaj.me/guides/login-with-oauth.md): Use the PKCE browser flow to authenticate with GitHub, Google, Linear, and other OAuth2 providers.
- [Profiles](https://authsome.mbajaj.me/guides/profiles.md): Isolate credential sets per identity context — personal, work, or per-agent.
- [Run agents with the proxy](https://authsome.mbajaj.me/guides/run-agents-with-proxy.md): Use `authsome run` to inject auth headers into outbound requests without exposing secrets to the child process.
- [Use API keys](https://authsome.mbajaj.me/guides/use-api-keys.md): Authenticate with OpenAI, Anthropic, and other API-key providers through a secure browser bridge.
- [Introduction](https://authsome.mbajaj.me/index.md): Local auth for AI agents. Log in once via OAuth2 or API key. Authsome keeps the credentials fresh for every agent.
- [Quickstart](https://authsome.mbajaj.me/quickstart.md): Install authsome, log in to a provider, and run an agent with injected credentials.
- [Bundled providers](https://authsome.mbajaj.me/reference/bundled-providers.md): Every provider that ships with authsome out of the box.
- [CLI reference](https://authsome.mbajaj.me/reference/cli.md): Every authsome command, flag, and exit code.
- [Environment variables](https://authsome.mbajaj.me/reference/environment-variables.md): Variables authsome reads, writes, and injects into subprocesses.
- [Provider schema](https://authsome.mbajaj.me/reference/provider-schema.md): Every field in a provider JSON definition.
- [Diagnose with `doctor`](https://authsome.mbajaj.me/troubleshooting/doctor.md): Run health checks on directory layout, encryption, and provider parsing — and read the output.
- [OAuth callback errors](https://authsome.mbajaj.me/troubleshooting/oauth-callbacks.md): Diagnose `redirect_uri_mismatch`, port-in-use, browser-not-opening, and timeout errors during PKCE login.
- [Proxy networking](https://authsome.mbajaj.me/troubleshooting/proxy-networking.md): Diagnose TLS errors, certificate trust, pinned-cert SDKs, and corporate proxy interactions.
- [Token refresh failures](https://authsome.mbajaj.me/troubleshooting/token-refresh.md): Diagnose why a stored OAuth2 token failed to refresh and recover the connection.