This technical note describes the operating principles of Project IDENTITY, hereinafter referred to as ID, a lightweight authentication subsystem developed to reduce the overhead of credential management across independently operated applications.
ID is a no-signup, no-password authentication service. Each user is assigned a UUID on first login; that UUID is the only value released to clients upon successful authentication. Users may attach any number of authentication methods to their account — email magic link, OTP, passkey, or trusted device — but those methods exist solely to verify identity, not to transfer it. Because UUIDs carry no sensitive information, the exposure from a compromised client flow is inherently bounded.
| Protocol | OpenID Connect (OIDC), Authorization Code Flow |
| Authentication methods | Email magic link, OTP, passkey, trusted device (user-configurable) |
| Claims released | Stable UUID (sub), verified email address. No additional claims. |
| Session persistence | Cookie-based; subsequent authentications proceed without user interaction |
| Discovery endpoint | https://id.rac.so/.well-known/openid-configuration |
| Agent reference | https://id.rac.so/AGENTS.md — full HTTP surface for developers and agents |
| LLM index | https://id.rac.so/llms.txt — curated endpoint index for language models |
Application developers wishing to integrate with ID may register a client programmatically. No prior approval or coordination with the operating authority is required.
The registration request is issued as follows:
POST /clients HTTP/1.1
Content-Type: application/json
{"redirect_uris": ["https://your-application.example/callback"]}
The authorization server responds with a client identifier and a client secret. The secret is returned exactly once at the moment of registration; standard secure-storage practice applies thereafter.
The attack surface of the protocol is intentionally narrow. The maximum information disclosure resulting from a fully compromised client integration is bounded to a single verified email address per user. No correspondence, profile data, or auxiliary claims are accessible through this channel. Overall risk classification: LOW.