Show HN: Continuity-auth – Respect-weighted rate limits for the open web

2 points by danieltanfh95 a month ago · 4 comments · 1 min read


Identity is a missing piece for managing security in cyberspace where agents co-exist with humans. Traditional methods of managing open access like CAPTCHA or Anubis punish real humans while either being rapidly outclassed by computer-use agents or scaling poorly as the value of the site rises.

continuity-auth is my attempt to fix this from first principles by using device-continuity proof as a trust signal and time (enforced via rate-limiting) as the core resource to provide a graceful, zero-trust, login-less method to prevent abuse, supporting both browsers and CLI as first-class clients.

Built with Clojure/Script, babashka, and Datalevin. Work in progress. Happy to discuss.

Source: https://github.com/danieltanfh95/continuity-auth

arbol a month ago

This doesn't stop the bots - it just makes them hold a private key in their headless browser.

  • danieltanfh95 (OP) a month ago

    It heavily discourages bot farming, which is what makes bots economical.

    • arbol a month ago

      Proper bot operators already run long-lived sessions in order to avoid detection. So this inflicts additional financial penalties on basic bots (brute force) but not the more advanced ones, as they're already paying it.

      • danieltanfh95 (OP) 22 days ago

        Not all bots are bad, and the economic incentive of playing nice in a long-lived session bot is much stronger otherwise, which is kind of the point. It is the same with humans.
