P2P Connect any device to any device with a passkey — then talk directly, e2e encrypted, on Web, Mobile and Desktop.
Liquid Auth Cloud opens a direct, e2e encrypted WebRTC channel between two devices using a FIDO2 passkey bound to your decentralized identity (DID). Your identity is the account — no passwords, no central relay holding your data, zero cost when idle.
The web app asks Liquid Auth Cloud for a session — a QR code and deep link appear. No account, no password.
Liquid Auth Cloud is a cloud‑native fork of the Algorand Foundation's Liquid Auth — the same guarantees, rebuilt from the ground up for the edge.
The service issues a one‑time request id — shown as a QR code and deep link.
Your wallet authenticates with FIDO2/WebAuthn and co‑signs the same challenge with your identity key — both verified together, binding the passkey to you.
Both peers join the session's private room over WebSockets and exchange offer, answer and ICE.
An e2e encrypted DataChannel opens device‑to‑device — the relay steps out and never sees your messages or keys.
All on the cloud edge — 300+ locations · no servers to manage · nothing to pay when idle.
Same cryptography, same authentication flows — re‑imagined as a cloud‑native, identity‑first implementation. What changed:
Converging, not diverging — the Algorand Foundation dev team has agreed to add a WebSockets fallback to the Liquid Auth client and server. Once it lands, upstream Liquid Auth and Liquid Auth Cloud clients and servers interconnect directly.
Every piece runs at the edge and does exactly one job. Here's each one, in plain English.
The edge entry point. Handles every request at the nearest location — routing, CORS, session cookies, WebSocket upgrades.
Passwordless login with passkeys — Touch ID, Face ID, security keys — bound to your identity.
Globally-replicated, read-optimized storage for user records and credential→wallet lookups.
Keeps sessions in private, HMAC-signed storage with no dashboard, API, or CLI access.
The signaling relay — one private room per wallet. Relays the WebRTC handshake and broadcasts auth events.
After the handshake, devices talk directly — end-to-end encrypted.
All signing happens on your device. The Cloud only verifies signatures.
The Worker runs only on request; Durable Objects hibernate. Zero traffic, zero dollars.
Verification happens at the nearest of 300+ edge locations — close to every user.
No containers, no database, no Redis, no failover. Deploy is one command.
Sessions are HMAC-signed in opaque storage. Private keys never leave the device.
Signaling is ephemeral and maps perfectly to hibernating Durable Objects.
Once a Liquid Auth channel exists, the Agentic Communication and Control Protocol runs on top of it. Every peer is a DID; every approval happens in your wallet, gated by biometrics. The agent can ask — but the human always decides.
Message your agent from your wallet — replies come straight back.
The agent learns which identities and accounts it may use — nothing more.
The agent requests a signature; you approve with a fingerprint. Keys never leave the device.
Human-in-the-loopTool requests like "run this command" are relayed to your phone. You approve or deny.
Human-in-the-loopWatch what the agent is doing — tool calls, reasoning, token usage — in real time.
The agent pays for x402-protected APIs from your wallet — per request, with a spend cap. You approve every payment.
Human-in-the-loopEvery AC2 message is a DIDComm v2 plaintext envelope — the same message structure used across the decentralized-identity ecosystem — carried over the encrypted WebRTC channel.
// an AC2 signing request, on the wire { "@context": ["https://ac2.io/v1"], "type": "ac2/SigningRequest", "id": "0197f3a0-7c2e-7d41-b9c4-2f6a8f3d9e01", "from": "did:key:z6Mk...agent", "to": ["did:key:z6Mk...wallet"], "thid": "0197f3a0-11aa-7c02-8d55-40e2b7a91c22", "created_time": 1783121391, "expires_time": 1783125000, "body": { "payload_base64": "SGVsbG8sIEFDMiE=", "sig_hint": "raw-ed25519", "description": "Sign in to ExampleApp as your DID" } }
Pair once; the link is self-healing and reconnects automatically. After pairing, the controller persists and re-establishes on its own.
Runs inside the OpenClaw gateway. The setup wizard is idempotent — safe to re-run after every update.
# install or update from npm openclaw plugins install @goplausible/ac2-plugin-openclaw # restart the gateway, then run the one-time setup openclaw ac2 setup
Pairing is a slash command inside an OpenClaw session — scan the QR with Regent.
/ac2 pair # shows a QR + deep link
Note — pairing must be a slash command (the shell CLI exits too quickly to hold the socket). After pairing, the controller persists for 7 days and auto-reconnects.
/ac2 status # pairing record, online state, DID /ac2 forget # unpair
A Claude Code channel, distributed via the GoPlausible marketplace. Run inside Claude Code:
/plugin marketplace add GoPlausible/claude-algorand-plugin /plugin install ac2-plugin-claude@goplausible-claude-plugins
One-time setup auto-allows the AC2 tools, then start Claude Code with channels enabled:
/ac2:setup # auto-allow AC2 tools
claude --dangerously-load-development-channels server:plugin:ac2:ac2-channel
/ac2:pair # QR + deep link — scan with Regent
Requires — Claude Code v2.1.80+ on a claude.ai subscription (channels don't work with API-key auth) · Node 20+
A Codex plugin from the GoPlausible marketplace. Add the marketplace once, then install:
# one-time: add the marketplace codex plugin marketplace add https://github.com/GoPlausible/codex-plugins.git # install — to update later: codex plugin marketplace upgrade, then re-add codex plugin add ac2-plugin-codex@goplausible
Requires — Codex CLI or desktop app · Node 20+. Start a new thread after install or update.
Pairing is a natural ask inside any Codex thread — scan the QR with Regent.
Pair my AC2 wallet. # shows a QR + deep link
Note — pairing persists and auto-reconnects; future sessions need no QR.
Chat with Codex from Regent — signing, x402 payments and command approvals arrive on your phone. Slash commands, with autocomplete:
/ac2 # status · capabilities · version · forget /skill <name> # search + run any installed Codex skill /clear # start a fresh conversation
The phone app that pairs with agents, approves signing with biometrics, and chats with them. It's the human end of every AC2 conversation.
Illustrations of Regent's chat, signing approval and live activity trail.
This is the working Liquid Auth Cloud flow. Start a connection, scan with a Liquid Auth wallet, and a direct encrypted channel opens — multi-session, with its own chat tab each time.
Liquid Auth uses FIDO2 passkeys to bind AC2 client wallets to devices, then establishes WebRTC data channels for encrypted peer-to-peer communication — no passwords, no central relay.
How it works: