Liquid Auth Cloud  ·  Running on the edge  ·  300+ locations  ·  Zero idle cost  ·  No private keys, ever

Identifiable. Verifiable. Passwordless. Peer‑to‑peer. On the cloud edge.

P2P Connect any device to any device with a passkey — then talk directly, e2e encrypted, on Web, Mobile and Desktop.

Liquid Auth Cloud opens a direct, e2e encrypted WebRTC channel between two devices using a FIDO2 passkey bound to your decentralized identity (DID). Your identity is the account — no passwords, no central relay holding your data, zero cost when idle.

01 What is Liquid Auth Cloud

P2P connect securely and e2e encrypted on WebRTC — using identity and FIDO2/WebAuthn authentication.

Liquid Auth Cloud is a cloud‑native fork of the Algorand Foundation's Liquid Auth — the same guarantees, rebuilt from the ground up for the edge.

Passwords: None
Central relay holding data: None
Private keys on server: Never
Idle cost: $0.00
Edge locations: 300+
Transport: FIDO2 + WebRTC
Peer identity: DIDs
Built on: WebRTC · WebAuthn · WebSockets

How it works

Session

The service issues a one‑time request id — shown as a QR code and deep link.

Passkey, twice‑signed

Your wallet authenticates with FIDO2/WebAuthn and co‑signs the same challenge with your identity key — both verified together, binding the passkey to you.

Signaling

Both peers join the session's private room over WebSockets and exchange offer, answer and ICE.

Direct channel

An e2e encrypted DataChannel opens device‑to‑device — the relay steps out and never sees your messages or keys.

All on the cloud edge — 300+ locations · no servers to manage · nothing to pay when idle.

Forked from Algorand Foundation's Liquid Auth

Same cryptography, same authentication flows — re‑imagined as a cloud‑native, identity‑first implementation. What changed:

Signaling: Socket.IO — a framework → Plain WebSockets — a protocol. AC2 depends on a protocol, not a framework.
State: MongoDB + Redis → Cloud‑native KV + SQL connectors — nothing to host or operate.
Runtime: NestJS on Node → A reusable native‑Workers pattern, built for cloud‑native edges.
Runs on: Servers → Web browsers, native mobile, desktop, servers and cloud — as the live demo below shows.
AC2: Identical. With GoPlausible's PR merging upstream, there is no AC2‑level difference at all.

Converging, not diverging — the Algorand Foundation dev team has agreed to add a WebSockets fallback to the Liquid Auth client and server. Once it lands, upstream Liquid Auth and Liquid Auth Cloud clients and servers interconnect directly.

02 The ingredients

Seven parts. One private dial tone.

Every piece runs at the edge and does exactly one job. Here's each one, in plain English.

/ 01

The Worker

The edge entry point. Handles every request at the nearest location — routing, CORS, session cookies, WebSocket upgrades.

Completely stateless. All state lives in KV or Durable Objects.

/ 02

FIDO2 identity binding

Passwordless login with passkeys — Touch ID, Face ID, security keys — bound to your identity.

Verifies the passkey attestation and your wallet's identity signature over the same challenge, together. Proves ownership, touches no private key.

/ 03

KV storage

Globally-replicated, read-optimized storage for user records and credential→wallet lookups.

No database to run. No migrations.

/ 04

SessionStore

Keeps sessions in private, HMAC-signed storage with no dashboard, API, or CLI access.

Tampered sessions are rejected on sight. Even a cloud admin can't read or forge them.

/ 05

WalletRoom

The signaling relay — one private room per wallet. Relays the WebRTC handshake and broadcasts auth events.

Hibernates to zero cost when idle. Never sees your data once the peer channel is open.

/ 06

WebRTC peer channel

After the handshake, devices talk directly — end-to-end encrypted.

The relay is fully out of the path.

/ 07

No private keys, ever

All signing happens on your device. The Cloud only verifies signatures.

A hard principle, not a setting.
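
The "Passkey, twice‑signed" step and the FIDO2 identity binding ingredient both describe one challenge covered by two proofs. The Node.js check below is an added example, not Liquid Auth Cloud's or Liquid Auth's code: it shows only the binding of both proofs to the same one-time challenge and leaves attestation-statement verification to a WebAuthn library. The Ed25519 identity key, the function and field names, and the origin are assumptions.

```javascript
// Added example: names, encodings and the Ed25519 identity key are assumptions.
const nodeCrypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Accept a registration only if the passkey's clientDataJSON and the identity-key
// signature both cover the one-time challenge the server issued for this session.
function verifyBoundChallenge({ challenge, expectedOrigin, clientDataJSON,
                                identityPublicKey, identitySignature }) {
  const fail = (reason) => ({ ok: false, reason });
  let clientData;
  try {
    clientData = JSON.parse(Buffer.from(clientDataJSON).toString('utf8'));
  } catch {
    return fail('clientDataJSON is not valid JSON');
  }
  if (clientData.type !== 'webauthn.create') return fail('unexpected ceremony type');
  if (clientData.origin !== expectedOrigin) return fail('origin mismatch');

  // WebAuthn carries the challenge base64url-encoded inside clientDataJSON.
  const echoed = Buffer.from(String(clientData.challenge), 'base64url');
  if (echoed.length !== challenge.length || !nodeCrypto.timingSafeEqual(echoed, challenge)) {
    return fail('passkey signed a different challenge');
  }
  // Ed25519 takes no separate digest, so the algorithm argument is null.
  if (!nodeCrypto.verify(null, challenge, identityPublicKey, identitySignature)) {
    return fail('identity signature does not cover this challenge');
  }
  return { ok: true };
}

// Constructed sample: a throwaway identity key, a random challenge, a placeholder origin.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const challenge = nodeCrypto.randomBytes(32);
  const origin = 'https://auth.example';
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.create', challenge: b64url(challenge), origin }));
  const good = { challenge, expectedOrigin: origin, clientDataJSON,
    identityPublicKey: publicKey,
    identitySignature: nodeCrypto.sign(null, challenge, privateKey) };
  // Same key, but the signature was made over some other session's challenge.
  const replayed = { ...good,
    identitySignature: nodeCrypto.sign(null, nodeCrypto.randomBytes(32), privateKey) };
  return { good: verifyBoundChallenge(good), replayed: verifyBoundChallenge(replayed) };
}
```
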
03 Why the edge

Infrastructure that disappears when you're not using it.

Zero idle cost

The Worker runs only on request; Durable Objects hibernate. Zero traffic, zero dollars.

Global by default

Verification happens at the nearest of 300+ edge locations — close to every user.

No infrastructure

No containers, no database, no Redis, no failover. Deploy is one command.

Private by design

Sessions are HMAC-signed in opaque storage. Private keys never leave the device.

Built for WebRTC

Signaling is ephemeral and maps perfectly to hibernating Durable Objects.

04 The agentic layer

AC2 — your AI agent and your wallet, talking securely.

Once a Liquid Auth channel exists, the Agentic Communication and Control Protocol runs on top of it. Every peer is a DID; every approval happens in your wallet, gated by biometrics. The agent can ask — but the human always decides.

Two-way chat

Message your agent from your wallet — replies come straight back.

Capability discovery

The agent learns which identities and accounts it may use — nothing more.

Cryptographic signing

The agent requests a signature; you approve with a fingerprint. Keys never leave the device.

Human-in-the-loop

Permission approval

Tool requests like "run this command" are relayed to your phone. You approve or deny.

Human-in-the-loop

Live activity

Watch what the agent is doing — tool calls, reasoning, token usage — in real time.

x402 payments

The agent pays for x402-protected APIs from your wallet — per request, with a spend cap. You approve every payment.

Human-in-the-loop

On the wire: DIDComm v2 envelopes, versioned.

Every AC2 message is a DIDComm v2 plaintext envelope — the same message structure used across the decentralized-identity ecosystem — carried over the encrypted WebRTC channel.

  • Typed — every message declares a type URI in the ac2/ namespace (ac2/SigningRequest, ac2/Status, ac2/Capabilities, …).
  • Identity‑addressed — from and to are DIDs; no usernames, no sessions to hijack.
  • Threaded — thid / pthid correlate requests, replies and streams, exactly per DIDComm threading.
  • Versioned — the @context carries the protocol version in every envelope (https://ac2.io/v1 today). Unknown fields are ignored, so versions evolve additively.
  • Extensible — extensions ship their own context (https://ac2.io/ext/<name>/v<version>) and announce themselves via DIDComm discover‑features/2.0.
  • Time‑bounded — created_time / expires_time are Unix seconds, per DIDComm §3.2.
// an AC2 signing request, on the wire
{
  "@context": ["https://ac2.io/v1"],
  "type": "ac2/SigningRequest",
  "id": "0197f3a0-7c2e-7d41-b9c4-2f6a8f3d9e01",
  "from": "did:key:z6Mk...agent",
  "to": ["did:key:z6Mk...wallet"],
  "thid": "0197f3a0-11aa-7c02-8d55-40e2b7a91c22",
  "created_time": 1783121391,
  "expires_time": 1783125000,
  "body": {
    "payload_base64": "SGVsbG8sIEFDMiE=",
    "sig_hint": "raw-ed25519",
    "description": "Sign in to ExampleApp as your DID"
  }
}
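
The field rules listed above translate directly into receiver-side checks. The validator below is an added example, not AC2 reference code; the option names (selfDid, peerDid, now, skew), the rule that `from` must equal the DID authenticated at pairing, and the did:example sample values are assumptions. It enforces the time fields only when they are present.

```javascript
// Added example, not AC2 reference code. Option names are assumptions.
const CORE_CONTEXT = 'https://ac2.io/v1';
const KNOWN_FIELDS = ['@context', 'type', 'id', 'from', 'to', 'thid', 'pthid',
  'created_time', 'expires_time', 'body'];
const isDid = (v) => typeof v === 'string' && /^did:[a-z0-9]+:.+/.test(v);
const isUnixSeconds = (v) => Number.isInteger(v) && v >= 0;

// Returns { ok: true, message } with unknown fields dropped, or { ok: false, reason }.
function validateEnvelope(raw, { selfDid, peerDid, now, skew = 60 }) {
  const fail = (reason) => ({ ok: false, reason });
  let env;
  try { env = JSON.parse(raw); } catch { return fail('not valid JSON'); }
  if (env === null || typeof env !== 'object' || Array.isArray(env)) return fail('not an object');
  // Versioned: the core context must be one this receiver implements.
  if (!Array.isArray(env['@context']) || !env['@context'].includes(CORE_CONTEXT)) {
    return fail('unsupported @context');
  }
  // Typed: only type URIs in the ac2/ namespace are handled here.
  if (typeof env.type !== 'string' || !env.type.startsWith('ac2/')) return fail('type outside ac2/');
  if (typeof env.id !== 'string' || env.id === '') return fail('missing id');
  // Identity-addressed: a plaintext envelope is unsigned, so `from` is trusted only
  // when it equals the DID authenticated at pairing, and `to` must include us.
  if (!isDid(env.from) || env.from !== peerDid) return fail('from is not the paired peer');
  if (!Array.isArray(env.to) || !env.to.every(isDid) || !env.to.includes(selfDid)) {
    return fail('not addressed to this DID');
  }
  // Threaded: thid / pthid are optional but must be strings when present.
  for (const k of ['thid', 'pthid']) {
    if (k in env && typeof env[k] !== 'string') return fail(`${k} must be a string`);
  }
  // Time-bounded: Unix seconds; reject expired or future-dated messages.
  for (const k of ['created_time', 'expires_time']) {
    if (k in env && !isUnixSeconds(env[k])) return fail(`${k} must be Unix seconds`);
  }
  if ('created_time' in env && env.created_time > now + skew) return fail('created in the future');
  if ('expires_time' in env && env.expires_time <= now) return fail('expired');
  // Extensible: unknown top-level fields are ignored rather than rejected.
  const message = {};
  for (const k of KNOWN_FIELDS) if (k in env) message[k] = env[k];
  return { ok: true, message };
}

// Constructed sample: the signing request above with placeholder DIDs and one unknown field.
const SAMPLE = JSON.stringify({ '@context': [CORE_CONTEXT], type: 'ac2/SigningRequest',
  id: '0197f3a0-7c2e-7d41-b9c4-2f6a8f3d9e01', from: 'did:example:agent',
  to: ['did:example:wallet'], created_time: 1783121391, expires_time: 1783125000,
  body: { payload_base64: 'SGVsbG8sIEFDMiE=', sig_hint: 'raw-ed25519' }, x_future: true });
const OPTS = { selfDid: 'did:example:wallet', peerDid: 'did:example:agent', now: 1783121400 };
```
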
05 AC2 plugins

Plug into the agent you already use.

Pair once; the link is self-healing and reconnects automatically. After pairing, the controller persists and re-establishes on its own.

OpenClaw

@goplausible/ac2-plugin-openclaw
Available now

Runs inside the OpenClaw gateway. The setup wizard is idempotent — safe to re-run after every update.

# install or update from npm
openclaw plugins install @goplausible/ac2-plugin-openclaw
# restart the gateway, then run the one-time setup
openclaw ac2 setup

Pairing is a slash command inside an OpenClaw session — scan the QR with Regent.

/ac2 pair     # shows a QR + deep link

Note — pairing must be a slash command (the shell CLI exits too quickly to hold the socket). After pairing, the controller persists for 7 days and auto-reconnects.

/ac2 status   # pairing record, online state, DID
/ac2 forget   # unpair

Claude Code

@goplausible/ac2-plugin-claude
Available now

A Claude Code channel, distributed via the GoPlausible marketplace. Run inside Claude Code:

/plugin marketplace add GoPlausible/claude-algorand-plugin
/plugin install ac2-plugin-claude@goplausible-claude-plugins

One-time setup auto-allows the AC2 tools, then start Claude Code with channels enabled:

/ac2:setup   # auto-allow AC2 tools
claude --dangerously-load-development-channels server:plugin:ac2:ac2-channel
/ac2:pair    # QR + deep link — scan with Regent

Requires — Claude Code v2.1.80+ on a claude.ai subscription (channels don't work with API-key auth) · Node 20+

Codex

@goplausible/ac2-plugin-codex
Available now

A Codex plugin from the GoPlausible marketplace. Add the marketplace once, then install:

# one-time: add the marketplace
codex plugin marketplace add https://github.com/GoPlausible/codex-plugins.git
# install — to update later: codex plugin marketplace upgrade, then re-add
codex plugin add ac2-plugin-codex@goplausible

Requires — Codex CLI or desktop app · Node 20+. Start a new thread after install or update.

Pairing is a natural ask inside any Codex thread — scan the QR with Regent.

Pair my AC2 wallet.   # shows a QR + deep link

Note — pairing persists and auto-reconnects; future sessions need no QR.

Chat with Codex from Regent — signing, x402 payments and command approvals arrive on your phone. Slash commands, with autocomplete:

/ac2            # status · capabilities · version · forget
/skill <name>   # search + run any installed Codex skill
/clear          # start a fresh conversation

06 The wallet side

Regent — the reference controller wallet.

The phone app that pairs with agents, approves signing with biometrics, and chats with them. It's the human end of every AC2 conversation.

Illustrations of Regent's chat, signing approval and live activity trail.

07 Live demo

Open a real channel, right now.

This is the working Liquid Auth Cloud flow. Start a connection, scan with a Liquid Auth wallet, and a direct encrypted channel opens — multi-session, with its own chat tab each time.

Connect a Wallet

Liquid Auth uses FIDO2 passkeys to bind AC2 client wallets to devices, then establishes WebRTC data channels for encrypted peer-to-peer communication — no passwords, no central relay.

How it works:

  1. Click Start Connection below to generate a session
  2. Scan the QR code with your phone, or open the wallet link in a new tab
  3. Authenticate with your passkey (Touch ID, Face ID, or security key)
  4. A peer-to-peer encrypted channel opens instantly