Show HN: Continuity-auth – Respect-weighted rate limits for the open web
2 points by danieltanfh95 22 days ago
Identity is a missing piece for managing security in cyberspace where agents co-exist with humans. Traditional methods of managing open access like CAPTCHA or Anubis punish real humans while either being rapidly outclassed by computer-use agents or scaling poorly as the value of the site rises.

continuity-auth is my attempt to fix this from first principles by using device-continuity proof as a trust signal and time (enforced via rate-limiting) as the core resource to provide a graceful, zero-trust, login-less method to prevent abuse, supporting both browsers and CLI as first-class clients.

Built with Clojure/Script, babashka, and Datalevin. Work in progress. Happy to discuss.

Source: https://github.com/danieltanfh95/continuity-auth

1 comment

This doesn't stop the bots - it just makes them hold a private key in their headless browser.
It heavily discourages bot farming, which is what makes bots economical.
Proper bot operators already run long-lived sessions in order to avoid detection. So this inflicts additional financial penalties on basic bots (brute force) but not the more advanced ones, as they're already paying it.
Not all bots are bad, and the economic incentive of playing nice in a long-lived session bot is much stronger otherwise, which is kind of the point. It is the same with humans.