What's ERC-8128 and what does it mean for onchain agents?

TL;DR

ERC-8128 is a proposed standard for "Signed HTTP Requests." It lets onchain agents log in to websites and verify their actions using their Ethereum wallet instead of passwords or API keys. It solves a major security flaw for autonomous bots: storing secret keys that can be stolen. By using this standard, an agent simply signs a request to prove it's legitimate, allowing it to interact with both crypto and standard web services securely.


What ERC-8128 Does

This standard creates a way for computer programs—specifically AI agents—to authenticate themselves when talking to servers.

Right now, if you run an automated bot that needs to fetch data or use a service, you usually have to give it an API key. This is risky. If someone hacks the bot or sees the code, they can steal the key.

ERC-8128 changes this. Instead of an API key, the agent uses its Ethereum wallet (private key) to sign the HTTP request it sends to a server. The server looks at the signature, verifies that it matches the agent's wallet address, and approves the request.

This means:

  • No stored secrets: You don't need to hide API keys in your code.
  • Verifiable actions: Every request leaves a cryptographic proof that the specific agent authorized it.
  • Universal login: Agents can technically log in to any service that adopts this standard without human help.
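
The sign-and-verify flow described above, as an added example (not code from the ERC-8128 draft or from any project named here). It uses Node's built-in secp256k1 ECDSA over SHA-256 and a registry of known public keys as a stand-in for Ethereum signature and address recovery; the signed fields, the 60-second freshness window, the nonce check and all names are assumptions, not the ERC-8128 wire format.

```javascript
const crypto = require('node:crypto');

// Assumed signing base (not the ERC-8128 format): every field the server acts on.
function signingBase({ method, path, body, created, nonce }) {
  const digest = crypto.createHash('sha256').update(body).digest('hex');
  return [method.toUpperCase(), path, digest, created, nonce].join('\n');
}

// Agent side: sign the request locally; the private key is never sent to the server.
function signRequest(privateKey, req) {
  const sig = crypto.sign('sha256', Buffer.from(signingBase(req)), privateKey);
  return { ...req, signature: sig.toString('base64') };
}

// Server side: returns 'ok' or the reason the request is rejected.
function makeVerifier(registry, maxAgeSec = 60) {
  const seen = new Set(); // nonces already accepted, to reject replays
  return function verify(req, agentId, nowSec) {
    const publicKey = registry.get(agentId);
    if (!publicKey) return 'unknown-agent';
    if (Math.abs(nowSec - req.created) > maxAgeSec) return 'stale';
    const sig = Buffer.from(req.signature, 'base64');
    const base = Buffer.from(signingBase(req));
    if (!crypto.verify('sha256', base, publicKey, sig)) return 'bad-signature';
    if (seen.has(`${agentId}:${req.nonce}`)) return 'replay';
    seen.add(`${agentId}:${req.nonce}`);
    return 'ok';
  };
}

// Constructed sample: one agent key pair and one request, checked five ways.
function demo() {
  const { privateKey, publicKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const verify = makeVerifier(new Map([['agent-1', publicKey]]));
  const now = 1700000000;
  const signed = signRequest(privateKey, {
    method: 'post', path: '/v1/orders', body: '{"qty":1}', created: now, nonce: 'n-001',
  });
  return {
    first: verify(signed, 'agent-1', now + 5),
    replayed: verify(signed, 'agent-1', now + 6),
    tampered: verify({ ...signed, nonce: 'n-002', body: '{"qty":100}' }, 'agent-1', now + 7),
    stale: verify({ ...signed, nonce: 'n-003' }, 'agent-1', now + 600),
    unknown: verify(signed, 'agent-2', now + 5),
  };
}
```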

The Agent Infrastructure Stack

ERC-8128 is part of a growing set of standards designed to help AI agents operate independently on Ethereum. It works alongside two other key pieces of infrastructure recently discussed by developers.

  1. Identity (ERC-8004): This standard gives an agent a specific onchain identity, like a passport. It lets others know "who" the agent is and what it's allowed to do.
  2. Payments (x402): This is a protocol for machine-to-machine payments. It handles how the agent pays for the services it uses.
  3. Authentication (ERC-8128): This handles the security check. It confirms that the agent sending a request is actually the owner of the identity and the funds.

Together, these allow an agent to discover a service, prove who it is, and pay for it, all without a human clicking buttons or copying passwords.

Market Context and Adoption

The standard is currently a draft and is being pushed by teams building agentic infrastructure, such as Slice and Use Case Lab.

  • Slice introduced the concept to enable passwordless authentication for services and machines (X: @slice__so).
  • Developer Sentiment: Builders see this as the "missing piece" for autonomous workflows. The current method of giving agents API keys is viewed as the modern equivalent of storing passwords in plain text, a security practice that needs to be retired (X: @jacopo_eth).

While promising, this is early-stage tech. It requires web servers to update how they handle login requests to support Ethereum signatures. Until it is widely adopted by service providers (data APIs, compute networks), its utility is limited to specific crypto-native platforms.