Email as Identity: How AliasKit Works
Email is a universal channel—not always the canonical identifier for an agent. Here is how AliasKit separates identity, channels, and tokens.
For two decades, “email = identity” was a workable shortcut for humans. For software agents, that shortcut cracks the moment you need multiple channels, rotatable keys, or portable trust across vendors.
AliasKit uses email as a first-class channel bound to a durable identity—not as a stand-in for a complete security model.
The human pattern
Traditional SaaS:
- User signs up with email.
- Email becomes the username, recovery path, and audit trail.
- Sessions and OAuth tokens layer on top.
Agents inherit the same signup UIs, so email remains essential for interoperability. But agents also need programmatic credentials that do not reduce to “whatever inbox we scraped last.”
Identity, channels, tokens
We keep three ideas separate:
| Layer | Responsibility | Example |
|---|---|---|
| Identity | Stable record for an actor | Identity UUID + profile metadata |
| Channels | How the world reaches the actor | Inbound/outbound email, SMS numbers |
| Tokens | How the actor proves itself to partners | Agent Identity JWT, JWKS verification |
Email addresses and phone numbers attach to identities. They are how an agent completes human-shaped flows. Tokens are how the same agent authenticates to your API or a partner’s without replaying OTPs every hour.
This separation matters when you compare us to inbox-only vendors—see AliasKit vs AgentMail vs KeyID.
How mail moves
Outbound mail is sent through provider APIs (Resend on the hosted stack). Inbound webhooks normalize messages into rows you can list and filter via REST, which is ideal for OTP extraction in tests (see Testing agent signup flows with AliasKit) and for production automations.
```bash
# List recent inbound mail for an identity
curl -s "https://www.aliaskit.com/api/v1/identities/$ID/emails?direction=inbound&limit=10" \
  -H "Authorization: Bearer $ALIASKIT_API_KEY"
```
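The OTP extraction mentioned above, as an added example (not AliasKit's own code): it accepts a code only from the expected sender and only from mail that arrived after the signup attempt began, so a stale or unrelated message cannot satisfy the test. The response field names (`from`, `text`, `received_at`) and the sample messages are assumptions constructed for illustration, not AliasKit's documented schema.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a listing response. Field names are assumptions
# for illustration, not AliasKit's documented schema.
SAMPLE_EMAILS = [
    {"from": "no-reply@example-saas.test", "subject": "Your code",
     "text": "Your verification code is 481516. It expires in 10 minutes.",
     "received_at": "2024-05-01T12:00:30Z"},
    {"from": "no-reply@example-saas.test", "subject": "Your code",
     "text": "Your verification code is 112233.",
     "received_at": "2024-05-01T11:40:00Z"},   # stale: predates this signup
    {"from": "promo@other.test", "subject": "Sale 2024",
     "text": "Use coupon 999999 today, call 5551234567.",
     "received_at": "2024-05-01T12:00:45Z"},   # wrong sender
]

# A 6-digit code that is not part of a longer digit run (phone numbers, ids).
OTP_RE = re.compile(r"(?<!\d)(\d{6})(?!\d)")

def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_otp(emails, expected_sender, not_before, max_age_s=600):
    """Return the OTP from the newest message sent by expected_sender within
    max_age_s seconds after not_before, or None if nothing qualifies."""
    candidates = []
    for msg in emails:
        # Assumes "from" holds a bare address; compare case-insensitively.
        if msg.get("from", "").lower() != expected_sender.lower():
            continue
        received = parse_ts(msg["received_at"])
        age = (received - not_before).total_seconds()
        if age < 0 or age > max_age_s:
            continue  # older than this attempt, or outside the validity window
        codes = set(OTP_RE.findall(msg.get("text", "")))
        if len(codes) == 1:  # ambiguous bodies are skipped rather than guessed
            candidates.append((received, codes.pop()))
    return max(candidates)[1] if candidates else None
```

Record `not_before` immediately before the agent submits the signup form, and pass the parsed JSON list from the listing call as `emails`.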
Why not make email the primary key?
Email is transferable, phishable, and provider-bound. A serious agent platform needs identifiers that survive inbox changes, support multiple inboxes per agent, and map cleanly to reputation and policy. We cover scoring in Introducing agent reputation scores.
Agent profiles
When you need a handle that is easier to reason about than a raw UUID, create an agent profile and link channels to it. Profiles become the thing you reference in docs, marketplace listings, and MCP tool metadata—while the underlying identity still owns the credentials.
Takeaway
Email is not going away; it is the lingua franca of signup. AliasKit embraces that while still giving you the identity primitives agents need for auth, audit, and trust—starting from the ideas in Why AI agents need their own identity.