Introduction
What Ghost is, what it refuses to be, and where to start.
Ghost gives web applications persistent cryptographic identity without user accounts.
Most applications that build sign-up flows never needed to know who you are. They needed to know something smaller: is this the same browser that was here yesterday? Ghost answers exactly that question. The browser generates a keypair, keeps the private half where JavaScript cannot read it, and proves possession when your server asks. The Ghost ID is the stable identity; the public key is the active credential.
Ghost is not Auth0, Clerk, passkeys, OAuth, or "auth without passwords". It is not an account system at all. It is continuity without accounts — and it authenticates a key, not a person.
Where to start
- Installation — add the package and check runtime support.
- Your first identity — create, sign, verify, end to end.
- Identity — what a ghost ID is and why it belongs to one origin.
- Security model — the threat model, and what Ghost does not prove.