Dev Journal #5 — Bigger Visions: What We're Really Building
You're not imagining it.
What Epheme is building _is_ a replacement for OAuth and the modern identity stack — done in a way that actually lines up with how software should work, not how it's convenient for vendors to build it.
Let me explain why.
---
OAuth isn't an identity protocol
OAuth and OIDC are delegated trust protocols. They assume a central authority. They require persistent accounts, global identifiers, cloud infrastructure, and long-term storage of who you are. They generate telemetry by design. They create lock-in on purpose.
OAuth is a perfect system — if you're the vendor.
You get accounts. You get tracking. You get cross-app identity correlation. You get monetization. You get centralized control of who can access what.
It's a terrible system if you're the user.
Epheme flips that power dynamic entirely.
---
What we're proposing instead
A distributed, device-based trust fabric where:
- Devices identify themselves with keys, not accounts
- Hubs vouch for devices, not users
- Trust is established locally and doesn't require a global registry
- Attestations are short-lived by design, not permanent by default
- No single hub is the identity provider
- No vendor owns the identity graph
- No cloud dependency for normal operation
- No login
- No OAuth redirect dance
- No tokens tied to human accounts
This is identity without identity.
Authentication without accounts.
Trust without centralization.
It's what OAuth should have been.
---
Where "blockchain" fits — and where it doesn't
A lot of people hear "distributed identity" and think blockchain. That's not this.
Epheme doesn't want a global, financialized, immutable ledger. That would violate the ethos immediately.
But some of the _ideas_ underneath blockchain are exactly right:
- append-only logs
- signed attestations
- verifiable, tamper-evident state
- optional replication between hubs
- no central authority
Think Merkle trees. Hash chains. CRDT-style synchronization. Local-first logs with optional gossip between trusted hubs. No tokens. No mining. No global ledger. No permanence beyond what the app needs.
Just distributed trust — and nothing else.
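To make the list above concrete, here is a sketch of a hub keeping short-lived device attestations in a hash-chained, append-only log, so that an edited or dropped entry is detectable. It is an added example, not Epheme's code or wire format. Assumptions: every function and field name, the 300-second lifetime, and HMAC-SHA256 standing in for the hub's signature so the block runs on the standard library alone (a hub that other parties verify would use an asymmetric signature instead).

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" of the first entry
FIELDS = ("device", "issued", "expires", "prev")

def digest(body):
    # Canonical JSON so an entry always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def hub_tag(hub_key, entry_hash):
    # Assumption: HMAC stands in for the hub's signature (stdlib only).
    return hmac.new(hub_key, entry_hash.encode(), hashlib.sha256).hexdigest()

def attest(log, hub_key, device, now, ttl=300):
    """Append a short-lived attestation for a device key fingerprint."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"device": device, "issued": now, "expires": now + ttl, "prev": prev}
    entry_hash = digest(body)
    log.append({**body, "hash": entry_hash, "tag": hub_tag(hub_key, entry_hash)})
    return log[-1]

def first_bad_entry(log, hub_key):
    """Return the index of the first entry that breaks the chain, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        entry_hash = digest({k: entry[k] for k in FIELDS})
        linked = entry["prev"] == prev and entry["hash"] == entry_hash
        if not linked or not hmac.compare_digest(entry["tag"], hub_tag(hub_key, entry_hash)):
            return i
        prev = entry_hash
    return -1

def is_trusted(log, hub_key, device, now):
    """A device is trusted only inside an unexpired entry of an intact log."""
    if first_bad_entry(log, hub_key) != -1:
        return False
    return any(e["device"] == device and e["issued"] <= now < e["expires"] for e in log)

if __name__ == "__main__":
    key = b"constructed-demo-hub-key"  # constructed sample value
    log = []
    attest(log, key, "fp:device-a", now=1000)
    attest(log, key, "fp:device-b", now=1100)
    print(is_trusted(log, key, "fp:device-a", now=1200))  # inside the 300 s window
    log[0]["expires"] = 10**9                             # tamper with the lifetime
    print(first_bad_entry(log, key), is_trusted(log, key, "fp:device-a", now=1200))
```

Because each entry commits to the hash of the one before it, extending an attestation's lifetime or removing an entry invalidates the log from that point on, and trust lapses on its own once `expires` passes.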
---
Why this can actually replace OAuth
OAuth solves a specific, limited problem:
"How do I trust that this user is who they say they are, so I can grant them access to a cloud resource?"
Epheme solves a different problem — a more modern one:
"How do I trust this _device_ enough to let it participate, without creating an account, without storing identity centrally, and without depending on any authority I don't control?"
OAuth is built for cloud apps, user accounts, persistent identity, and vendor control.
Epheme Hubs are built for local apps, device identity, ephemeral trust, and user control.
Those are different categories of problem. OAuth was never designed to answer the Epheme question. That's not a criticism — it's a recognition that the world has changed and the tools haven't caught up.
---
The bigger picture
We're not building a login system. We're building a sovereign trust fabric.
A world where devices can authenticate to each other, apps can coordinate, and trust can be established — without identity providers, without accounts, without cloud infrastructure, without surveillance, and without SaaS dependencies.
This is the missing middle between two categories that software has been stuck in:
- Desktop apps — fully local, no network identity, hard to share or coordinate
- SaaS apps — fully cloud, persistent identity, surveillance by default
Epheme is the third category: local-first distributed apps with no identity layer imposed on the user.
The identity exists — it's just yours. It lives on your device. It answers to no vendor.
That's what we're building.