Specimen · People · port :8083

Turnip — Identity, plain and patient.

Turnip is the identity layer. It speaks OIDC and SAML for humans, OAS DIDs and Arsenal capability tokens for agents, and FIDO2 / WebAuthn / TOTP / hardware keys for the second factor. It binds an agent's identity to its principal — the human, organization, or autonomous org that authorized it — so every action carries clear lineage. Sessions are short, refreshable, and revocable, with anomaly detection on impossible-travel, replayed tokens, and behavioral drift.

Open Garden See capabilities

Brassica rapa

SESSION  ses_9c…   Active  expires in 37m
  Principal   alex@acme.com (human)
  Acting as   agent:billing-bot v0.4.1 (delegated)
  ACT         arsenal:act_7d…  scope=cabbage:invoice:*
  Lineage     human → org:acme → agent:billing-bot
  Risk        device known · location stable · 2FA fresh

Capabilities

What it does.

8 capabilities, summarized.

01OIDC, SAML, OAuth 2.1 for humans
02OAS DID + Arsenal ACT for agents
03WebAuthn, FIDO2, TOTP, hardware keys
04Step-up auth on sensitive actions
05Session anomaly detection and replay protection
06Lineage binding from agent → principal
07Org / project / role / scope hierarchy
08Audit trail of every authentication decision

Specs

The technical surface.

Audience: both
APIs: OIDC · SAML 2.0 · REST · MCP
Standards: NIST 800-63 · ISO 27001 A.9 · SOC 2 CC6
Partners: Ory Hydra/Kratos/Keto · WebAuthn · Yubico

Companions in People

What it works with.

Sage — Compliance, automated and audit-ready.

KYC, KYB, AML, OFAC and global sanctions screening, transaction monitoring, suspicious activity, and disputes — all wired into Bean's audit chain.

Read field guide

← Greenhouse All twelve specimens Sage →

Turnip is one service. Twelve, planted together, are an OS.

Open Garden See all twelve