Challenge-response authentication is a protocol in which the server issues a challenge (a random nonce) and the client proves its identity by producing a valid response (a cryptographic signature over that nonce). The secret key never leaves the client.
Each challenge nonce is unique and expires after use. A captured signature can't be reused because the nonce won't be valid for a second attempt.
The agent requests a nonce from GitHat, signs it with its Ethereum wallet private key, and submits the signature. GitHat verifies the signature and issues a 2-minute token.
API keys are static secrets — if leaked, they work until revoked. Challenge-response signatures are dynamic and time-bound. The private key is never transmitted.
Ship authenticated apps in minutes, not weeks.