We built an age compliance API called A3 (Arcadia Age API) for California's AB 1043 law, which takes effect January 2027. The short version: if your app serves California users, you'll need to handle OS-level age signals and treat them as legal knowledge of a user's age. Penalties are $2,500–$7,500 per affected child.
We didn't think compliance costs should be a barrier for open source, so we set up a program specifically for OSS projects.
What you get:
- Pro-tier API access (normally $99/month)
- 50,000 age checks per month
- Evidence tags, confidence scores, cryptographic audit receipts
- No credit card required
What we ask:
- OSI-approved license (MIT, Apache 2.0, GPL, etc.)
- Public repo with active maintenance (commits in the last 6 months)
- User-facing application (not a library/framework)
- Include "Powered by A3" in your age gate UI or project README
That last point is the only real "cost" — we want other maintainers to discover the program through projects already using it.
How it works (briefly):
Instead of ID uploads or selfie scans, A3 uses passive behavioral signal fusion. Our browser SDK (<5 KB) collects anonymized behavioral scores from standard DOM events — things like scroll velocity, typing rhythm, touch precision — and the API returns an age bracket verdict. No PII is stored or transmitted. The API is fully stateless.
On native (iOS/Android), we normalize Apple and Google age signals into the same response format. On the web — where no OS signal exists — the behavioral signals are the primary assessment.
To be transparent: this is probabilistic estimation, not identity verification. It's built for the "commercially reasonable" standard the statute requires. Behavioral signals can't tell you someone's exact age, but cross-validated across five signal categories they're strong enough to meet the legal bar.
Apply here: https://www.a3api.io/open-source
We review applications within 5 business days. Happy to answer questions about the program, the API, or AB 1043 in general.
Top comments (0)