Beta · MIT Licensed · Changelog →

Stop managing API keys. Let your device prove identity.

amesh replaces static secrets with cryptographic device identity. Private keys stay on the device — protected by Keychain, TPM, or encrypted file.

Install amesh

$ brew install ameshdev/tap/amesh

Built on audited open-source cryptography

@noble/curves P-256 ECDSA · ECDH
@noble/hashes SHA-256 · HMAC · HKDF
@noble/ciphers ChaCha20-Poly1305
Hardware-backed Secure Enclave · TPM 2.0

What amesh replaces

Everything you store in .env files and pass around in Slack.

.env files Secrets on disk
API keys Static strings
Bearer tokens Shared secrets
JWT secrets Rotated manually
OAuth secrets Client credentials
mTLS certs CA infrastructure

How it works

Four steps. Then every request is signed with your device key and verified cryptographically.

1. Create a device identity

Each machine gets a unique keypair. The private key stays on the device.

$ amesh init --name "prod-api"

Identity created.
  Device ID     : am_cOixWcOdI8-pLh4P
  Backend       : Secure Enclave
  Friendly Name : prod-api

2. Pair two machines

The server runs amesh listen and your laptop runs amesh invite. Trust is one-way: your laptop controls the server, not the other way around.

$ amesh listen

  Pairing code: 482916

 Controller connected.
  Enter the 6-digit code shown on the Controller.
  Verification code: 847291
 "Dev Laptop" added as controller.

3. Sign requests — 2 lines

Import amesh and call amesh.fetch(). It signs every request automatically.

import { amesh } from '@authmesh/sdk';

amesh.fetch("/api/orders", {
  method: "POST",
  body: JSON.stringify({ amount: 100 })
});

4. Verify requests — 2 lines

One line of middleware. Checks signature, timestamp, nonce, and allow list.

import { amesh } from '@authmesh/sdk';

app.use(amesh.verify());
// req.authMesh.deviceId available

How amesh compares

amesh is not the first approach to machine-to-machine auth. But it is the simplest that binds identity to hardware.

                     | amesh                              | API Keys   | mTLS            | Secrets Manager   | OAuth
Secrets on disk      | None (hardware) / encrypted (file) | Yes        | Cert files      | Token             | Client secret
Manual rotation      | Never (revoke instead)             | Required   | Cert renewal    | Token TTL         | Secret rotation
Blast radius of leak | One device                         | Unlimited  | Per-cert        | Token scope       | Client scope
Setup complexity     | 2 CLI commands                     | Copy-paste | CA + cert infra | Server + policies | Auth server
Per-device identity  | Yes                                | No         | Per-cert        | No                | Per-client
Device-bound key     | Keychain / TPM / file              | No         | No              | No                | No

Why this is better

Security that comes from cryptographic identity, not from keeping secrets.

No shared secrets

No .env file. No secret in CI. No token in Slack. Each device holds its own key.

Nothing to rotate

Device keys don't expire. Revoke a device instantly with amesh revoke.

Replay protection

Every request has a unique nonce and a 30-second timestamp window.

One-way trust

Controllers authenticate to targets, never the reverse. A compromised server can't call back to your laptop.

MITM-resistant pairing

ECDH key exchange with 6-digit SAS verification (similar to Bluetooth pairing) and HMAC-sealed allow list.

Open source

MIT licensed. Audit the crypto, fork the relay, self-host everything.

Manage devices from the terminal

$ amesh list

  This device
  ───────────────────────────────────────────────────────
  Device ID     : am_cOixWcOd
  Friendly Name : prod-api
  Backend       : Secure Enclave

  Trusted Devices (2)
  ───────────────────────────────────────────────────────
  am_1a2b3c4d  Dev Laptop     [controller]   added 2026-03-28
  am_9f8e7d6c  staging-api    [target]       added 2026-03-29
  ───────────────────────────────────────────────────────

$ amesh revoke am_1a2b3c4d

  Are you sure? (y/N): y
 Removed. Access revoked immediately.

Ready to drop the .env file?

Get started in under 5 minutes.

$ brew install ameshdev/tap/amesh