Documentation

Everything you need to replace static API keys with device-bound identity — from your first 5-minute setup to self-hosting the relay.

Start here

Introduction

What amesh is, the problem it solves, and its design philosophy.

Quickstart

Install, pair two machines, and sign your first request — in under 5 minutes.

Start here

Integration Guide

Step-by-step recipes for Express, microservices, webhooks, and remote pairing.

Guides

Key Storage

How private keys are protected: Secure Enclave, Keychain, TPM 2.0, and encrypted file.

Self-Hosting

Run your own relay with Docker, Cloud Run, Fly.io, Kubernetes, or plain Bun.

Remote Shell

SSH-like remote access using device identity. Agent setup, permissions, security model.

Reference

FAQ

Common questions about device identity, comparisons to mTLS, OAuth, and secrets managers, and compliance.

Troubleshooting

Common errors and how to fix them — signing, pairing, key storage, shell, relay.

Changelog

Release notes and version history. Security fixes, new features, breaking changes.

Deep reference

Protocol Specification
v2.0.0 — full wire format, crypto details, and threat model
Architecture Decisions
10 ADRs: P-256 over Ed25519, SAS verification, Bun.serve(), and more
Usage Guide
Full CLI reference with every command and flag

Packages

@authmesh/sdk
Signing client + Express middleware
@authmesh/cli
Device management CLI
@authmesh/core
Crypto primitives
@authmesh/keystore
Device key storage
@authmesh/relay
Pairing relay server

See also: Use Cases — real-world patterns for microservices, webhooks, cron jobs, internal tools, and remote shell.