Device-bound machine-to-machine authentication. No static secrets, no rotation, no leaks.
amesh is a drop-in replacement for API keys, Bearer tokens, and shared secrets in service-to-service communication. Instead of passing a static string, each machine proves its identity with a cryptographic signature generated by a private key that never leaves the device.
Private keys are protected by the OS keychain, TPM 2.0, or — on cloud VMs without hardware storage — encrypted with Argon2id. The signing happens on the device; only a 64-byte signature crosses the wire.
Almost every backend authenticates other services using static strings stored in .env files, environment variables, or secrets managers. The model has a fundamental flaw: the secret IS the identity. Anyone who has the string is authenticated. There is no way to prove which machine used it, whether it was copied, or where it's been.
GitHub secret scanning detected over 1 million leaked secrets in public repos in 2024 alone.
Every year, major breaches trace back to leaked credentials. The leak vectors are mundane: .env files committed to git, secrets printed to logs, Docker images pushed to public registries, CI/CD build logs.
Rotation is painful, there's no per-machine identity, and secrets managers only move the problem — the secret still exists as a copyable string, still needs its own authentication, and still adds latency on every cold start.
The private key is generated on the device and never exported. You can commit your entire codebase to a public repo and nothing is compromised.
Device keys don't expire. If a device is compromised, revoke it instantly with amesh revoke — only that device loses access.
Every request arrives with a verified device ID. You know exactly which machine sent it, when, and with what payload. Per-device audit trail comes for free.
Each request is signed with a key bound to the device. The signature is non-repudiable — the device can't deny it sent the request, and no other device could have produced the same signature.
@noble/curves, @noble/hashes, and @noble/ciphers. P-256 ECDSA, SHA-256 HMAC, ChaCha20-Poly1305.

amesh authenticates machines, not humans. If you need:
amesh shines for service-to-service auth on long-running machines: API servers, microservices, cron job hosts, developer laptops, CI runners with persistent state, and edge devices.