Quickstart

Install amesh, pair two machines, and sign your first request in under 5 minutes.

On this page

1. Install 2. Create an identity 3. Pair two machines 4. Sign your first request 5. Verify on the server Next steps

1. Install

Install the amesh CLI and SDK. Pick whichever matches your environment.

Homebrew (macOS / Linux)

# CLI
brew install ameshdev/tap/amesh

# SDK (in your project)
bun add @authmesh/sdk

npm

# CLI (global)
npm install -g @authmesh/cli

# SDK (in your project)
npm install @authmesh/sdk

2. Create an identity

Run amesh init on the machine. This generates a P-256 keypair and picks the best available key storage — Secure Enclave, macOS Keychain, TPM, or encrypted file.

$ amesh init --name "api-server"

Detecting key storage backend:
  Secure Enclave    not available
  macOS Keychain    selected

Identity created.
  Device ID     : am_cOixWcOdI8-pLh4P
  Backend       : macOS Keychain
  Friendly Name : api-server

Do this on both machines you want to connect — for example, your laptop (controller) and your server (target).

3. Pair two machines

Pairing exchanges public keys over a relay using a 6-digit code. Trust is one-way: the controller authenticates TO the target, never the reverse.

On the target (e.g. api-server)

$ amesh listen

  Pairing code: 482916
  Waiting for controller...

On the controller (e.g. laptop)

$ amesh invite 482916

✔ Peer found.
  Verification code: 847291
  Enter this code on the Target device.
✔ "api-server" added as target.

The verification code (shown on both sides) must match — this defeats man-in-the-middle attacks on the relay.

4. Sign your first request

From the controller machine, import the SDK and call amesh.fetch(). It signs every outgoing request automatically with your device key.

client.ts (on the controller)

import { amesh } from '@authmesh/sdk';

const res = await amesh.fetch(
  'https://api-server.internal/orders',
  {
    method: 'POST',
    body: JSON.stringify({ amount: 100 }),
  }
);

5. Verify on the server

One middleware line on the target verifies signature, timestamp, nonce, and allow list. Every request arrives with a verified device ID.

server.ts (on the target)

import express from 'express';
import { amesh } from '@authmesh/sdk';

const app = express();
app.use(express.json());
app.use(amesh.verify());

app.post('/orders', (req, res) => {
  // req.authMesh.deviceId is the verified caller
  console.log(`Order from ${req.authMesh.friendlyName}`);
  res.json({ ok: true });
});

app.listen(3000);

That's it. Every request now carries a cryptographic proof of origin bound to the controller's device key.

Next steps

• Read the Integration Guide for microservices, webhooks, and Redis nonce store patterns.
• Learn about Key Storage — how your private key is protected on each platform.
• Deploy the relay with Self-Hosting guide (Docker, Cloud Run, Fly.io, Kubernetes).
• Hit an error? Check Troubleshooting.

Doc Integration Guide

Express, microservices, webhooks

Doc Key Storage

How keys are protected