SSH-like remote access using amesh device identity. No SSH keys, no authorized_keys, instant revocation.
Two binaries: amesh for the controller (your laptop), amesh-agent for the server.
brew install ameshdev/tap/amesh brew install ameshdev/tap/amesh Three steps: pair the devices (if not already), grant shell access, start the agent.
# On the target (server) amesh listen # On the controller (your laptop) amesh invite 482916
# On the target — grant shell access to the controller amesh grant am_3d9f1a2e --shell # Verify amesh list # Shows: am_3d9f1a2e alice-macbook [controller] [shell] added 2026-04-03
Shell access is opt-in. Pairing for HTTP API auth does not automatically grant shell access.
# On the target (server) — start the agent daemon amesh-agent agent start # Or with options amesh-agent agent start --relay wss://relay.authmesh.dev/ws --idle-timeout 60
Note the binary name: controller commands run through amesh; the agent daemon runs through amesh-agent. They are separate packages (@authmesh/cli and @authmesh/agent), but brew install ameshdev/tap/amesh installs both.
The amesh-agent daemon ships as a prebuilt binary on all supported platforms — no runtime install needed.
| Platform | Install via | Notes |
|---|---|---|
| macOS (arm64) | Homebrew · npm · tarball | Apple Silicon; uses Secure Enclave when signed |
| macOS (x64) | Homebrew · npm · tarball | Intel macs; falls back to Keychain |
| Linux (x64) | Homebrew · npm · tarball · .deb | Most cloud VMs; uses TPM 2.0 when available |
| Linux (arm64) | Homebrew · npm · tarball | Raspberry Pi 4/5 on 64-bit Pi OS, Ampere, Graviton |
| Linux (armv7, 32-bit) | Bun wrapper only | Raspberry Pi 3 and earlier — see note below |
Linux armv7 (Raspberry Pi 3 and earlier): Bun does not ship for 32-bit ARM. If you must run the agent on these devices, install Bun manually (if a third-party build is available for your arch) and run as bun $(which amesh-agent) agent start. Everything else (Pi 4/5 on 64-bit Pi OS, all modern ARM servers) is supported out of the box.
$ amesh shell prod-api Connecting to prod-api (am_7f2e8a1b)... Connected. Shell session started. user@prod-api:~$ whoami user user@prod-api:~$ exit Session closed (exit code 0, duration 2m 14s).
$ amesh shell prod-api -c "df -h"
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 50G 12G 35G 26% /amesh grant --shell.--allow-root is passed. The spawned shell inherits the agent's user permissions.AUTH_MESH_DIR AUTH_MESH_PASSPHRASE AMESH_PASSPHRASE_FILE AMESH_RELAY_URL amesh grant <device-id> --shell on the target.amesh-agent agent start and verify the relay is reachable from both sides.bun $(which amesh-agent) agent start. On supported architectures (macOS arm64/x64, Linux x64/arm64) this error should not appear — if it does, see the Troubleshooting page for the full diagnostic flow.--allow-root if you understand the risk (grants root shells to all controllers).