Microservices

Your services share a password. That's not identity.

When every service uses the same API key to call every other service, you don't have authentication — you have a shared secret that grants universal access.

The problem with shared API keys

No per-service audit trail
If the orders service and the billing service use the same key, your logs can't tell who made a request. Incident response becomes guesswork.

One compromised key = everything compromised
A leaked key from any service grants access to all services that accept it. Blast radius is unlimited.

Rotation is a coordination nightmare
Rotating a key shared by 15 services requires updating all 15 simultaneously. One missed deployment and the mesh breaks.

The solution

// Client side — signs every outgoing request
import { amesh } from '@authmesh/sdk';

const inventory = await amesh.fetch(
  'https://inventory.internal/check',
  { method: 'POST', body: JSON.stringify({ sku: 'KB-001' }) }
);

What changes

Before
Shared API key across services
No caller identification
Rotate key = redeploy everything

After
Unique identity per service
req.authMesh.deviceId on every request
Revoke one device, others unaffected
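
The per-service identity model described above, as an added example that is not part of the original page and is not the @authmesh/sdk implementation: each service signs requests with its own Ed25519 key, and the receiver resolves the caller from an allow list of public keys. The function names, service IDs, canonical string layout and 30-second skew window are assumptions made for illustration.

```javascript
// Added illustration of per-service signed requests using Node's built-in crypto.
// Not the @authmesh/sdk implementation; every name here is hypothetical.
const crypto = require('crypto');

// Each service owns a private key; receivers store only the public keys.
function newService(deviceId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { deviceId, publicKey, privateKey };
}

// Bytes that get signed: caller ID, method, path, timestamp and body hash.
function canonical(r) {
  const bodyHash = crypto.createHash('sha256').update(r.body).digest('hex');
  return Buffer.from([r.deviceId, r.method, r.path, r.ts, bodyHash].join('\n'));
}

function signRequest(svc, method, path, body, ts = Date.now()) {
  const req = { deviceId: svc.deviceId, method, path, body, ts };
  req.sig = crypto.sign(null, canonical(req), svc.privateKey).toString('base64');
  return req;
}

// Returns the authenticated caller's deviceId, or null when the request is rejected.
function verifyRequest(allowList, req, now = Date.now(), maxSkewMs = 30000) {
  const publicKey = allowList.get(req.deviceId);
  if (!publicKey) return null;                         // unknown or revoked identity
  if (Math.abs(now - req.ts) > maxSkewMs) return null; // stale timestamp, limits replay
  const sig = Buffer.from(req.sig, 'base64');
  return crypto.verify(null, canonical(req), publicKey, sig) ? req.deviceId : null;
}

// Constructed scenario: two callers send the same request, then one is revoked.
function demo() {
  const orders = newService('orders-svc');
  const billing = newService('billing-svc');
  const allowList = new Map([orders, billing].map(s => [s.deviceId, s.publicKey]));
  const body = JSON.stringify({ sku: 'KB-001' });
  const fromOrders = signRequest(orders, 'POST', '/check', body);
  const fromBilling = signRequest(billing, 'POST', '/check', body);
  const before = [fromOrders, fromBilling].map(r => verifyRequest(allowList, r));
  const tampered = verifyRequest(allowList, { ...fromOrders, body: '{"sku":"KB-999"}' });
  const spoofed = verifyRequest(allowList, { ...fromOrders, deviceId: 'billing-svc' });
  allowList.delete(orders.deviceId);                   // revoke only the orders identity
  const after = [fromOrders, fromBilling].map(r => verifyRequest(allowList, r));
  return { before, tampered, spoofed, after };
}

console.log(demo());
```

The value returned by verifyRequest is what a receiver would write to its audit log, which is the per-caller attribution a shared key cannot give.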