Loading...
private.me Docs
Get AutoGen xLink
private.me · AutoGen Integration

Identity-Based Authentication for Multi-Agent Systems

Replace API keys, OAuth tokens, and credentials with cryptographic identity for AutoGen multi-agent coordination. Zero-config setup, no cascading failures, 603× faster authentication.

15s
Setup time
603×
Faster auth
Zero
Cascading failures
0.36ms
Auth overhead
AutoGen Compatible Identity-Based No Credentials Production Ready
15 seconds to production

Quick Start

Create AutoGen agents with cryptographic identity. No API keys, no OAuth setup, no configuration files.

Installation
# Install both packages
npm install @private.me/autogen-xlink autogen-js
Basic Usage
import { AutoGenXLinkAgent } from '@private.me/autogen-xlink';

// Create agents (identity generated automatically)
const researcher = new AutoGenXLinkAgent({ name: 'researcher' });
const writer = new AutoGenXLinkAgent({ name: 'writer' });

// Agent-to-agent call (no credentials needed!)
const result = await researcher.call(writer.getDID(), {
  task: 'write-summary',
  topic: 'AI trends'
});

if (result.ok) {
  console.log('Result:', result.value);
}
That's it
No API keys, no OAuth, no configuration files. Identity is generated automatically and can't be stolen.
Cascading failures

The Problem with Traditional Auth

Multi-agent systems using API keys or OAuth tokens face cascading failures when credentials expire.

Traditional Approach

Token-Based Auth (Problematic)
// OAuth token expires
let accessToken = await getAccessToken();

// All agents retry simultaneously when token expires
if (isExpired(accessToken)) {
  try {
    accessToken = await refreshAccessToken(); // 54,853ms latency
  } catch (error) {
    throw new Error('Re-authentication required');
  }
}

// System-wide slowdown as all agents hit refresh endpoint
Cascading Failure
When one OAuth token expires, all agents retry simultaneously. Refresh server overloads, causing exponential backoff and system-wide slowdown.

Problems

  • Token refresh adds 54,853ms latency on average
  • Refresh failures cascade to all concurrent requests
  • Complex token lifecycle management per agent
  • Race conditions in parallel requests
  • API keys can be stolen from environment variables
  • Manual credential rotation required periodically
Identity-based

The xLink Solution

Agents use cryptographic identity instead of tokens. No expiry, no refresh, no cascades.

Identity-Based Auth (xLink)
// Create agent with cryptographic identity
const agent = new AutoGenXLinkAgent();

// Make request (identity-based, can't be stolen)
const result = await agent.call(serviceName, payload);

// 0.36ms auth overhead, no refresh logic, no cascades

How It Works

  1. Identity Generation: Agent creates Ed25519 keypair and derives DID
  2. Authentication Flow: Agent signs request, recipient verifies signature
  3. No Token Lifecycle: Identity never expires, no refresh needed
Stateless Authentication
Identity can't be stolen (cryptographic proof), never expires (no rotation), and eliminates cascading failures (each agent independent).
Performance

Benchmarks

Measured performance improvements from xLink core identity layer.

Operation Traditional Auth xLink Identity Speedup
Initial auth 54,853ms 91ms 603×
Subsequent requests 50ms 0.36ms 139×
Total E2E latency 55,000ms 14,634ms 3.76×
Auth overhead 99.8% 0.6% -99.4%

Test environment: 500 concurrent agents, 1000 requests each

603×
Faster than OAuth
73.4%
Faster E2E
0.36ms
Auth overhead
Pricing & Subscription

Purchase AutoGen xLink

Start with a 3-month trial. Upgrade as your multi-agent system scales.

Pricing Tiers

Standard pricing: $5/month Basic • $10/month Middle • $15/month Enterprise

Basic
$5/month
AutoGen integration, agent identity, group chat security, basic trust registry
Best for development
Middle
$10/month
Everything in Basic plus advanced agent policies, custom conversation controls, enhanced monitoring
Best for production
Enterprise
$15/month
Everything in Middle plus air-gapped deployment, white-label branding, dedicated support, SLA
Best for scale
Volume Discounts
  • 5-9 ACIs: 10% off all tiers
  • 10-19 ACIs: 20% off all tiers
  • 20+ ACIs: 30% off all tiers
  • Annual prepay: Additional 10-15% discount

How to Purchase

Subscribe to AutoGen xLink via our secure checkout. All subscriptions include 3-month trial.

Purchase Endpoint (RFC 7807 Errors)
// POST to purchase endpoint with product ID
const response = await fetch('https://private.me/aci/checkout', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    product: 'autogen-xlink',
    tier: 'basic' // or 'middle', 'enterprise'
  })
});

// Returns Stripe Checkout URL
const { url } = await response.json();
window.location = url; // Redirect to Stripe

Start 3-Month Free Trial

Real-world applications

Use Cases

AutoGen xLink powers identity-based authentication for multi-agent coordination across industries.

Multi-Agent Orchestration
Agent Coordination
Multiple AutoGen agents collaborate on complex tasks without shared API keys. Each agent has its own identity.
Group Chat Security
Secure Conversations
Group chat between agents with cryptographic verification. No central auth server, no token sharing.
Agent Pipelines
Sequential Workflows
Chain agents in pipelines where each step authenticates the next using identity, not credentials.
Dynamic Agent Networks
Self-Organizing Systems
Agents discover and authenticate each other dynamically using trust registry. No pre-shared secrets.
Setup

Installation

npm
npm install @private.me/autogen-xlink autogen-js
yarn
yarn add @private.me/autogen-xlink autogen-js
pnpm
pnpm add @private.me/autogen-xlink autogen-js
Code examples

Usage Examples

Basic Multi-Agent Setup

Create Multiple Agents
import { AutoGenXLinkAgent } from '@private.me/autogen-xlink';

const researcher = new AutoGenXLinkAgent({
  name: 'researcher',
  verbose: true
});

const writer = new AutoGenXLinkAgent({
  name: 'writer',
  verbose: true
});

console.log(`Researcher DID: ${researcher.getDID()}`);
// Output: Researcher DID: did:key:z6Mkh...

console.log(`Writer DID: ${writer.getDID()}`);
// Output: Writer DID: did:key:z6Mke...

Agent-to-Agent Calls

Make Authenticated Calls
// Call another agent using its DID
const result = await researcher.call(writer.getDID(), {
  task: 'write-summary',
  topic: 'AI trends',
  data: {
    finding1: 'Large models improving efficiency',
    finding2: 'Reduced hallucination rates'
  }
});

if (result.ok) {
  console.log('Result:', result.value);
} else {
  console.error('Error:', result.error);
}

Agent Messaging

Send/Receive Messages
// Send message to another agent
await researcher.send(writer.getDID(), {
  type: 'notification',
  message: 'Research complete, ready for writing'
});

// Receive messages
const messages = await writer.receive();
if (messages.ok) {
  for (const msg of messages.value) {
    console.log('Received:', msg);
  }
}

Identity Persistence

Export/Import Identity
// Export identity for storage
const exportResult = await researcher.exportIdentity();
if (exportResult.ok) {
  await fs.writeFile('researcher.key', exportResult.value);
}

// Import identity on restart
const identityBytes = await fs.readFile('researcher.key');
const importResult = await AutoGenXLinkAgent.fromIdentity(identityBytes);

if (importResult.ok) {
  const restoredResearcher = importResult.value;
  console.log(`Restored: ${restoredResearcher.getDID()}`);
}
Technical reference

API Reference

AutoGenXLinkAgent

Main agent class with xLink identity-based authentication.

new AutoGenXLinkAgent(config?: AutoGenXLinkConfig)
Create a new AutoGen agent with cryptographic identity. Identity is generated automatically if not provided.

Config options:
  • name?: string - Agent name (for logging/debugging)
  • agentOptions?: AgentOptions - xLink agent options
  • verbose?: boolean - Enable verbose logging
  • identityProvider?: XLinkIdentityProvider - Custom identity provider
getDID(): string
Get the agent's DID (Decentralized Identifier). Returns a string like did:key:z6Mkh...
call<T>(agentName: string, payload: unknown): Promise<Result<T, Error>>
Call another agent using identity-based authentication. No credentials required.

Parameters:
  • agentName - Name or DID of the agent to call
  • payload - Request payload (task data, parameters, etc.)

Returns: Result<T, Error> - Operation result with ok flag
send(to: string, payload: unknown): Promise<Result<void, Error>>
Send a message to another agent. Fire-and-forget messaging.

Parameters:
  • to - Recipient agent name or DID
  • payload - Message payload
receive<T>(): Promise<Result<T[], Error>>
Receive messages from other agents. Returns array of all pending messages.
register(registryUrl?: string): Promise<Result<void, Error>>
Register this agent with a trust registry for service discovery. Optional for basic usage.

Parameters:
  • registryUrl - Optional trust registry URL
exportIdentity(): Promise<Result<Uint8Array, Error>>
Export agent identity for persistence. Returns PKCS#8 private key bytes.
static fromIdentity(pkcs8: Uint8Array, config?: AutoGenXLinkConfig): Promise<Result<AutoGenXLinkAgent, Error>>
Create agent from existing identity. Use this to restore a previously saved agent.

Parameters:
  • pkcs8 - PKCS#8 private key bytes (from exportIdentity)
  • config - Agent configuration
Transition path

Migration from Traditional Auth

Before: API Keys

Token-Based (Old)
// Configure credentials
const apiKey = process.env.AUTOGEN_API_KEY;
if (!apiKey) throw new Error('API key not configured');

// Every agent needs credentials
const agent1ApiKey = process.env.AGENT1_API_KEY;
const agent2ApiKey = process.env.AGENT2_API_KEY;

// Make request with credentials
const response = await fetch(agentUrl, {
  headers: { 'Authorization': `Bearer ${apiKey}` }
});

if (response.status === 401) {
  throw new Error('Authentication failed');
}

Problems: API keys can be stolen, keys expire and require rotation, revoked keys cascade to all agents, manual credential management per agent.

After: xLink Identity

Identity-Based (New)
// Create agents (identity generated automatically)
const agent1 = new AutoGenXLinkAgent({ name: 'agent1' });
const agent2 = new AutoGenXLinkAgent({ name: 'agent2' });

// Make request (identity-based, can't be stolen)
const result = await agent1.call(agent2.getDID(), payload);

if (!result.ok) {
  // Handle error (but never "key expired")
  console.error(result.error);
}

Benefits: Identity can't be stolen (cryptographic proof), never expires (no rotation needed), no cascading failures (each agent independent), zero credential management.

Feature comparison

xLink vs Traditional Auth

Feature API Keys OAuth 2.0 xLink Identity
Setup Time Minutes Hours 15 seconds
Auth Latency ~50ms ~55,000ms 0.36ms
Can Expire? Yes Yes No
Can Be Stolen? Yes Yes No
Cascading Failures? Yes Yes No
Rotation Required? Yes Yes No
Credential Storage? Required Required Optional
Revocation Support? Manual Automatic Trust Registry
Cryptographic security

Security

Identity Storage

Development (File Storage)
// Store identity in file (for testing only)
const identity = await agent.exportIdentity();
if (identity.ok) {
  await fs.writeFile('agent.key', identity.value);
}
Production (KMS)
// Store in secure key management system
const identity = await agent.exportIdentity();
if (identity.ok) {
  await kms.storeSecret('agent-identity', identity.value);
}

Recommended Storage

  • AWS KMS / Secrets Manager
  • HashiCorp Vault
  • Azure Key Vault
  • Google Cloud Secret Manager

Best Practices

  1. Never commit identity files to git - Add *.key to .gitignore
  2. Encrypt identities at rest - Use KMS or similar encryption service
  3. Rotate identities periodically - Create new identity, update registry, revoke old
  4. Use trust registries in production - Enable discovery and revocation
Security Warning
Private keys are sensitive. Never log them, never commit them to version control, and always encrypt them at rest.
How it works

Architecture

Identity Generation

Agent creates Ed25519 keypair and derives DID. Ready to authenticate immediately.

Authentication Flow

  1. Agent signs request with private key
  2. Recipient extracts DID from request
  3. Recipient verifies signature using public key from DID
  4. Request authorized if signature valid

No Token Lifecycle

Traditional vs xLink
Traditional: Generate → Use → Refresh → Expire → Repeat
xLink:       Generate → Use → (forever, no expiry)

Identity Format

DID Structure
did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
│   │   └─────────────────────────────┬─────────────────────────┘
│   │                                  │
│   │                          Public key (base58)
│   │
│   method (key or privateme)
│
scheme (did)

No Cascading Failures

In traditional auth systems, one expired token causes all agents to retry simultaneously, overloading the refresh server and triggering exponential backoff.

With xLink identity, each agent has independent cryptographic identity. No tokens expire, so cascading failures are impossible.

Common issues

Troubleshooting

Agent creation fails

Solution
// Wrap in try/catch
try {
  const agent = new AutoGenXLinkAgent();
  console.log(`Created: ${agent.getDID()}`);
} catch (error) {
  console.error('Agent creation failed:', error);
}

Agent-to-agent calls fail

Solution
// Always check result.ok
const result = await agent.call('service', data);
if (result.ok) {
  console.log('Success:', result.value);
} else {
  console.error('Failed:', result.error);
}

Identity persistence issues

Solution
// First run: export identity
const agent = new AutoGenXLinkAgent();
const identity = await agent.exportIdentity();
await fs.writeFile('agent.key', identity.value);

// Subsequent runs: import identity
const identityBytes = await fs.readFile('agent.key');
const result = await AutoGenXLinkAgent.fromIdentity(identityBytes);
const agent = result.value;
Metrics

Performance

Memory Usage

  • Agent creation: ~2KB per agent
  • Identity storage: 64 bytes (PKCS#8)
  • Provider: ~1KB

Latency Breakdown

Traditional (OAuth)
Token check:     10ms
Token expired:   yes
Refresh token:   54,853ms ← BOTTLENECK
Retry request:   50ms
────────────────────────
Total:           54,913ms
xLink
Sign request:    0.36ms
Send request:    50ms
────────────────────────
Total:           50.36ms (1091× faster)