Identity-Based Authentication for Haystack RAG Pipelines
Replace API keys in Haystack RAG pipelines with cryptographic identity. Zero-config setup, enterprise-grade access control, no cascading failures. Secure document retrieval with three-tier classification.
Quick Start (15 seconds)
Get started with Haystack xLink in 15 seconds. Create a RAG pipeline with identity-based authentication and enterprise-grade access control.
npm install @private.me/haystack-xlink haystack
import { HaystackXLinkRAG, createXLinkDocument } from '@private.me/haystack-xlink'; // Create RAG pipeline (generates identity automatically) const rag = new HaystackXLinkRAG({ verbose: true }); // Add documents with access control const doc = createXLinkDocument( 'Sensitive information', rag.getDID(), 'confidential' // Access level: public | internal | confidential ); await rag.addDocument(doc); // Retrieve with identity-based access const result = await rag.retrieve('query', agentDID); // Returns only documents the requestor has access to
The Problem: API Key Proliferation
Traditional RAG systems require credential management at every layer. Each credential can be lost, stolen, or rotated independently, causing cascading failures and outages.
| Traditional Approach | Problem |
|---|---|
| Database API Key | Lost credentials → data unavailable |
| Document API Key | Rotation → pipeline breaks |
| Vector DB Key | Expiry → search fails |
| LLM Key | Stolen key → unauthorized access |
| Auth Server Key | Compromise → entire system at risk |
The core issue: Each key is an independent failure point. Cascading failures occur when one expired token restarts hundreds of AI agents simultaneously.
Solution: Identity-Based Authentication
xLink replaces all credentials with cryptographic identity. No API keys to manage, no tokens to refresh, no cascading failures.
How It Works
Each RAG pipeline has a cryptographic identity (DID). Documents are tagged with owner DIDs and access levels. Queries include the requestor's DID. The system verifies identity and returns only authorized documents.
┌─────────────┐
│ Agent A │
│ DID: z6Mk.. │
└──────┬──────┘
│
├── Query: "financial"
│
▼
┌────────────────────────────┐
│ HaystackXLinkRAG │
│ - Receives query │
│ - Checks access_level │
│ - Validates DID │
│ - Returns filtered results │
└────────────────────────────┘
│
├── Returns only documents
│ Agent A has access to
│
▼
┌─────────────┐
│ Results │
│ Filtered │
│ by access │
└─────────────┘
Features
Zero-Config Identity
const rag = new HaystackXLinkRAG(); // Automatically: // - Generates cryptographic key pair // - Creates decentralized identifier (DID) // - Ready for secure communication
Three-Tier Access Control
| Level | Accessible To | Use Case |
|---|---|---|
| public | Everyone | Company handbook, privacy policy |
| internal | Team members | API docs, technical specs |
| confidential | Owner + authorized | Financial reports, customer data |
Document Metadata
const doc = createXLinkDocument( 'Sensitive data', rag.getDID(), 'confidential', { title: 'Q4 Revenue Report', category: 'financial', authorized_dids: ['did:key:z6Mkcollaborator...'], } );
Identity Persistence
// Export identity const identity = await rag.exportIdentity(); // Store securely... // Restore later const restored = await HaystackXLinkRAG.fromIdentity(identity.value); // Same DID, same access rights
Use Cases
Retrieve sensitive financial data with cryptographic identity instead of API keys. Documents include account balances, transactions, loan applications. Access via cryptographic DID, not API keys. Zero credentials to compromise.
confidential access levelPatient records, diagnoses, treatment plans with identity-based control. Doctor's DID verified cryptographically. Every access signed and logged. Satisfies HIPAA BAA requirements.
audit trail + BAAMulti-level classified document retrieval. Government employee DIDs with clearance verification. No shared keys or OAuth tokens to manage. Satisfies FISMA requirements.
3-tier classificationSecure retrieval across teams and departments. Employee handbook, technical specs, customer data. Access by employee role and department (via authorized_dids). Compliance trail for SOC2, ISO27001.
role-based accessPurchase & Subscription
Pricing
Standard pricing: $5/month Basic • $10/month Middle • $15/month Enterprise
| Tier | Price | Features |
|---|---|---|
| Basic | $5/month | Haystack integration, identity auth for pipelines, component security |
| Middle | $10/month | Everything in Basic + advanced node authentication, custom pipeline policies |
| Enterprise | $15/month | Everything in Middle + air-gapped deployment + white-label |
3-month trial - No credit card required
API Purchase Endpoint
curl -X POST https://private.me/api/purchase \ -H "Content-Type: application/json" \ -d '{ "product": "haystack-xlink", "tier": "basic", "customer": { "email": "user@example.com", "connection_id": "conn_abc123" } }'
Error Handling
All errors follow RFC 7807 Problem Details format:
{
"type": "https://private.me/errors/invalid-tier",
"title": "Invalid subscription tier",
"status": 400,
"fields": {
"tier": "Provided value 'premium' is not valid"
}
}
API Reference
HaystackXLinkRAG
Main class for creating RAG pipelines with identity-based access control.
createXLinkDocument()
function createXLinkDocument( content: string, owner_did: string, access_level?: 'public' | 'internal' | 'confidential', metadata?: Record<string, unknown> ): HaystackXLinkDocument
Architecture
Information Flow
┌─────────────┐
│ Agent A │
│ DID: z6Mk.. │
└──────┬──────┘
│
├── Query: "financial"
│
▼
┌────────────────────────────┐
│ HaystackXLinkRAG │
│ - Receives query │
│ - Checks access_level │
│ - Validates DID │
│ - Returns filtered results │
└────────────────────────────┘
│
├── Returns only documents
│ Agent A has access to
│
▼
┌─────────────┐
│ Results │
│ Filtered │
│ by access │
└─────────────┘
Multi-Agent Document Sharing
// Create two independent agents const finance = new HaystackXLinkRAG({ name: 'finance' }); const engineering = new HaystackXLinkRAG({ name: 'engineering' }); // Finance adds confidential document const doc = createXLinkDocument( 'Budget allocation for Q4', finance.getDID(), 'confidential', { authorized_dids: [engineering.getDID()] } // Grant access ); await finance.addDocument(doc); // Engineering can access the shared document const result = await finance.retrieve('budget', engineering.getDID()); // Returns shared document
Security Model
Five-Layer Security
- Document Storage: All documents stored with owner_did + access_level
- Query Processing: Incoming query includes requestor's DID
- Access Check: Server-side verification (not client-side)
- Result Filtering: Only matching documents with granted access returned
- Audit Trail: Every access logged with DID + timestamp
Security Considerations
- Identity Storage: Store identity file securely (OS keychain, secrets manager)
- Access Control: Always enable
enforce_access_control: truein production - Document Metadata: Never store secrets in metadata (use encryption)
- Query Validation: Sanitize search queries before document matching
- Audit Logging: Log all document access with DID + timestamp
Performance
Scaling
- Single instance: Handles up to 10,000 documents
- Multiple instances: Share identity file (read-only mount)
- Vector search: Integrate with Haystack vector backends
- Distributed: Use xLink trust registry for federation