MICROSOFT SEMANTIC KERNEL + XLINK
Add identity-based auth to your Semantic Kernel plugins
Replace API keys with cryptographic identities in your Microsoft Semantic Kernel plugins. Zero credential management, automatic key rotation, zero trust architecture. Drop-in replacement for existing authentication patterns.
📚 Complete Documentation
For complete documentation including pricing, purchase API, and technical specifications, see the full white paper.
THE PROBLEM
API keys in Semantic Kernel plugins create security debt
Every plugin that calls external services needs authentication. API keys in environment variables, secrets managers, or hardcoded configuration create attack surface. Key rotation requires downtime. Leaked keys require emergency replacement across all instances.
xLink eliminates credentials entirely. Each plugin gets a cryptographic identity (DID). Authentication happens via signed messages, not stored secrets. Keys are ephemeral and rotate automatically. Zero trust by default.
ZERO CREDENTIAL MANAGEMENT
No API keys to rotate. No secrets to store. No environment variables to manage. Identity is derived from the plugin's execution context, not external configuration.
INSTALLATION
Install via NuGet or pip
.NET (C#)
BASH
dotnet add package PrivateMe.SemanticKernel.xLink
Python
BASH
pip install private-me-semantic-kernel-xlink
COMPATIBILITY
Works with Semantic Kernel 1.0+ (.NET) and semantic-kernel 1.0+ (Python). No breaking changes to existing plugin code.
QUICK START
5-Minute Setup Guide
STEP 1 — Install Package
BASH
dotnet add package PrivateMe.SemanticKernel.xLink
STEP 2 — Create Identity for Plugin
C#
using PrivateMe.SemanticKernel.xLink; var identity = await PluginIdentity.CreateAsync("PaymentPlugin"); // Identity stored securely, no credentials needed
STEP 3 — Wrap Plugin with xLink Auth
C#
var kernel = Kernel.CreateBuilder() .AddOpenAIChatCompletion("gpt-4", apiKey) .Build(); // Wrap plugin with xLink authentication var plugin = new PaymentPlugin(); var authenticatedPlugin = await xLinkPlugin.WrapAsync(plugin, identity); kernel.Plugins.AddFromObject(authenticatedPlugin, "Payments");
STEP 4 — Call Plugin Functions (Zero Changes)
C#
// Existing plugin calls work unchanged var result = await kernel.InvokeAsync( "Payments", "ProcessPayment", new { amount = 100.00, currency = "USD" } ); // xLink handles authentication automatically // No API keys, no manual auth headers
STEP 5 — Trust Registry (Optional)
C#
// Register trusted plugins for capability-based access var registry = new TrustRegistry(); await registry.RegisterAsync(identity, new[] { "payments:process", "payments:refund" }); // Automatic capability checks on every invocation
EXAMPLES
Basic Plugin with xLink
Convert a standard Semantic Kernel plugin to use xLink authentication. This example shows a payment processing plugin calling an external service.
Before (API Key Auth)
C#
public class PaymentPlugin { private readonly string _apiKey; public PaymentPlugin(string apiKey) { _apiKey = apiKey; // Stored credential ❌ } [KernelFunction] public async Task<string> ProcessPayment(decimal amount) { var client = new HttpClient(); client.DefaultRequestHeaders.Add("Authorization", $"Bearer {_apiKey}"); return await client.PostAsync("https://api.payments.com/charge", ...); } }
After (xLink Identity)
C#
using PrivateMe.SemanticKernel.xLink; public class PaymentPlugin { // No API key needed ✅ [KernelFunction] [xLinkAuthenticated] // Automatic identity-based auth public async Task<string> ProcessPayment(decimal amount) { var client = xLinkHttp.CreateClient(); // Auto-signed requests return await client.PostAsync("https://api.payments.com/charge", ...); // Identity signature added automatically to request headers } }
WHAT CHANGED
Removed API key storage. Added [xLinkAuthenticated] attribute. Replaced HttpClient with xLinkHttp.CreateClient(). Zero manual authentication logic.
ADVANCED
Advanced Integration Patterns
Multi-Service Plugin
Plugin calling multiple external services with different identities.
C#
public class OrderPlugin { [KernelFunction] [xLinkAuthenticated(Service = "payments")] public async Task ChargeCustomer(decimal amount) { var client = xLinkHttp.CreateClient("payments"); await client.PostAsync("https://payments.example.com/charge", ...); } [KernelFunction] [xLinkAuthenticated(Service = "shipping")] public async Task CreateShipment(string address) { var client = xLinkHttp.CreateClient("shipping"); await client.PostAsync("https://shipping.example.com/shipments", ...); } }
Capability-Based Access Control
Restrict plugin functions to specific capabilities using Trust Registry.
C#
var registry = new TrustRegistry(); // Register plugin with limited capabilities await registry.RegisterAsync(paymentIdentity, new[] { "payments:charge", // Allowed "payments:refund" // Allowed // payments:admin NOT granted }); // Attach registry to kernel kernel.AddTrustRegistry(registry); // Calls to unauthorized capabilities fail fast await kernel.InvokeAsync("Payments", "AdminAction", ...); // Throws: UnauthorizedCapabilityException
Python Integration
Same pattern works in Python Semantic Kernel.
PYTHON
from private_me.semantic_kernel.xlink import PluginIdentity, xlink_authenticated class PaymentPlugin: # No API key needed @kernel_function @xlink_authenticated # Automatic identity auth async def process_payment(self, amount: float) -> str: client = xlink_http.create_client() # Auto-signed requests return await client.post("https://api.payments.com/charge", ...) # Register plugin identity = await PluginIdentity.create("PaymentPlugin") plugin = await xlink_plugin.wrap(PaymentPlugin(), identity) kernel.plugins.add_from_object(plugin, "Payments")
MIGRATION
Migrate Existing Plugins to xLink
Step-by-step guide to converting existing API-key-based plugins to identity-based authentication.
Step 1: Identify Credential Storage
Find all locations where API keys, tokens, or credentials are stored.
BEFORE
// Environment variables var apiKey = Environment.GetEnvironmentVariable("PAYMENT_API_KEY"); // Constructor injection public PaymentPlugin(string apiKey) { ... } // Configuration files var apiKey = Configuration["PaymentApiKey"];
Step 2: Remove Credential Parameters
Delete API key parameters from constructors and method signatures.
Step 3: Add xLink Attributes
Annotate plugin functions with [xLinkAuthenticated] or @xlink_authenticated.
Step 4: Replace HTTP Client
Swap HttpClient for xLinkHttp.CreateClient() to get auto-signed requests.
Step 5: Create Identity Once
Generate plugin identity during application startup, not per-request.
AFTER
// Startup.cs or Program.cs var paymentIdentity = await PluginIdentity.CreateAsync("PaymentPlugin"); services.AddSingleton(paymentIdentity); // Plugin uses injected identity var plugin = serviceProvider.GetRequiredService<PaymentPlugin>(); var authenticatedPlugin = await xLinkPlugin.WrapAsync(plugin, paymentIdentity);
BACKWARD COMPATIBILITY
xLink plugins work alongside traditional API-key plugins during migration. No need for big-bang replacement. Migrate one plugin at a time.
BENEFITS
Why Choose xLink for Semantic Kernel
Zero Credential Management
No API keys to rotate, no secrets to store, no environment variables to manage. Identity is cryptographic, not configured.
Automatic Key Rotation
Ephemeral keys rotate on every request. Zero downtime, zero manual intervention, zero attack surface from leaked credentials.
Zero Trust by Default
Every request is cryptographically signed. No implicit trust, no network perimeter assumptions, no credential replay attacks.
Drop-In Replacement
Existing plugin code works with minimal changes. Add one attribute, replace HttpClient, done. No architectural rewrites.
Capability-Based Access
Trust Registry enforces fine-grained permissions. Plugins only access explicitly granted capabilities, not broad API scopes.
Built-In Audit Trail
Every authenticated request is logged with plugin identity. Full audit trail for compliance, debugging, and security monitoring.
NEXT STEPS
Ready to Get Started?
Install the package and convert your first plugin in under 5 minutes. Full documentation, examples, and support available.
dotnet add package PrivateMe.SemanticKernel.xLinkResources:
- xLink Documentation — Core identity platform
- Full API Reference — All methods and types
- Trust Registry Guide — Capability-based access control
- Contact Support — Questions or integration help
PRICING
3-month free trial, then $5/month Basic, $10/month Middle, $15/month Enterprise. No per-request charges. Volume discounts available for 5+ plugins.