Identity-based authentication for Semantic Kernel plugins
Replace API keys, OAuth tokens, and credentials with cryptographic identity. Zero-config setup, no cascading failures, 603× faster authentication. Drop-in integration for Microsoft Semantic Kernel.
Token Cascades Kill Production Systems
Traditional authentication creates cascading failures that bring down entire agent systems. One expired OAuth token can trigger 500+ simultaneous agent restarts, overwhelming your infrastructure.
OAuth token expires ↓ Refresh fails (server down, network issue, quota exceeded) ↓ All dependent agents restart simultaneously ↓ System overload or data loss
This happens at scale. One expired token can trigger 500+ agent restarts. xLink eliminates tokens entirely.
Agent has cryptographic identity (DID) ↓ No tokens to expire ↓ No refresh logic needed ↓ No cascading failures
73.4% faster E2E — Total request latency including authentication overhead
0.36ms overhead — xLink identity check is negligible
Zero failures — No token expiry, no credential rotation, no cascades
Install and Use in 15 Seconds
Installation
npm install @private.me/semantic-kernel-xlink @microsoft/semantickernel
Basic Usage
import { SemanticKernelXLinkPlugin } from '@private.me/semantic-kernel-xlink'; // Create plugin (generates identity automatically) const plugin = new SemanticKernelXLinkPlugin(); await plugin.initialize(); // Agent has DID automatically console.log(`Agent DID: ${plugin.getDID()}`); // Make authenticated service calls (no credentials needed!) const result = await plugin.call('payments', { amount: 100 });
That's it. No API keys, no OAuth, no configuration files.
Purchase & Subscription
3-month trial — No credit card required. Start authenticating plugins with cryptographic identity immediately.
Tiers
Standard pricing: $5/month Basic • $10/month Middle • $15/month Enterprise
- Basic ($5/month) — Semantic Kernel integration, identity auth for functions, plugin security
- Middle ($10/month) — Everything in Basic + advanced skill authentication, custom kernel policies
- Enterprise ($15/month) — Everything in Middle + air-gapped deployment + white-label + compliance support
Volume discounts: 10-30% off for 5+ ACIs
Annual prepay: Additional 10-15% discount
Purchase API
Programmatic subscription via REST API (endpoint: POST /api/purchase or POST /aci/checkout):
POST https://private.me/aci/checkout Content-Type: application/json { "product": "semantic-kernel-xlink", "tier": "basic", "email": "user@example.com" }
Success Response
{
"status": "success",
"subscription_id": "sub_1TQvQXBMvV...",
"tier": "basic",
"trial_end": "2026-07-28T12:00:00Z",
"billing_start": "2026-07-29T00:00:00Z"
}
Error Responses (RFC 7807)
{
"type": "https://private.me/errors/invalid-tier",
"title": "Invalid Subscription Tier",
"status": 400,
"detail": "Tier must be 'basic', 'middle', or 'enterprise'",
"instance": "/aci/checkout/req-abc123"
}
Common Error Types
- invalid-tier — Tier must be 'basic', 'middle', or 'enterprise'
- invalid-email — Email format validation failed
- duplicate-subscription — Active subscription already exists for this email
Subscription Management
All subscription management (upgrade, downgrade, cancel, payment method) handled via Stripe Customer Portal:
https://billing.stripe.com/p/login/...
Users receive portal link via email after purchase. Portal handles: billing history, payment method updates, plan changes, cancellation.
Volume Discounts
- 5-9 ACIs: 10% off total
- 10-19 ACIs: 20% off total
- 20+ ACIs: 30% off total
Annual Prepay Discount
Additional 10-15% off when paying annually upfront. Combines with volume discounts. Example: 10 ACIs at $5/month = $50/month = $600/year. With 20% volume discount + 15% annual discount = $408/year (32% total savings).
Subscription Model Summary
Semantic Kernel xLink follows the standard Private.Me ACI subscription model:
- Free trial: 3 months (admin-controlled, default 90 days)
- Basic tier: $5/month — Function auth, plugin security
- Middle tier: $10/month — Basic + skill policies, advanced auth
- Enterprise tier: $15/month — Middle + air-gapped + white-label
- Volume discounts: 10-30% off for 5+ ACIs
- Annual prepay: Additional 10-15% off
- Billing: Monthly recurring via Stripe
- Management: Stripe Customer Portal (upgrade/downgrade/cancel)
Basic Plugin
import { SemanticKernelXLinkPlugin } from '@private.me/semantic-kernel-xlink'; const plugin = new SemanticKernelXLinkPlugin({ name: 'my-plugin', verbose: true }); await plugin.initialize(); console.log(`DID: ${plugin.getDID()}`); // Output: DID: did:key:z6Mkh...
Service Calls
// Call a service using identity-based auth const result = await plugin.call('data-processing', { action: 'analyze', dataset: 'user-behavior' }); if (result.ok) { console.log('Result:', result.value); } else { console.error('Error:', result.error); }
Agent-to-Agent Communication
// Send message to another agent await plugin.send('did:key:z6MkhaXg...', { type: 'task', data: { task: 'process-data' } }); // Receive messages const messages = await plugin.receive(); console.log(`Received ${messages.length} messages`);
Export and Restore Identity
// Export identity (PKCS#8 private key) const exportResult = await plugin.exportIdentity(); if (exportResult.ok) { // Store exportResult.value securely (OS keychain, encrypted file, etc.) } // Restore from PKCS#8 key later const restoreResult = await SemanticKernelXLinkPlugin.fromIdentity( savedPrivateKey ); if (restoreResult.ok) { const restoredPlugin = restoreResult.value; console.log(`Restored DID: ${restoredPlugin.getDID()}`); }
Core API
SemanticKernelXLinkPlugin
- constructor(options?) — Create plugin with optional configuration
- initialize() — Generate cryptographic identity (async)
- getDID() — Get decentralized identifier (DID)
- call(service, payload) — Call authenticated service
- send(to, payload) — Send message to another agent
- receive() — Receive pending messages
- exportIdentity() — Export PKCS#8 private key
- fromIdentity(pkcs8Key) — Restore from PKCS#8 key (static)
- getIdentity() — Get underlying identity object
XLinkToolkit Methods
import { XLinkToolkit } from '@private.me/semantic-kernel-xlink'; const identity = plugin.getIdentity(); const toolkit = new XLinkToolkit(identity); // Get all tools const tools = toolkit.getAllTools(); // [ // { name: 'get_did', ... }, // { name: 'call_service', ... }, // { name: 'send_message', ... }, // { name: 'receive_messages', ... }, // { name: 'sign_data', ... } // ] // Use specific tool const didTool = toolkit.getDIDTool(); const didResult = await didTool.invoke({});
Available Tools
- get_did — Get agent's DID
- call_service — Call authenticated service
- send_message — Send message to another agent
- receive_messages — Receive pending messages
- sign_data — Sign data with cryptographic signature
Result Type Pattern
All async operations return Result<T, Error>:
const result = await plugin.call('service', {}); if (result.ok) { // result.value contains the response console.log('Success:', result.value); } else { // result.error contains the error console.error('Failed:', result.error.message); }
Real-World Use Cases
LLM Function Calling
Authenticate external API calls triggered by LLM function calling. Every function call uses cryptographic identity instead of API keys.
// LLM decides to call external payment API const result = await plugin.call('payments', { action: 'charge', amount: 99.99, currency: 'USD' }); // No API keys needed — identity proves authorization
Plugin Systems
Secure authentication between Semantic Kernel plugins. Each plugin has its own cryptographic identity, eliminating shared API keys.
Skill Orchestration
Chain multiple skills with identity-based trust. Skills communicate directly via DIDs, with capability-based access control enforced by Trust Registry.