Identity-based authentication for Semantic Kernel plugins
Replace API keys, OAuth tokens, and credentials with cryptographic identity. Zero-config setup, no cascading failures, 603× faster authentication. Drop-in integration for Microsoft Semantic Kernel.
Token Cascades Kill Production Systems
Traditional authentication creates cascading failures that bring down entire agent systems. One expired OAuth token can trigger 500+ simultaneous agent restarts, overwhelming your infrastructure.
OAuth token expires ↓ Refresh fails (server down, network issue, quota exceeded) ↓ All dependent agents restart simultaneously ↓ System overload or data loss
This happens at scale. One expired token can trigger 500+ agent restarts. xBind eliminates tokens entirely.
Agent has cryptographic identity (DID) ↓ No tokens to expire ↓ No refresh logic needed ↓ No cascading failures
73.4% faster E2E — Total request latency including authentication overhead
0.36ms overhead — xBind identity check is negligible
Zero failures — No token expiry, no credential rotation, no cascades
Install and Use in 15 Seconds
add to your project to enable identity-based authentication. Works with existing code.
Installation (npm)
npm install @private.me/semantic-kernel @microsoft/semantickernel
Installation (PyPI)
pip install private-me-semantic-kernel
Basic Usage (TypeScript)
import { SemanticKernelxBindPlugin } from '@private.me/semantic-kernel'; // Create plugin (generates identity automatically) const plugin = new SemanticKernelxBindPlugin(); await plugin.initialize(); // Agent has DID automatically console.log(`Agent DID: ${plugin.getDID()}`); // Make authenticated service calls (no credentials needed!) const result = await plugin.call('payments', { amount: 100 });
Basic Usage (Python)
from private_me import semantic_kernel # Create plugin (generates identity automatically) plugin = await semantic_kernel.create_plugin(name='my-plugin') # Agent has DID automatically print(f"Agent DID: {plugin.get_did()}") # Make authenticated service calls (no credentials needed!) result = await plugin.call('payments', {'amount': 100})
That's it. No API keys, no OAuth, no configuration files.
Why AI Agents Choose xBind
xBind reduces cognitive load for AI agents by consolidating authentication into a single package. Instead of navigating 36 error surfaces across 5-10 fragmented packages, agents work with one unified interface.
Integration Complexity Comparison
| Metric | Fragmented (5-10 packages) | xBind (1 package) | Improvement |
|---|---|---|---|
| Token Cost to Debug | 800 tokens | 240 tokens | 70% lower |
| Error Surfaces | 36 | 1 | 97% reduction |
| Recovery Time | 132.8ms | 45.9ms | 65% faster |
| Setup Steps | 9 | 2 | 77% fewer |
xBind was designed from the ground up for AI agent consumption. Structured errors, minimal setup, and zero credential rotation make it the natural choice for LLM-driven workflows.
Purchase & Subscription
3-month trial — No credit card required. Start authenticating plugins with cryptographic identity immediately.
Tiers
Standard pricing: $5/month Basic • $10/month Pro • $15/month Enterprise
- Basic ($5/month) — Semantic Kernel integration, identity auth for functions, plugin security
- Pro ($10/month) — Everything in Basic + advanced skill authentication, custom kernel policies
- Enterprise ($15/month) — Everything in Pro + air-gapped deployment + white-label + compliance support
Volume discounts: 10-30% off for 5+ ACIs
Annual prepay: Additional 10-15% discount
Purchase API
Programmatic subscription via REST API (endpoint: POST /api/purchase or POST /aci/checkout):
POST https://private.me/aci/checkout Content-Type: application/json { "product": "semantic-kernel", "tier": "basic", "email": "user@example.com" }
Success Response
{
"status": "success",
"subscription_id": "sub_1TQvQXBMvV...",
"tier": "basic",
"trial_end": "2026-07-28T12:00:00Z",
"billing_start": "2026-07-29T00:00:00Z"
}
Error Responses (RFC 7807)
{
"type": "https://private.me/errors/invalid-tier",
"title": "Invalid Subscription Tier",
"status": 400,
"detail": "Tier must be 'basic', 'middle', or 'enterprise'",
"instance": "/aci/checkout/req-abc123"
}
Common Error Types
- invalid-tier — Tier must be 'basic', 'middle', or 'enterprise'
- invalid-email — Email format validation failed
- duplicate-subscription — Active subscription already exists for this email
Subscription Management
All subscription management (upgrade, downgrade, cancel, payment method) handled via Stripe Customer Portal:
https://billing.stripe.com/p/login/...
Users receive portal link via email after purchase. Portal handles: billing history, payment method updates, plan changes, cancellation.
Volume Discounts
- 5-9 ACIs: 10% off total
- 10-19 ACIs: 20% off total
- 20+ ACIs: 30% off total
Annual Prepay Discount
Additional 10-15% off when paying annually upfront. Combines with volume discounts. Example: 10 ACIs at $5/month = $50/month = $600/year. With 20% volume discount + 15% annual discount = $408/year (32% total savings).
Subscription Model Summary
Semantic Kernel follows the standard Private.Me ACI subscription model:
- Free trial: 3 months (admin-controlled, default 90 days)
- Basic tier: $5/month — Function auth, plugin security
- Pro tier: $10/month — Basic + skill policies, advanced auth
- Enterprise tier: $15/month — Pro + air-gapped + white-label
- Volume discounts: 10-30% off for 5+ ACIs
- Annual prepay: Additional 10-15% off
- Billing: Monthly recurring via Stripe
- Management: Stripe Customer Portal (upgrade/downgrade/cancel)
Basic Plugin
import { SemanticKernelxBindPlugin } from '@private.me/semantic-kernel'; const plugin = new SemanticKernelxBindPlugin({ name: 'my-plugin', verbose: true }); await plugin.initialize(); console.log(`DID: ${plugin.getDID()}`); // Output: DID: did:key:z6Mkh...
from private_me import semantic_kernel plugin = await semantic_kernel.create_plugin( name='my-plugin', verbose=True ) print(f"DID: {plugin.get_did()}") # Output: DID: did:key:z6Mkh...
Service Calls
// Call a service using identity-based auth const result = await plugin.call('data-processing', { action: 'analyze', dataset: 'user-behavior' }); if (result.ok) { console.log('Result:', result.value); } else { console.error('Error:', result.error); }
# Call a service using identity-based auth result = await plugin.call('data-processing', { 'action': 'analyze', 'dataset': 'user-behavior' }) if result.ok: print('Result:', result.value) else: print('Error:', result.error)
Agent-to-Agent Communication
// Send message to another agent await plugin.send('did:key:z6MkhaXg...', { type: 'task', data: { task: 'process-data' } }); // Receive messages const messages = await plugin.receive(); console.log(`Received ${messages.length} messages`);
# Send message to another agent await plugin.send('did:key:z6MkhaXg...', { 'type': 'task', 'data': {'task': 'process-data'} }) # Receive messages messages = await plugin.receive() print(f"Received {len(messages)} messages")
Export and Restore Identity
// Export identity (PKCS#8 private key) const exportResult = await plugin.exportIdentity(); if (exportResult.ok) { // Store exportResult.value securely (OS keychain, encrypted file, etc.) } // Restore from PKCS#8 key later const restoreResult = await SemanticKernelxBindPlugin.fromIdentity( savedPrivateKey ); if (restoreResult.ok) { const restoredPlugin = restoreResult.value; console.log(`Restored DID: ${restoredPlugin.getDID()}`); }
# Export identity (PKCS#8 private key) export_result = await plugin.export_identity() if export_result.ok: # Store export_result.value securely (OS keychain, encrypted file, etc.) saved_key = export_result.value # Restore from PKCS#8 key later restore_result = await semantic_kernel.from_identity( saved_key ) if restore_result.ok: restored_plugin = restore_result.value print(f"Restored DID: {restored_plugin.get_did()}")
Core API
SemanticKernelxBindPlugin
- constructor(options?) — Create plugin with optional configuration
- initialize() — Generate cryptographic identity (async)
- getDID() — Get decentralized identifier (DID)
- call(service, payload) — Call authenticated service
- send(to, payload) — Send message to another agent
- receive() — Receive pending messages
- exportIdentity() — Export PKCS#8 private key
- fromIdentity(pkcs8Key) — Restore from PKCS#8 key (static)
- getIdentity() — Get underlying identity object
xBindToolkit Methods
import { xBindToolkit } from '@private.me/semantic-kernel'; const identity = plugin.getIdentity(); const toolkit = new xBindToolkit(identity); // Get all tools const tools = toolkit.getAllTools(); // [ // { name: 'get_did', ... }, // { name: 'call_service', ... }, // { name: 'send_message', ... }, // { name: 'receive_messages', ... }, // { name: 'sign_data', ... } // ] // Use specific tool const didTool = toolkit.getDIDTool(); const didResult = await didTool.invoke({});
Available Tools
- get_did — Get agent's DID
- call_service — Call authenticated service
- send_message — Send message to another agent
- receive_messages — Receive pending messages
- sign_data — Sign data with cryptographic signature
Result Type Pattern
All async operations return Result<T, Error>:
const result = await plugin.call('service', {}); if (result.ok) { // result.value contains the response console.log('Success:', result.value); } else { // result.error contains the error console.error('Failed:', result.error.message); }
Real-World Use Cases
LLM Function Calling
Authenticate external API calls triggered by LLM function calling. Every function call uses cryptographic identity instead of API keys.
// LLM decides to call external payment API const result = await plugin.call('payments', { action: 'charge', amount: 99.99, currency: 'USD' }); // No API keys needed — identity proves authorization
Plugin Systems
Secure authentication between Semantic Kernel plugins. Each plugin has its own cryptographic identity, eliminating shared API keys.
Skill Orchestration
Chain multiple skills with identity-based trust. Skills communicate directly via DIDs, with capability-based access control enforced by Trust Registry.