Platform Philosophy

APIs Have Keys. ACIs Have Identity.

The fundamental architectural difference between API keys (shared secrets) and ACIs (cryptographic identity).

What's an API Key?

An API key is a shared secret. You generate a random string, give it to a client, and the client sends it with every request. If the key matches, the request is authenticated.

This model was designed in 2000, when machines talked to centralized servers. It breaks down when machines talk to each other at scale.

The Core Difference

API (Keys)

  • Shared secrets (both parties know the key)
  • Manual rotation required
  • Revocation requires coordination
  • One key = one quota (shared)
  • Key sprawl at scale
  • Leaks require rotating all copies

ACI (Identity)

  • Public/private key pairs (zero shared secrets)
  • No rotation needed
  • Instant revocation (one DID)
  • One identity = one quota (isolated)
  • Zero key management
  • Compromise affects one identity only

Why Identity Wins

API keys were never designed for machine-to-machine (M2M) communication at scale. They worked when you had 5 microservices. They break when you have 500.

With ACIs, each machine gets a DID (cryptographic identity). No shared secrets. No rotation schedule. No "which key belongs to which service?" spreadsheet. When you revoke a DID, exactly one agent stops working. Everything else keeps running.

The rate limiting advantage: 1,000 workers with API keys = 1 shared quota. 1,000 workers with DIDs = 1,000 separate quotas. Your throughput scales linearly.
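The verifier side of the model described above, as an added example (not xLink code and not its wire format): the server stores only public keys, revocation removes one identity, and each identity is counted against its own quota. `IdentityVerifier`, `makeWorker` and the `did:example:` identifiers are constructed for illustration.

```javascript
// Added example: identity-based request checks with Ed25519 (Node.js built-in crypto).
const nodeCrypto = require('node:crypto');

class IdentityVerifier {
  constructor(quotaPerIdentity) {
    this.keys = new Map();    // identity -> public key (no secret is stored server-side)
    this.revoked = new Set(); // identities that must no longer be accepted
    this.used = new Map();    // identity -> requests counted against its own quota
    this.quota = quotaPerIdentity;
  }
  register(id, publicKey) { this.keys.set(id, publicKey); }
  revoke(id) { this.revoked.add(id); }
  // Returns 'ok' or the reason the request was rejected.
  check({ id, body, signature }) {
    const key = this.keys.get(id);
    if (!key) return 'unknown-identity';
    if (this.revoked.has(id)) return 'revoked';
    // For Ed25519 the algorithm argument is null; the key type selects the scheme.
    if (!nodeCrypto.verify(null, Buffer.from(body), key, signature)) return 'bad-signature';
    const n = (this.used.get(id) || 0) + 1;
    if (n > this.quota) return 'quota-exceeded';
    this.used.set(id, n);
    return 'ok';
  }
}

// Client side: the private key stays inside the worker; only the public key is registered.
// Simplification: a real protocol also signs a nonce or timestamp to stop replayed requests.
function makeWorker(id) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const sign = (body) => ({ id, body, signature: nodeCrypto.sign(null, Buffer.from(body), privateKey) });
  return { id, publicKey, sign };
}

function demo() {
  const verifier = new IdentityVerifier(2);
  const a = makeWorker('did:example:worker-a'); // constructed identifiers
  const b = makeWorker('did:example:worker-b');
  for (const w of [a, b]) verifier.register(w.id, w.publicKey);
  const results = [
    verifier.check(a.sign('charge:1')),                  // ok
    verifier.check(a.sign('charge:2')),                  // ok
    verifier.check(a.sign('charge:3')),                  // quota-exceeded (a's quota only)
    verifier.check(b.sign('charge:4')),                  // ok (b's quota is separate)
    verifier.check({ ...b.sign('charge:5'), id: a.id }), // bad-signature (b signing as a)
  ];
  verifier.revoke(a.id);
  results.push(verifier.check(a.sign('charge:6')), verifier.check(b.sign('charge:7'))); // revoked, ok
  return results;
}
```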

Canonical Code — xLink Quickstart
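// `to` and `payload` are defined by the caller; top-level await requires an ES module or an async function.
const conn = await connect('payments')
await conn.value.agent.send({ to, payload })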
