Stop saying "Trust me, I have the key." Prove who you are with cryptographic signatures.
An API request arrives with a valid key. You have no idea who sent it. You don't know if it's the legitimate service or an attacker who stole the key. The key is a bearer token — whoever has it can use it. There's no proof of identity. Just possession.
This is the fundamental flaw of shared secrets. A key says "Trust me, I have the secret." It doesn't say "I am Service A and I can prove it." Anyone who copies the key can impersonate the owner. Forever. Until you rotate.
When a breach happens, you can't even tell which requests were real and which were the attacker. The audit log shows the same key used everywhere. No attribution. No proof. Just a compromised credential and a security incident report that starts with "We don't know..."
Cryptographic signatures prove identity. Every message is signed with the sender's private key. The signature mathematically proves the message came from the holder of the private key behind that specific DID (decentralized identifier). You can verify it. You can't fake it. You can't impersonate.
If an attacker steals a signature, it's worthless. The signature is tied to the message content and a nonce, so it only works once, for that specific message, as long as the verifier rejects any nonce it has already accepted. The attacker can't replay it. They can't modify it. They can't use it to send new messages.
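The binding described above, as an added example for Node.js (not this product's code or API): an Ed25519 signature over sender, nonce and payload, checked by a verifier that remembers accepted nonces. The function names, the 'service-a' id and the payload strings are constructed for illustration, and only the classical Ed25519 half of a hybrid scheme is shown.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Bytes covered by the signature: sender id, one-time nonce and payload.
// JSON of a fixed-order array of strings keeps the encoding unambiguous.
function signingInput(sender, nonce, payload) {
  return Buffer.from(JSON.stringify([sender, nonce, payload]), 'utf8');
}

// Sender side: fresh random nonce per message, one signature over all fields.
function signMessage(privateKey, sender, payload) {
  const nonce = randomBytes(16).toString('hex');
  const signature = sign(null, signingInput(sender, nonce, payload), privateKey);
  return { sender, nonce, payload, signature: signature.toString('base64') };
}

// Receiver side: one public key per known sender plus a record of used nonces.
// Assumption: an in-memory Set; a real service would bound and persist it.
function createVerifier(publicKeys) {
  const seenNonces = new Set();
  return function check(msg) {
    const key = publicKeys.get(msg.sender);
    if (!key) return 'unknown-sender';
    const input = signingInput(msg.sender, msg.nonce, msg.payload);
    if (!verify(null, input, key, Buffer.from(msg.signature, 'base64'))) {
      return 'bad-signature';
    }
    // Record the nonce only after the signature checks out, so unsigned
    // traffic cannot fill the store or burn a legitimate sender's nonce.
    const id = JSON.stringify([msg.sender, msg.nonce]);
    if (seenNonces.has(id)) return 'replayed';
    seenNonces.add(id);
    return 'accepted';
  };
}

// Constructed demo: service-a is registered; the attacker has only its own key.
function demo() {
  const serviceA = generateKeyPairSync('ed25519');
  const attacker = generateKeyPairSync('ed25519');
  const check = createVerifier(new Map([['service-a', serviceA.publicKey]]));
  const msg = signMessage(serviceA.privateKey, 'service-a', 'charge:42');
  return {
    first: check(msg),
    replay: check(msg),
    tampered: check({ ...msg, payload: 'charge:9000' }),
    forged: check(signMessage(attacker.privateKey, 'service-a', 'charge:42')),
  };
}
console.log(demo());
```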
Post-quantum ready: Hybrid signatures (Ed25519 + ML-DSA-65) protect against both classical and quantum attacks. Your proof of identity survives the quantum computing era.
const conn = await connect('payments')
await conn.value.agent.send({ to, payload })