PRIVATE.ME / xLink vs API Keys
Why identity-based connections replace static credentials for AI agents and M2M systems.
API keys are static secrets. Once issued, they persist indefinitely unless manually rotated. 44% of enterprises use static API keys for AI agents. The result: $87 billion in API breaches annually, doubling year-over-year.
Every API key is a liability:
xLink replaces API keys with Decentralized Identifiers (DIDs) backed by Ed25519 signing and X25519 key agreement. Every system and AI agent gets a unique cryptographic identity at creation. No secrets are issued, stored, or rotated.
Authentication is a cryptographic handshake, not a secret comparison:
did:key:z6Mk... — no registry required

| Property | API Keys | xLink (DIDs) |
|---|---|---|
| Secret storage | Required — env vars, vaults, configs | None — the DID is public, the private key never leaves the agent |
| Rotation | Manual, coordination-heavy, error-prone | Not required — ephemeral keys per session |
| Revocation | Requires reissuing a new key to all valid parties | Remove DID from trust registry — immediate, cryptographic |
| Agent identity | Keys are shared — no per-agent accountability | Every agent has a unique DID — individually identifiable and auditable |
| Leak impact | Full access until discovered and rotated | Private key never transmitted — nothing to leak |
| Forward secrecy | Not provided | X25519 ECDH — each session uses ephemeral key material |
| Post-quantum | Not provided | X25519 + ML-KEM-768 hybrid KEM (FIPS 203) deployed |
| Audit trail | Key ID only — cannot distinguish agents sharing a key | DID-signed requests — tamper-evident, per-agent attribution |
| AI agent support | Static tokens — no lifecycle management | Native — each agent gets a DID at creation, ~50µs |
```sh
npm install @xail/agent-sdk
```

```js
// Import path assumed from the package name above; the page shows only the call below.
import { Agent } from '@xail/agent-sdk';

const agent = await Agent.create();
console.log(agent.did);
// did:key:z6MkhaXg... — no API key required
```
Each agent gets a DID automatically. No key issuance, no secret storage, no rotation schedule.