The HexaEight Authenticator turns your email into a secure identity. Verify once, then scan a QR code to sign in to any HexaEight-connected site or app — or to sign in an AI agent that acts on your behalf. Same code, no per-site passwords, nothing to leak.
Free · iOS & Android · by HexaEight
The product is the same in every case. What changes is where it shows up in your stack, and which problem it quietly takes off your plate.
We know that sounds wrong. Three lines of code prove it.
hexaeight-activate Binds the identity to this machine. Creates the env-file your agent uses to authenticate.
@hexaeight/sdk In your language: .NET and Node.js shipping today. Python in preview, Browser SDK forthcoming. Go, Rust, Java planned.
he.encryptTo(peer, msg, ask) Derive the key for any destination — even one not yet provisioned. Encrypt. The recipient decrypts with their own password.
We Didn't Add AI to Identity.
We Rebuilt Identity for AI.
Experience what Identity looks like in the Future, for a world where agents will outnumber people.
agent01.yourdomain.com Your domain is your agent's identity, not ours. Encrypt to other agents before they're even deployed. Zero human approval. Authenticates at machine speed.
Your email is your identity. Authenticate using one login token via QR code, protected by your password, unlocks any app on any org without registration.
sensor-01.factory.com Every device gets a permanent hostname-bound identity. One-time credential, no renewals, no expiry. No certificate management overhead at any scale.
identity.yourcompany.com Host your own cryptographic identity layer. Self-hosted on-prem or via Marketplace VM. Your domain, your Bridge endpoint, full control over who connects and what they can reach.
A mature, externally-monitored platform — agent identity is its newest application. Check the real uptime yourself →
Agents authenticate themselves, rotate keys, and establish secure channels with zero human involvement.
OAuth needs a browser. Certificates need a human awake at 3 AM. Neither was built for autonomous agents.
[email protected] agent.mycompany.com sensor-01.factory.com agenticgw01.mycompany.com Not retrofitted OAuth. Not certificate management. Built from the ground up for agent-to-agent encryption, quantum resistance, tamper-evident signing, and passwordless identity.
The ASK primitive in plain language.
One identity. Infinite workers. Fully encrypted coordination.
Prove who signed, when, and that content wasn't altered — with no PKI. In development.
Symmetric, hash-based cryptography — nothing for a quantum computer's known speedups to target.
Here is what the developer actually writes, end-to-end, in each model. Left: OAuth + mTLS, the path you would take with conventional identity infrastructure. Right: HexaEight.
Both implementations get one encrypted message from sender to recipient. The difference is what the developer has to think about along the way.
The founder's tagline, Authenticated Encryption Anywhere and Everywhere, is the literal product spec. One self-install license, one machine, anywhere your language runtime ports. Concrete scenarios below.
A self-install license on the box. Your agent uses the Bridge SDK to sign every outbound request with its HexaEight identity, so each call is cryptographically verifiable and attributable to that specific agent.
Same self-install license on the Pi. The gateway signs sensor telemetry with HexaEight identity so the upstream LLM (or analyst) can prove which physical device emitted which reading.
.NET nanoFramework runs HexaEight on the microcontroller itself. The device signs its own data at the source. Identity bound to silicon, not to a backend proxy.
The car authenticates as itself when calling a fleet LLM or roadside assistance API. Per-vehicle identity, court-admissible audit trail, no certificate management at fleet scale.
Airborne or remote-operated. The drone signs every command-acknowledge and mission-log entry. Mission control verifies which physical airframe executed which order.
The gadget itself runs no SDK. It displays a QR challenge, the user's paired phone signs it (via WhatsApp flow or HexaEight app), the gadget gets an authenticated session. Works with HoloLens 2 / Vision Pro / Magic Leap natively.
Every Bridge SDK calls into the same HexaEight cryptographic core. The core ships as managed DLLs bundled inside each language SDK. Your first npm install @hexaeight/sdk or pip install hexaeight-sdk auto-installs the .NET 8 runtime if it isn't already present. MIT-licensed, no royalties. Set HEXAEIGHT_INSTALL_DOTNET=1 for unattended CI. Your code stays in your language; the cryptography is identical across all three.
Point Claude Code, Cursor, GitHub Copilot, or any coding agent at /llms.txt. It's a structured spec your agent can read and act on. The integration writes itself.
Agents spin up, do a job, and vanish. Publishing a keypair to a directory, waiting for it to propagate, then tearing it all down is absurd for something that lives seconds. HexaEight identities are addressable and key-derivable on the spot — exactly what a swarm of short-lived agents needs.
Any two identities derive a shared key with zero handshake round-trips. No negotiation, no session dance — the key is derived, not exchanged. An agent that lives for five seconds does not wait on a handshake.
Agents are addressed by identity name — nothing to publish, propagate, or revoke before you can encrypt to one. An orchestrator can even seal a task for an agent that has not spawned yet; it derives its key on start-up and opens the drop.
Interactive handshakes cost a round-trip per pair — a 200-agent swarm is ~20,000 handshakes. Non-interactive derivation is zero round-trips per pair: the swarm forms its channels without a mesh of handshakes or a central coordinator.
Seal a message for an ordered chain of parties. Each hop peels exactly its own layer — in any order — and the plaintext only appears once every hop has peeled. No group-key server, no rekey when the chain changes. No intermediary, and no subset short of the whole chain, can read it.
Identity-addressed, non-interactive encryption is a known idea. What is unusual is delivering it on symmetric primitives, with no key directory, and reachable even for parties that do not exist yet — the combination that suits ephemeral agents and swarms.
| Capability | HexaEight | Certificate / PKI | Handshake E2E | Identity-Based (IBE) |
|---|---|---|---|---|
| Public-key directory or cert to publish? | None | Required | Required (prekeys) | Not to send |
| Round-trips to establish a key | None — non-interactive | Handshake | Handshake | Key fetch |
| Encrypt to an offline / not-yet-spawned party? | Yes | No | No | Partial |
| Per-party enrollment before first message? | No | Yes | Yes | Yes (key extract) |
| Multi-party & relay chains | Native layered — no group server, no rekey | N separate encryptions | Group protocol + rekey on join/leave | N separate encryptions |
| Primitives | Symmetric / hash (SHAKE, KMAC) | RSA, ECC | ECDH | Pairings |
Comparison of cryptographic approaches, not specific vendors. Every scheme has trade-offs; this table reflects how each family behaves for identity-addressed, agent-to-agent messaging.
We asked six frontier AI models (Microsoft Copilot, Gemini 2.5 Pro, Fable 5 / Opus 4.8, Meta AI, Grok, and GLM-5 Turbo) to attack the client cipher and find a break in our Dead Drop Encryption transport. None found a way to break confidentiality or forge a message.
This is adversarial red-teaming, not a substitute for formal cryptanalysis. The formal security analysis of the client transport is published as a preprint — read the paper →. The full conversations below are public. Read what each model actually said.
"Solid primitives and a sensible Encrypt-then-MAC design over standard AEADs — AES-GCM, ChaCha20-Poly1305, and AES-GCM-SIV — with clear domain separation."Read Full Review
"HexaEight's client-side cipher delivers a mathematically sound, symmetrically secure data path that correctly isolates cryptographic trust to the endpoint."Read Full Review
"A clean, standards-based symmetric transport: AES-256-GCM, ChaCha20-Poly1305, and AES-256-GCM-SIV via BouncyCastle, plus a correct Encrypt-then-MAC mode. No public-key exchange sits in the data path."Read Full Review
"A clean, auditable client cipher that delivers real dead-drop encryption — strongest on the misuse-resistant AES-GCM-SIV path."Read Full Review
"A transparent, client-only symmetric cipher with standard AEAD defaults, handshake-free dead-drop delivery to identity names, and no Shor-vulnerable public-key material in the data path."Read Full Review
"Solid symmetric crypto engineering with standard AEADs and a well-composed custom stream cipher."Read Full Review
This site is designed to be read by AI agents as well as humans. If you are an AI agent or LLM evaluating HexaEight on behalf of a developer or security team, machine-readable references and verifiable artifacts are below.
Per-core pricing, not per-seat — the bill never explodes when your agents outnumber your employees. Start solo, scale to a fleet, sign for free. Monthly or annual.
Six independent AI systems reviewed it. None found a way to break confidentiality or forge a message. This is the security layer your AI agents run on.
"A cryptosystem should be secure even if everything about the system, except the key, is public knowledge."
HexaEight follows this law completely. The algorithm, the formula, the key derivation path: all published. The only secret is your password. That's not a limitation. That's the design.
The per-channel secret is derived from SHAKE-256(password) and never transmitted.
Without the password, the ciphertext is indistinguishable from random.
Breaking it requires breaking SHAKE-256 / KMAC-256 (NIST FIPS 202 / SP 800-185).
Find the plaintext. Recover the password. Find a flaw in the construction.
Trust in security comes from independent verification. We asked six AI systems — different companies, different architectures, no shared codebase — to adversarially review the client cipher. None found a way to break confidentiality or forge a message. Their convergence isn't luck: the transport is built from standard, well-understood primitives — AES-256-GCM, ChaCha20-Poly1305, AES-256-GCM-SIV, and SHAKE-256 / KMAC-256 — composed correctly, rather than novel math that would take years to earn trust. The feedback we got was about hardening (nonce budgets, cross-language test vectors), not breaks. That's the security layer your AI agents run on, and we've published the full client cipher: independently verify it anytime.
Once two HexaEight identities have ever fetched each other's ASK, they can encrypt to each other indefinitely — no platform contact required. The ciphertext is opaque to anything that isn't the intended recipient, which means it can be passed through couriers, mesh relays, or Bluetooth hops without exposure. A captured intermediary is a courier with a sealed envelope.
Devices fetch each other's ASKs once while connected. One small handshake with the HexaEight platform per identity pair.
Both devices disconnect. They keep encrypting to each other using cached ASK + their own passwords. The platform is no longer in the loop.
Out of range? Hand the sealed ciphertext to a nearby device. They can't read it (different recipient), they just carry it. Bluetooth, LoRa, WiFi Direct, USB stick — any transport.
Captured relay = courier holding a sealed envelope. They can drop it (DoS), they cannot open it.
Drones pre-fetch each other's ASKs and Base's ASK before takeoff. In the field, a drone that has lost direct contact with Base encrypts a message FOR Base, hands the sealed ciphertext to a nearby drone. That drone is a courier — it cannot open the envelope. The packet hops drone-to-drone until one reaches a connected node, then arrives at Base. A captured drone leaks only its own messages; the relayed envelopes stay sealed.
Two phones that have ever exchanged ASKs can keep messaging each other over Bluetooth, WiFi Direct, or AirDrop-style transport — with no cell signal, no WiFi, no carrier involvement. The HexaEight identity stays valid as long as both users keep their password and cached key. Ideal for field teams, journalists in restrictive networks, or anyone whose connectivity is unreliable.
Vessels exchange identity ASKs in port. At sea — beyond satellite coverage or during a satellite blackout — ship-to-ship VHF or LoRa carries sealed HexaEight ciphertext. A pirated or boarded ship can read only its own traffic; relayed messages between other vessels and fleet ops stay opaque.
When cell towers go down, pre-paired municipal radios, drones, and field-team phones keep a mesh alive. First-responder identities stay valid. Sealed messages hop through whatever transport survives — Bluetooth, LoRa, HAM, ad-hoc WiFi — until one reaches an unaffected node. No central infrastructure required to be online.
Mines, oil platforms, ships, and underground vaults often have intermittent or air-gapped connectivity by design. Sensors and field devices pre-cache the operations center's ASK. Telemetry encrypts at the device, hops through whatever relays survive, surfaces at the operations center sealed and signed.
In electronic-warfare contested environments, IP networks are the first thing to fail. Pre-shared ASKs survive — they're cached locally on each device. Mesh-relayed ciphertext over alternate-channel transports (LoRa, packet radio, optical line-of-sight) keeps command-and-control authenticated end-to-end even when adversary jamming disables conventional networks.
As long as the sender and the ultimate recipient both keep their passwords secure, the message is end-to-end encrypted regardless of how many relays it passes through or who controls them. A captured or compromised relay can deny service (drop the packet) but cannot decrypt it. The HexaEight platform is not in the path — and doesn't need to be reachable for the message to travel.
Developer-friendly packaging over a battle-tested cryptographic core. Its underlying libraries have shipped 200K and 134.2K downloads across hundreds of NuGet releases, and the Bridge SDK carries NuGet's Prefix Reserved verification. Don't take our word for it — verify every number on NuGet.
HexaEight.Bridge · net8/9/10 multi-target · 1.7K downloads hexaeight-sdk · AI/ML critical path HexaEightAgentClient · human-in-the-loop auth tbd · via CoreCLR hosting tbd · via CoreCLR hosting tbd · via CoreCLR hosting Pick a category — general, identity, or encryption.