Concept

Overview

Applies to: .NET SDK, Node.js SDK Last updated: 2026-06-11

HexaEight provides cryptographic identity and end-to-end encrypted messaging for AI Assistants and Agents, humans, and machines. Every message your application sends or receives carries a verifiable identity, and every message can be authorised against a set of rules — without certificates, without OAuth, without a central key directory.

What you can build with HexaEight

Once you integrate the SDK, your application can:

How the documentation is organised

These docs are arranged for a developer learning HexaEight from scratch. Work through them in order if you are new; jump to the section you need if you are not.

SectionWhat it containsWhen to use it
Concepts The problems HexaEight solves and the mental model behind the SDK Read first, before writing any code
Get Started Install, activate an identity, send a working message Hands-on tutorial, end to end in about 15 minutes
How-to Focused, single-task pages with working code (encrypt a message, allow a sender, enable swarm mode, etc.) Look up any specific task you need to do
Reference Complete API listings, wire format spec, glossary, error codes Lookup of specific methods, types, or formats

Identity comes first

Every HexaEight integration begins with an identity. An identity is either:

Identities are issued once and remain valid for the duration of the underlying HexaEight license — for the term of a standalone license, or for as long as an Azure Marketplace VM remains running. Within that period, there is no certificate enrolment, no key rotation, no OAuth flow, and no re-keying cycle. See Identity model for the full lifecycle.

Authorisation is built in

The SDK does not stop at encryption. Every message that arrives is also checked against a set of policy rules before being delivered to your code. By default, the SDK is in a friendly bootstrap mode that lets every message through. As soon as you add your first rule, enforcement starts.

Rules describe who can send messages to your agent, who you can send messages to, and under what conditions. The model is small (four levels of rules), built around cryptographic identity, and has no external dependencies. If you have an existing authorisation system (LDAP, OAuth, OPA), you can plug it in instead.

One model, many languages

The cryptographic core is implemented in .NET. Other language SDKs wrap that core so the same identities and policies work everywhere:

LanguageStatus
.NETStable — shipping
Node.jsStable — shipping (Linux, macOS, WSL2)
PythonIn development
Browser (WASM)Planned

Every page in this documentation that contains code shows examples in each SDK that is currently available.

See also