Quickstart

Round-trip a sessioned envelope between two HexaEight identities in under 5 minutes. No PKI, no key exchange — both sides just need each other's identity name.

1. Get one (or two) identities

Buy a license at hexaeight.com/pricing. Each identity ships as a folder containing:

For this quickstart you need two identities (Alice and Bob). One is enough if you only want to see encrypt-to-self.

2. Install the Bridge

.NET

dotnet add package HexaEight.Bridge --prerelease

Node.js

npm install @hexaeight/sdk@preview

The Node SDK requires .NET 8+ on the host. For unattended installs, set HEXAEIGHT_INSTALL_DOTNET=1.

3. Two-party round-trip (.NET)

Both parties know each other's Name (the RESOURCENAME) and agree on a sessionId out of band (a UUID exchanged via your application channel of choice).

Alice — sender

using HexaEight.Bridge;

var alice = new Client();                    // loads Alice's env-file + hexaeight.mac
string bobName   = "bob.example.com";
string sessionId = Guid.NewGuid().ToString();
long   kgt       = CurrentKgt();             // see KGT helper below

string ask = await alice.FetchAskAsync(bobName, kgt);
alice.PinAskForSession(sessionId, ask);

string envelope = await alice.EncryptEnvelopeAsync(
    recipient: bobName,
    body:      "Hello Bob!",
    sessionId: sessionId);

// Send `envelope` and `sessionId` to Bob over any transport — HTTP, queue, file, ntfy.

Bob — recipient

using HexaEight.Bridge;

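var bob = new Client();                      // loads Bob's env-file + hexaeight.mac
string aliceName = "alice.example.com";

// Values Alice sent over your transport (placeholders here).
string sessionId = "<sessionId received from Alice>";
string envelope  = "<envelope received from Alice>";
long   kgt       = CurrentKgt();             // see KGT helper below

string ask = await bob.FetchAskAsync(aliceName, kgt);   // Bob's half of the pair
bob.PinAskForSession(sessionId, ask);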

DecryptedEnvelope msg = await bob.DecryptEnvelopeAsync(envelope);

Console.WriteLine($"From: {msg.Sender}");      // "alice.example.com"
Console.WriteLine($"Body: {msg.Body}");        // "Hello Bob!"
Console.WriteLine($"FromSession: {msg.FromSession}");  // True

KGT helper

static long CurrentKgt()
{
    long m = (long)(DateTime.UtcNow - DateTime.UnixEpoch).TotalMinutes;
    return m - (m % 15);
}

What just happened?

  1. ASK derivation: The platform issued each side their half of an Asymmetric Shared Key pair. Alice got the encrypt-side; Bob got the decrypt-side. The platform cannot derive a key it can decrypt with.
  2. Session binding: Each side pinned its half of the ASK against sha256(sessionId). The wire envelope therefore carries only the session hash — not the sender or recipient identity.
  3. Encryption: Quantum-resistant MQ-V4 trapdoor with HMAC-SHA256 integrity. Tested up to 250 MB plaintext.
  4. Sender verification: Bob learns the sender's identity from msg.Sender, which comes from inside the encrypted JSON — cryptographically unforgeable. This is the trustworthy field, not the wire metadata.

Note: Anonymous-sender mode (where the recipient cannot identify the sender at all) is in the API surface but not yet recommended for production. For now, use sessioned envelopes between known parties, where both sides know each other's Name.
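
A recipient-side acceptance check for point 4 above, as an added example that is not part of the HexaEight documentation or SDK: it accepts a message only when the decrypted Sender matches the peer the session was agreed with, and never consults what the transport claimed. SessionGate, Verdict and the Decrypted record are hypothetical names; Decrypted stands in for the three DecryptedEnvelope fields shown above so the snippet runs without the SDK, and rejecting FromSession == false is an assumption about that flag's meaning.

```csharp
using System;
using System.Collections.Generic;

// Constructed sample: Bob agreed this session with Alice out of band.
var gate = new SessionGate();
string sessionId = "3f1c2a9e-0000-4000-8000-000000000001";
gate.Expect(sessionId, "alice.example.com");

// Each entry: sender claimed by the transport, session id, decrypted fields.
var samples = new (string TransportFrom, string Session, Decrypted Msg)[]
{
    ("alice.example.com", sessionId, new Decrypted("alice.example.com", "Hello Bob!", true)),
    ("alice.example.com", sessionId, new Decrypted("mallory.example.com", "pay me", true)),
    ("alice.example.com", sessionId, new Decrypted("alice.example.com", "no session", false)),
    ("alice.example.com", "not-agreed", new Decrypted("alice.example.com", "hi", true)),
};

foreach (var s in samples)
{
    Verdict v = gate.Check(s.Session, s.Msg);
    Console.WriteLine($"transport={s.TransportFrom} Sender={s.Msg.Sender} -> {v}");
}

enum Verdict { Accept, UnknownSession, NotSessionBound, SenderMismatch }

// Stand-in for the DecryptedEnvelope fields the quickstart reads (assumption:
// Sender and Body are strings, FromSession is a bool).
record Decrypted(string Sender, string Body, bool FromSession);

// Hypothetical helper, not part of HexaEight.Bridge.
sealed class SessionGate
{
    private readonly Dictionary<string, string> _peerBySession = new(StringComparer.Ordinal);

    public void Expect(string sessionId, string peerName) => _peerBySession[sessionId] = peerName;

    public Verdict Check(string sessionId, Decrypted msg)
    {
        if (!_peerBySession.TryGetValue(sessionId, out var expected))
            return Verdict.UnknownSession;
        if (!msg.FromSession)          // assumption: false means no pinned session was used
            return Verdict.NotSessionBound;
        // Exact match on the decrypted Sender; transport metadata is never consulted.
        return string.Equals(msg.Sender, expected, StringComparison.Ordinal)
            ? Verdict.Accept
            : Verdict.SenderMismatch;
    }
}
```

In a real recipient, call `Expect` when the sessionId is agreed and pass the result of `DecryptEnvelopeAsync` through the same three checks before acting on `msg.Body`.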

Encrypt-to-self (single identity, optional)

If you only have one identity and want to see the round-trip:

var me = new Client();
string sessionId = Guid.NewGuid().ToString();
string ask = await me.FetchAskAsync(me.Name, CurrentKgt());
me.PinAskForSession(sessionId, ask);

string envelope = await me.EncryptEnvelopeAsync(me.Name, "secret", sessionId: sessionId);
var msg = await me.DecryptEnvelopeAsync(envelope);
Console.WriteLine(msg.Body);   // "secret"

Next steps