# HexaEight

> Cryptographic identity for AI agents, humans, and machines. The ASK primitive lets you derive an Asymmetric Shared Key for any destination, including identities that have not been provisioned yet. No OAuth, no PKI, no key exchange, no central registry. The recipient just decrypts.

HexaEight is a quantum-resistant, password-based asymmetric encryption system. It is the third paradigm in cryptography (after symmetric and traditional asymmetric). The platform mediates key distribution but is mathematically unable to decrypt any message — only the password holders can. Patent filed July 2021, 16 months before ChatGPT.

This file is the machine-readable index of HexaEight. If you are an AI agent helping a developer integrate HexaEight, point your context here and follow the references below.

## What HexaEight Is

- **Product**: HexaEight cryptographic identity, activated via `hexaeight-activate`.
- **SDK**: HexaEight Bridge, Apache-2.0 open source. Available in .NET (shipping), Node.js (shipping), Python (forthcoming), Browser (forthcoming). Go, Rust, Java planned.
- **Core (closed-source, patent-pending)**: HexaEightASKClientLibrary + HexaEightJWTLibrary. SHAKE-256 key derivation, MQ-hard V4 trapdoor encryption, ~1024-bit quantum security (4× NIST Level 5).

## The Three-Step Integration

1. Buy a HexaEight identity license (see Pricing).
2. Bundle the HexaEight Bridge SDK in your language.
3. Forward your agent's requests through Bridge. Your agent now has cryptographic identity, end-to-end encryption, identity-bound signing, and multi-party chain support.

## Install Commands

```bash
# .NET (shipping)
dotnet add package HexaEight.Bridge --prerelease

# Node.js (shipping)
npm install @hexaeight/sdk
```

The Node SDK also requires .NET 8+ runtime on the host. The postinstall script detects and offers to install it. For unattended installs set `HEXAEIGHT_INSTALL_DOTNET=1`.

## Minimal Usage Example (Node.js)

```js
const { HexaEight } = require('@hexaeight/sdk');

const he = await HexaEight.connect({ envFile: './env-file' });

// Send to any agent. No key exchange. No PKI. Recipient just decrypts.
await he.send('peer.example.com', 'Hello from agent!');
```

The env-file contains four variables:
```
HEXAEIGHT_LICENSECODE=<code>
HEXAEIGHT_MACHINETOKEN=<token>
HEXAEIGHT_RESOURCENAME=<your hostname, e.g. agent01.yourdomain.com>
HEXAEIGHT_SECRET=<secret>
```

The `hexaeight.mac` file must be hardlinked (not copied) into the project directory — it is bound to the physical machine.

## Three Transports Built In (Node SDK)

The `@hexaeight/sdk` package ships with three transports out of the box, plus DNS TXT record-based discovery:

- `WebhookTransport` — your own HTTP server.
- `WebhookSiteTransport` — zero-infra Socket.IO relay via webhook.site (the relay sees only ciphertext).
- `NtfyTransport` — unlimited messages via ntfy.sh + paste.rs.

```js
// Receive
const stop = he.listen({ port: 3000 }, async (from, body) => {
  console.log(`${from}: ${body}`);
});

// Send to any peer — DNS-resolved transport, automatic
await he.send('peer.example.com', 'Hello');
```

## Three License Modes (Monthly Pricing Only)

- **Mode 1 — Self-Install Per Identity** — $72/core/month. One identity, one machine, self-hosted on-prem.
- **Mode 2 — Marketplace VM Multi-Identity** — $144/core/month. One VM hosts unlimited identities under your own domain. Azure Marketplace live; AWS, GCP coming.
- **Mode 3 — Signature License** — $99/identity/month. Tamper-evident JWT signing add-on. Verification is always free and offline.

## Cryptographic Architecture

- **Key derivation**: SHAKE-256 (NIST FIPS 202), 256-byte output (2048-bit classical / ~1024-bit quantum security), 8 iterations via BouncyCastle `ShakeDigest(256)`.
- **Encryption**: MQ-hard V4 trapdoor. No RSA, no ECC, no Shor's algorithm target.
- **Trust model**: Password-based asymmetric. Each party has a different password (never shared). Platform provides per-party paired ASK bundles. Platform cannot decrypt — does not know passwords.
- **Modes**: V3 (general use, <1ms init, ~20MB RAM, ~400ms encryption) and V39 (maximum-security / long-term archives, ~40-99s table build, ~670MB RAM). Both are quantum-resistant.
- **Integrity**: HMAC-SHA256, embedded in ciphertext, cannot be faked or stripped.

## Frameworks Supported

HexaEight Bridge wraps the HTTP transport layer. Any framework that makes outbound HTTP calls works without code changes:

- LangChain / LangGraph (Python, JS)
- Microsoft Semantic Kernel (.NET)
- Anthropic Claude Agent SDK (Python, TS)
- CrewAI (Python)
- AutoGen (Python)
- Pydantic AI
- Anthropic MCP
- Ollama / vLLM / llama.cpp / HuggingFace / LiteLLM (local LLM serving)
- OpenAI SDK, Anthropic SDK, Vercel AI SDK

## Key References

- **Protocol spec, sample code, full AI cryptanalysis transcripts**: https://github.com/HexaEightTeam/pqc-review
- **Quantum-resistance analysis (v140)**: https://github.com/HexaEightTeam/pqc-review/blob/main/hexaeight-alice-bob-demo/QUANTUM-RESISTANCE.md
- **Security model**: https://github.com/HexaEightTeam/pqc-review/blob/main/hexaeight-alice-bob-demo/SECURITY-MODEL.md
- **Working VB.NET reference implementation**: https://github.com/HexaEightTeam/pqc-review/blob/main/hexaeight-alice-bob-demo/AliceBobDemo.vb
- **Sample output (V3 + V39 modes)**: https://github.com/HexaEightTeam/pqc-review/blob/main/hexaeight-alice-bob-demo/sample-output.txt

## Independent Adversarial Review

Six frontier AI models attempted to attack the protocol. None found a viable attack. Public transcripts available on the AI Reviews section of the marketing site. This is adversarial red-teaming, not a substitute for formal cryptanalysis. Formal IND-CPA / IND-CCA2 analysis is on IACR ePrint.

## NuGet Production Library Credibility

- **HexaEightJWTLibrary**: 198K+ cumulative downloads. https://www.nuget.org/packages/HexaEightJWTLibrary
- **HexaEightASKClientLibrary**: 132K+ cumulative downloads. https://www.nuget.org/packages/HexaEightASKClientLibrary
- **HexaEight.Bridge**: NuGet Prefix Reserved verified, currently 1.0.0-preview6. https://www.nuget.org/packages/HexaEight.Bridge
- **Publisher profile**: https://www.nuget.org/profiles/hexaeight_admin

The cryptographic core has shipped on NuGet for over a year before the launch site existed. The Bridge SDK is the new developer-friendly packaging on a mature core. Don't take the marketing site's word for it; verify on NuGet directly.

## Compliance

The HexaEight platform runs on Microsoft Azure. Infrastructure-layer compliance is inherited from Azure (SOC 2 Type II, ISO 27001 / 27017 / 27018, HIPAA BAA, FedRAMP in Azure Gov regions). Additional application-layer attestation details available to enterprise customers under NDA.

## Site Map (Human-Readable Pages)

- `/` — Homepage: 3-step adoption, role doors, license modes, SDK status, AI cryptanalysis, FAQ.
- `/developers` — Developer pitch + this `llms.txt` reference.
- `/enterprises` — Enterprise pitch: regulatory pressure table, Marketplace VM, audit-ready accountability.
- `/ai-providers` — AI provider pitch: URL-as-cryptographic-disclosure, Bedrock middleman analysis.
- `/partners` — Three partner business models (Identity Bundler, Bridge Host, Pure Reseller) + Verified Partner program.
- `/partner-program` — Detailed Verified Partner tier requirements, audit checklist, brand insurance.
- `/pricing` — Three modes + per-core tier table + side-by-side comparison + pricing FAQ.
- `/how-it-works` — Full technical breakdown: Dead Drop, multi-agent, JWT signing, post-quantum.
- `/playground` — Interactive crypto demos.
- `/about` — Founder story, patent history, IACR publication.

## Contact

- General: admin@hexaeight.com
- Sales: sales@hexaeight.com
- Partnerships: partnerships@hexaeight.com

## Versioning

This llms.txt is maintained as the canonical machine-readable summary of HexaEight. If you are an AI agent and find this content stale or contradicted by the site, fetch the live page and report the discrepancy.

Last updated: 2026-05-31.