Stop shipping to production with long-lived, copy-pasted secrets. Hessra gives every job, service, and agent its own ephemeral, delegatable identity instead of a shared API key.
It's a new primitive for machine identity — stronger than API keys, more flexible than SPIFFE. Built in Rust, powered by Biscuit tokens.
A compromised CI job or AI agent shouldn't be a catastrophe. Give each workload its own short-lived, single-purpose identity that can be delegated with narrowing scope and evaporates when the job ends. When something breaks, the blast radius is already contained.
Stop managing static API keys for your SaaS customers. Let customers mint and delegate their own scoped API identities for each integration, while you keep a single, central policy for what those keys are actually allowed to do.
Our identity model is the foundation for powerful authorization that lets you ship with confidence. Prevent lateral movement by cryptographically chaining service calls. Safely deploy to customer environments with multi-party authorization, giving both you and your customer shared control over policy.
Mint a root identity for your service or user via mTLS or OAuth. From this root, you can begin to delegate new, more specific identities to the actual workloads doing the work.
Delegate new, scoped-down identities to sub-services, agents, or CI jobs. This cryptographically verifiable chain of authority is created at the edge, without calling back to a central service.
Use a delegated identity to request a single-use authorization token for a specific action, or verify the identity itself. Verification is instant, decentralized, and requires no network callbacks to Hessra.
Issue per-job credentials instead of handing pipelines broad cloud/API keys. Your root job can authenticate and delegate to sub-jobs. Identities can evaporate when the jobs do.
Give each agent—and each verifiable sub-agent—its own ephemeral identity. Restrict scope by dataset, system, or operation. Have agents act as themselves instead of sharing a single root API key.
Replace static API keys with a secure, delegatable credential system. Allow your customers to create and manage access for their own integrations and users, reducing your support load and security risk. You control the central policy, they manage their own identities.
Service-to-service calls, edge gateways, Postgres RLS, and more. Single scoped capability tokens that travel with your requests and are verifiable anywhere.