Same topologies, different identity model

An eight-service mesh, authenticated two ways. Both panels show identical connectivity. The difference is what each model has to manage to make it work — and what happens when one node is compromised.

Bearer-credential model

API keys

0 stored secrets
8 services

Each glyph is one stored API key — provisioned per service pair, per direction

A mesh of 8 services authenticating to each other requires up to 56 stored credentials.

Cryptographic identity

xBind ACIs

0 identities
8 services

One DID per service — the identity itself Each pulse is one signed message — verified per-message, not per-connection

The same mesh, where each service holds a single keypair as its identity.

Scene 1 / 4 · Topology

Connection (mesh edge — same on both sides)

Compromise event (Scene 4)

The topology is identical. The credential surface is not. With shared bearer credentials, compromise propagates along every relationship that key authorized. With cryptographic identity, compromise is bounded to the ACI whose private key was lost — every other identity in the mesh is unaffected.

Same topology. Different identity model.