MagicEndpoint · Architecture

The Architectural Novelty of the Live Key

Presence is validity.

Online access today is trapped in a loop of token rotation. A bearer token is just a static string: steal it and it works anywhere until it expires. The MagicEndpoint Live Key replaces timed expiration with conditional existence, presence is validity.

The Live Key is a long-lived cryptographic key, sealed in the device's secure hardware, bound to its user at enrollment, and released only while the user is present, the device is verified, and the security posture holds. The moment any of that fails, the user logs off, walks away, the device falls out of policy, it is no longer available to sign: not revoked, not expired, simply absent. In its narrowest form, it is the next-generation passkey: where a passkey asks for a tap at login and often syncs across your devices, the Live Key confirms you continuously with nothing to do, and never leaves the one device it lives on. More broadly, it makes certificates and their complex management optional.

This eliminates the login event. Traditional architectures treat login as a barrier: the user stops working to prove who they are. Instead, the endpoint maintains a trusted channel, a persistent, verified connection, and authentication happens across it as machine-to-machine communication. Verification starts the moment the device boots and runs continuously. You get the security of an ultra-short session without the churn of minting and refreshing short-lived credentials.

How mTLS + Live Key Redefines the DBSC and DPoP Debate

The industry invented Device Bound Session Credentials (DBSC), tying a session cookie to a device key, and DPoP (Demonstrating Proof of Possession), binding a token to a key the client must prove it holds. Both keep a stolen artifact from being replayed elsewhere. The Live Key, instead, pushes deterministic identity assurance, user, device, and posture, directly into the transport layer. Because mTLS authenticates through an active cryptographic operation with the Live Key, there is nothing static to replay or steal, the infostealer finds nothing. With no token to bind, the problem DBSC, DPoP, and token binding address simply dissolves.

The same model covers non-human actors, service accounts, modern machines, OT, and IoT, in possibly disconnected environments. For workloads and AI agents, the current standard, SPIFFE, which gives software workloads their own cryptographic identities, already promotes mTLS. The Live Key adds a hardware-based, simpler approach without certs or rotation where applicable.

None of the cryptography here is new, mTLS, hardware-bound keys, raw public keys, and real-time posture all exist today. The single new step is a key both rooted in hardware and gated by live conditions, so its existence is its validity. That removes rotation, and removing rotation collapses the machinery built to manage it.

Across human users, machines, workloads, and agents, it is the same architecture, the blueprint for zero-trust infrastructure.

FAQ

Live Key, in plain terms

What is the Live Key?

A long-lived cryptographic key, sealed in the device's secure hardware, bound to its user at enrollment, and released only while the user is present, the device is verified and the security posture holds. When any of those conditions fails, it is no longer available to sign: not revoked, not expired, simply absent.

How is the Live Key different from a passkey?

A passkey asks for a tap at login and often syncs across your devices. The Live Key confirms you continuously with nothing to do, and never leaves the one device it lives on.

How does the Live Key compare to DBSC and DPoP?

DBSC and DPoP keep a stolen artifact from being replayed elsewhere by binding it to a key. The Live Key pushes user, device and posture assurance into the transport layer through an active mTLS operation, so there is nothing static to replay or steal.

Does the Live Key require certificates or rotation?

No. Because the key's existence is its validity, there is nothing to mint, refresh or rotate, and certificates and their management become optional where applicable.

How does it secure machines, workloads and AI agents?

The same model covers service accounts, machines, OT, IoT, workloads and AI agents, including in disconnected environments. Where SPIFFE gives workloads cryptographic identities over mTLS, the Live Key adds a hardware-based, simpler approach without certificates or rotation where applicable.

keyboard_arrow_up