ACE Passport
AI-native authentication that never expires. Your passport is a device-bound cryptographic identity.
Traditional JWT tokens and API keys have fundamental issues when used with AI tools:
JWT tokens expire after 30 days, breaking your workflow unexpectedly.
Tokens in the shell, the config file, and MCP constantly get out of sync.
Wrong organization ID in token means database routing fails.
Environment variables don't inherit properly to child processes.
ACE Passport is like a real passport - issued once, never expires, gets stamped by services:
Your passport is permanent until you revoke it. No more token refresh issues.
Cryptographically tied to your device. Can't be copied or stolen.
Everything in ~/.ace/passport.json. All tools read the same file.
Trust score grows over time based on your usage patterns.
Create Passport
When you run ace passport create, ACE generates:
- Fingerprint - Hash of machine ID + install path + platform + entropy
- Keypair - Ed25519 public/private key for signing
- Passport ID - Unique identifier (ace_XXXXXXXXXXXX)
Link to Account (Optional)
Run ace passport link to connect your passport to your ACE account. This enables cloud access and syncs your subscription tier.
Note: Passports work locally without linking - great for offline development!
Get Stamped
When you connect to a service, it verifies your passport and adds a visa stamp:
Authenticate Requests
Every API request is signed with your private key:
1. Create your passport
This creates ~/.ace/passport.json and ~/.ace/.passport.key
2. View your passport
3. Link to your account (optional)
Links your passport to your ACE account for cloud access
4. Check status
Shows trust score, stamps, and server-side info
| Feature | JWT Token | API Key | Passport |
|---|---|---|---|
| Expiration | 30 days | 1 year | Never |
| Device-bound | No | No | Yes |
| Cryptographic | HMAC | Hash only | Ed25519 |
| Works offline | Until expiry | Needs server | Always |
| Trust building | No | No | Yes |
| Config sync | Multiple files | Env vars | One file |
Fingerprint Generation
The fingerprint is a SHA-256 hash of:
Request Signing
Each request is signed with Ed25519:
File Locations
Unlike traditional binary auth (yes/no), your passport builds trust over time:
0-9
10-99
100-499
500+
Trust score increases with consistent usage patterns, memories created, and API requests. Higher trust can unlock advanced features in the future.
ace passport create - Create a new passport for this device. Generates fingerprint and keypair.
ace passport show - Display current passport info with visual card format.
ace passport link - Link passport to your ACE account. Requires prior ace login.
ace passport status - Check server-side passport status, trust score, and stamps.
ace passport revoke [--force] - Permanently revoke this passport. Use --force to skip confirmation.
Do I need a passport to use ACE?
No, JWT tokens and API keys still work. Passport is an optional upgrade for a better experience.
Can I use one passport on multiple devices?
No, each device gets its own passport. You can link multiple passports to the same account.
What happens if I reinstall ACE?
Your passport files in ~/.ace are preserved. If you delete them, create a new passport.
Is my private key secure?
Yes, it's stored in ~/.ace/.passport.key with 0600 permissions (owner read/write only). The key never leaves your device.
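A check for the file mode stated in the answer above, as an added example that is not ACE's own code: it audits a key file for owner-only access on a POSIX system. The names `audit_key_file` and `demo` are hypothetical, and the demo runs against a constructed temporary directory standing in for ~/.ace.

```python
import os
import stat
import tempfile

def audit_key_file(path):
    """Return a list of findings for a private-key file; an empty list means it passes."""
    findings = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the key path
    except FileNotFoundError:
        return ["missing: " + path]
    is_link = stat.S_ISLNK(st.st_mode)
    if is_link:
        findings.append("key path is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        findings.append("key path is not a regular file")
    if st.st_uid != os.getuid():
        findings.append("key is owned by another user")
    mode = stat.S_IMODE(st.st_mode)
    # Symlink mode bits are not meaningful, so only check real files.
    if not is_link and mode & 0o077:
        findings.append("group/other permission bits set: %04o" % mode)
    # A writable parent directory lets another account replace the key file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if stat.S_IMODE(parent.st_mode) & 0o022:
        findings.append("parent directory is group/world-writable")
    return findings

def demo():
    """Constructed sample: a throwaway directory standing in for ~/.ace."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        key = os.path.join(d, ".passport.key")
        with open(key, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(key, 0o600)
        ok = audit_key_file(key)      # expected mode from the page
        os.chmod(key, 0o644)
        loose = audit_key_file(key)   # readable by group and others
        return ok, loose

if __name__ == "__main__":
    # Path taken from the page; prints findings for the real key file.
    print(audit_key_file(os.path.expanduser("~/.ace/.passport.key")))
```

Mode 0600 keeps other local accounts out; a process running as the owning user can still read the file.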