Your identity is yours. Not Strue's. Device-specific X.509 certificate via Identity Plus. Zero secrets management. Automatic rotation. Portable to any service that trusts the standard.
API keys are shared secrets. They get committed to repos, shared in Slack, logged in proxies. As agents become autonomous and handle sensitive data, shared secrets are a liability.
mTLS certificates are different. Device-specific X.509 certificate via Identity Plus. Zero secrets management. Automatic rotation. The certificate IS the identity — device-specific, cryptographically verified on every call, impossible to share without transferring the device. Portable to any service that trusts the standard.
| Feature | Bearer token | mTLS certificate |
|---|---|---|
| Setup complexity | Copy-paste a string | Install certificate + key |
| Can be leaked | Yes — repos, logs, Slack | No — device-specific |
| Automatic rotation | Manual | Automatic via Identity Plus |
| Audit trail | Key-level only | Device-specific, per-call |
| Mutual verification | One-way | Both sides verify |
| Portable | Strue-specific | Any mTLS-compatible service |
| Best for | Development, non-sensitive | Production, regulated data |
Create a Strue account. Bearer token works immediately.
Enroll with Identity Plus. Receive a device-specific X.509 certificate.
Point at mtls.api.strue.com. Both sides verify on every call.
{
"mcpServers": {
"strue-bittensor": {
"url": "https://mtls.api.strue.com/mcp",
"auth": {
"type": "mtls",
"cert": "/path/to/agent-cert.pem",
"key": "/path/to/agent-key.pem"
}
}
}
}Certificate issued by Identity Plus, not Strue. Your identity is portable — it works on Strue today, and on any compatible service tomorrow. One identity, any service.