Skip to content

Broker: revocation for signed op1 tokens #83

Description

@adamcohenhillel

Signed op1 tokens (mint_signed_token :541, validate_signed_token :551) carry a nonce that is never persisted or checked. A leaked token is valid until it expires, with no way to revoke it.

Fix options (pick one or combine)

  • Nonce blacklist: persist rejected nonces (SQLite, small on-disk set) until each nonce's expiry. Cheap; short-window mitigation.
  • Key-version prefix: include a signing-key version in the token payload; rotate the key to invalidate every outstanding token in one operation.
  • Refresh-token model: short-lived access tokens (minutes) + refresh tokens (revocable).

Ship at minimum the key-version prefix; it's the smallest durable revocation surface.

Size: M

Metadata

Metadata

Assignees

No one assigned

    Labels

    M4-runtimeM4: Provider & Runtime MaturityenhancementNew feature or requestsecuritySecurity-relevant issue

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions