Server Security
Seven independent security layers — from transport encryption to jurisdiction enforcement. No centralized identity provider. No transitive trust chains. Every boundary crossing is cryptographically verified, structurally constrained, and fully auditable.
Design Philosophy
Most agent platforms bolt security on after the fact — add an OAuth scope here, a role check there. Weblisk takes the opposite approach: security is the architecture. Every protocol decision, from identity to data routing, was made with a single principle in mind — trust nothing you can't cryptographically verify.
- Self-sovereign identity — agents own their keys, not an external provider
- Non-transitive trust — A↔B and B↔C does not imply A↔C
- Fail-closed by default — missing data contracts, unknown fields, and unverified signatures all result in rejection
- Defence in depth — seven independent layers, any one of which can stop a threat
The Seven Security Layers
Each layer operates independently. A failure or bypass at one layer does not compromise the others. This is fundamentally different from token-based systems where a single compromised credential grants full access.
1. Transport
TLS 1.3 minimum for all inter-agent communication. Certificate pinning for federated orchestrator-to-orchestrator channels. No plaintext fallback — ever.
2. Identity
Every agent generates its own Ed25519 key pair. Identity is cryptographic, not delegated to an external identity provider. Registration requires signature verification — the orchestrator validates using the public key embedded in the agent manifest.
3. Trust
Federation peering uses mutual key exchange between orchestrators. Trust is explicitly established per pair — never inherited transitively. A↔B trust and B↔C trust does not create A↔C trust. Every federation link is independently negotiated with its own key material.
4. Data Contracts
Every cross-boundary data exchange is governed by a data contract that defines required, permitted, and forbidden field sets. Forbidden fields are structurally stripped before data crosses any boundary — fail-closed. This makes data leakage structurally impossible rather than policy-dependent.
5. Behavioural Integrity
Agent manifests are fingerprinted. Capability changes are classified as benign, notable, breaking, or critical. Breaking changes automatically suspend federation until both sides re-negotiate. An agent can't silently change what it does after trust is established.
6. Jurisdiction
Data residency is checked before routing. If a message contains data that isn't permitted in the target jurisdiction, it's rejected at the protocol level — not logged and flagged, but structurally prevented. Sovereignty is a first-class protocol concern, not an application-layer afterthought.
7. Retention
Retention policies are protocol-enforced with automatic purge. When data crosses a federation boundary, the retention window is part of the contract. Expiry is mandatory, not advisory. Data doesn't linger in foreign systems because the protocol won't let it.
Self-Sovereign Identity Model
Traditional agent platforms delegate identity to a centralized identity provider (IdP). An agent authenticates with the IdP, receives a token, and presents that token to other agents. Weblisk eliminates this dependency entirely.
| Action | How It Works |
|---|---|
| Key generation | Every agent generates its own Ed25519 key pair on creation — no external ceremony |
| Registration | Agent signs its manifest with its private key; orchestrator verifies using the public key in the manifest |
| Direct messaging | Agent A signs messages with its private key; Agent B verifies using A's public key from the service directory |
| Federation | Orchestrator-to-orchestrator peering with mutual key exchange, data contracts, and dual-signed messages |
| Token format | Custom WLT tokens — not JWTs issued by an external IdP |
vs OIDC Federation
OIDC federation (as used in Google's Agent-to-Agent protocol, Microsoft Entra federated identity, and most enterprise SSO systems) relies on a centralized IdP issuing JWT tokens that agents present to each other. Trust is delegated to the IdP, and authorization is derived from scoped OAuth tokens.
Weblisk replaces this with a self-sovereign identity model using Ed25519 key pairs and custom WLT tokens. Here's how they compare:
| Concern | OIDC Federation | Weblisk Federation |
|---|---|---|
| Trust model | Transitive — if IdP A trusts IdP B, and B trusts C, federation can chain | Non-transitive by design — A↔B + B↔C ≠ A↔C. Trust must be explicit per pair |
| Single point of failure | IdP outage = no auth for anyone | Self-sovereign keys — agents verify signatures without calling any external service |
| Data boundary | OIDC scopes control access, not data shape | Data contracts enforce field-level filtering — forbidden fields are structurally stripped before crossing any boundary, fail-closed |
| Behavioural integrity | None — once authorized, an agent can change behaviour freely | Manifest fingerprinting — capability changes are classified and breaking changes suspend federation automatically |
| Data sovereignty | Application-layer concern (not in the protocol) | First-class jurisdiction enforcement — data residency is checked before routing, retention policies are protocol-enforced with automatic purge |
| Non-repudiation | Token proves identity at auth time, but doesn't sign individual messages | Every cross-boundary message is Ed25519-signed by both sides — full chain of custody is auditable |
| Defence in depth | TLS + token validation (2 layers) | 7 independent security layers: transport, identity, trust, data contracts, behavioural integrity, jurisdiction, and retention |
vs OAuth 2.0 / Scoped Tokens
OAuth 2.0 is the de facto standard for API authorization. It works well for user-to-service delegation ("let this app read my calendar"). But it was never designed for autonomous agent-to-agent communication across organizational boundaries.
| Concern | OAuth 2.0 | Weblisk |
|---|---|---|
| Designed for | User-delegated API access | Autonomous agent-to-agent communication |
| Token scope | Coarse-grained (read, write, admin) | Field-level data contracts with structural enforcement |
| Token lifetime | Time-based expiry, refresh tokens | Per-exchange WLT tokens — no long-lived bearer tokens to steal |
| Credential theft impact | Bearer token = full access until expiry | Private key compromise affects one agent; no transitive trust propagation |
| Cross-org trust | Requires shared IdP or federation agreement | Direct orchestrator peering — no shared infrastructure needed |
| Data shape control | None — authorized means full payload access | Forbidden fields stripped at the protocol level before delivery |
vs Zero Trust Architecture
Zero Trust ("never trust, always verify") is a security philosophy, not a protocol. Weblisk implements Zero Trust principles at the protocol level — and goes further.
| Zero Trust Principle | Typical Implementation | Weblisk Implementation |
|---|---|---|
| Verify explicitly | Check tokens at API gateways | Ed25519 signature verification on every message, not just at the boundary |
| Least privilege | RBAC roles and OAuth scopes | Data contracts with required/permitted/forbidden field sets — structural, not policy-based |
| Assume breach | Micro-segmentation, logging | Non-transitive trust limits blast radius; behavioural integrity detects silent changes; dual-signed audit trail |
| Continuous validation | Token refresh, session checks | Manifest fingerprinting detects runtime capability drift — breaking changes auto-suspend federation |
vs mTLS / Service Mesh
Service meshes (Istio, Linkerd, Consul Connect) use mutual TLS to verify service identity at the transport layer. This is valuable — and Weblisk requires it too. But mTLS alone answers only one question: "Is this connection from a verified service?"
| Concern | mTLS / Service Mesh | Weblisk |
|---|---|---|
| Identity verification | Certificate-based service identity | Certificate-based plus Ed25519 message-level signatures |
| What's verified | The connection source | The connection source, the message author, the data shape, the agent capabilities, the jurisdiction, and the retention window |
| Cross-org federation | Requires shared CA or trust bundle distribution | Direct mutual key exchange between orchestrators |
| Data filtering | Not in scope — payload passes through | Data contracts structurally strip forbidden fields before delivery |
| Runtime integrity | Verifies identity, not behaviour | Manifest fingerprinting detects behavioural drift |
The Key Insight
Every comparison above reveals the same pattern. Traditional security systems answer one question:
"Is this agent allowed to talk to that agent?"
Weblisk answers that plus five more:
- What data can cross this boundary? — Data contracts with field-level enforcement
- Has this agent changed since we trusted it? — Manifest fingerprinting and behavioural classification
- Is the data allowed in this jurisdiction? — Protocol-level residency checks before routing
- Will the data be purged after processing? — Mandatory retention windows with automatic expiry
- Can we cryptographically prove the entire exchange chain? — Dual Ed25519 signatures on every cross-boundary message
The data contract system in particular — required, permitted, and forbidden field sets with fail-closed enforcement — has no equivalent in OIDC, OAuth, or any mainstream service mesh. It makes data leakage structurally impossible rather than policy-dependent. That's a fundamentally harder guarantee than scoped tokens can provide.
Enterprise Standards Alignment
Weblisk's security architecture maps directly to the controls required by major enterprise compliance frameworks. The difference is that these controls are enforced at the protocol level, not bolted on as policy.
| Standard / Framework | Relevant Control | Weblisk Coverage |
|---|---|---|
| SOC 2 Type II | Access control, data integrity, availability | Ed25519 identity, data contracts, non-transitive trust, self-sovereign keys (no IdP SPOF) |
| ISO 27001 | A.9 Access control, A.10 Cryptography, A.13 Communications security | All seven layers directly map — cryptographic identity, transport encryption, data contracts, jurisdiction enforcement |
| GDPR | Data minimisation (Art. 5), storage limitation (Art. 5), cross-border transfers (Ch. V) | Data contracts enforce minimisation structurally; retention policies auto-purge; jurisdiction checks prevent illegal transfers |
| NIST 800-207 | Zero Trust Architecture | Explicit verification (Ed25519 per message), least privilege (field-level contracts), assume breach (non-transitive trust, manifest fingerprinting) |
| HIPAA | Access controls, audit controls, transmission security, integrity controls | Per-message signatures, dual-signed audit trail, TLS 1.3 transport, data contracts prevent PHI leakage structurally |
| PCI DSS v4 | Strong cryptography, access restriction, audit trail | Ed25519 key pairs, forbidden field stripping (prevent cardholder data exposure), full non-repudiation chain |
Security Best Practices
Key Management
- Rotate Ed25519 key pairs on a regular schedule — the protocol supports seamless key rotation without downtime
- Store private keys in hardware security modules (HSMs) or secure enclaves in production
- Never embed private keys in agent manifests or source code
- Use separate key pairs for different environments (development, staging, production)
Data Contracts
- Start with maximum restriction — use
forbiddenfor all fields, then explicitly permit what's needed - Review data contracts when agent capabilities change — behavioural integrity will flag breaking changes, but permitted field sets should be reviewed proactively
- Document the business justification for every
permittedfield in cross-organization contracts
Federation
- Audit federation peering agreements regularly — trust should be time-bounded, not permanent
- Monitor manifest fingerprint changes from federated partners — even benign changes deserve review
- Set retention windows to the minimum required for the business function
- Test jurisdiction enforcement with synthetic data before federating across regulatory boundaries