NodleCode/trust-relay
Trust Relay

Trust Relay is the wallet-signature session authority for Nodle backend services. It turns a one-time Sign-In with Ethereum (EIP-4361 / SIWE) challenge into a short-lived, asymmetrically-signed JWT bearer token that any Nodle backend can verify locally — no callback to this service on the hot path.

It is the phase-0 predecessor to the attestation-based device onboarding designed in beacon-relay. Phase 0 gives the backend a stable, revocable, attributable per-caller identity (the wallet address) so that paid surfaces — the AI agent, NFT minting — can be quota'd, rate-limited, billed, and abuse-blocked. It deliberately does not attempt device identity, proof of humanity, or Sybil resistance; those arrive with platform attestation (phase 1) and hardware-backed keys (phase 2).

Metaphor: a relay station that converts a wallet signature into a portable trust credential (bearer token). The relay runs once per session; every backend (an OAuth2 resource server) then verifies that credential independently using the relay's public keys — it never phones home.

Why a standalone service

  • One issuer, many verifiers. Centralizing token issuance (nonce store, SIWE verification, signing key, revocation, quotas, wallet heuristics) keeps that sensitive state in exactly one place. Token verification is local, stateless JWT validation that every service does in-process.
  • No coupling to the data plane. The AI and mint services must not depend on the high-throughput BLE ingest gateway (beacon-relay) being up. Trust Relay is its own small, independently scalable service; beacon-relay is simply its first consumer.
  • Standards, not lock-in. Trust Relay is an OAuth2-shaped Authorization Server with a custom SIWE grant. Tokens are standard JWTs (RFC 7519) advertised via a JWKS endpoint (RFC 7517), so polyglot backends verify them with their own ecosystem's mature libraries (jose, golang-jwt, pyjwt, jsonwebtoken).

Documentation

Start with docs/README.md. Reading order:

  1. docs/ARCHITECTURE.md — system design, topology, module boundaries, scaling, and the embeddability strategy.
  2. docs/adr/0001-siwe-wallet-session-auth.md — the decision record (pattern, framework choice, trade-offs).
  3. docs/TOKEN-SPEC.md — the bearer JWT contract: claims, algorithms, key rotation, revocation, and the verification checklist that consuming services must implement.

Status

Phase-0 seed. The repository currently contains the architecture and protocol specs plus a minimal Axum service skeleton (GET /healthz). Endpoint implementation follows the milestones in docs/ARCHITECTURE.md §Roadmap.

Build & run

cargo build
cargo run            # serves on 127.0.0.1:3001 by default
curl localhost:3001/healthz

Configuration is layered (later wins): config/default.toml -> config/{APP_ENV}.toml -> APP_-prefixed env vars (nested via __, e.g. APP_SERVER__PORT=8080). See config/default.toml.

License

MIT.

About

SIWE wallet authentication and session JWT issuer for Nodle backends