Glossary
Key terms used in Hawcx Agentic Auth documentation

| Term | What It Means |
|---|---|
| AS (Authentication Service) | The server that handles mutual authentication between the agent and the service. Establishes secure sessions and provisions key material. |
| CIBA | Client-Initiated Backchannel Authentication. The mechanism that enables human-in-the-loop approval for high-risk agent actions. The agent requests authorization, a human is notified, and the token is only minted after approval. |
| Cedar / OPA | Policy languages used to define access rules. Cedar (by AWS) and OPA (Open Policy Agent) are both supported for writing agent access policies. |
| Forward secrecy | A property where compromising a long-term key does not reveal past session communications. Each session uses ephemeral keys that are discarded after use. |
| Hawcx AgentAuth | The protocol and platform that powers Hawcx's agentic authentication. Provides cryptographic identity, per-request authorization, and encrypted tokens for AI agents. |
| IK (Identity Key) | The agent's long-term cryptographic identity key. Generated during registration, the private key never leaves the agent's machine. |
| IPC (Inter-Process Communication) | The local communication channel between the agent and its token service. No network traffic involved. |
| Mutual authentication | Both the agent and the server prove their identity to each other, not just one side. Prevents impersonation in both directions. |
| RS (Resource Server) | The service that receives the agent's requests, verifies the token, and executes the authorized action. Your API server. |
| Signcryption | A cryptographic operation that simultaneously encrypts and signs data. More efficient than encrypting and signing separately. Tokens are both confidential and tamper-proof. |
| SSF / CAEP | Shared Signals Framework / Continuous Access Evaluation Protocol. Industry standards for real-time security event sharing. Used for emergency token revocation. |
| TBAC | Task-Based Access Control. Hawcx's per-request authorization model where each tool invocation gets its own scoped, constrained permission token. |
| TQS (Token Queue Service) | The service that pre-mints single-use tokens for the agent. Runs in a separate process, isolated from the agent's runtime. Each agent gets its own TQS instance. |
| X3DH | Extended Triple Diffie-Hellman. The key agreement protocol used to establish sessions between the agent and the AS. Provides forward secrecy and mutual authentication without transmitting any long-term secrets over the wire. |