Security
Zero-trust architecture and threat model for agentic authentication
Agents operate autonomously, at scale, making hundreds of decisions per minute. A compromised agent with broad permissions can do enormous damage before anyone notices.
Hawcx Agentic Auth is built around one principle: minimize blast radius at every layer.
Zero-Trust by Default
Every agent interaction is verified independently. There's no implicit trust based on:
- Network location (being "inside the VPC" doesn't matter)
- Previous authentication (a valid session 5 minutes ago doesn't grant access now)
- Association with other agents (Agent A being trusted doesn't mean Agent B is)
Security Properties
| Property | How It Works |
|---|---|
| No secrets at rest | Only public keys are stored on the server; private keys stay on the agent's machine. There are no passwords, API secrets, or shared credentials on the server to steal. |
| Encrypted and signed tokens | Tokens are encrypted and authenticated in a single operation (authenticated encryption). An interceptor cannot read the contents, and any modification is detected on verification. |
| Mutual authentication | Each session uses a mutual cryptographic handshake. Both sides prove identity. Forward secrecy means compromising a long-term key doesn't reveal past sessions. |
| Single-use tokens | Every token is consumed on first presentation; a second presentation is rejected. A token captured after use cannot be replayed. |
| Offline verification | Services verify tokens using pre-loaded key material without contacting a central server. Sub-400 microsecond latency. No single point of failure. |
| Post-quantum ready | Supports NIST-approved post-quantum algorithms for forward-looking security. |
| Full audit trail | Every authentication, token use, and action is logged with agent identity, scope, and timestamp. |
Threat Model
| Threat | How Hawcx Handles It |
|---|---|
| Stolen token | Single-use (consumed on first presentation), 60-second TTL, encrypted (unreadable if intercepted). Replay is not possible; a token captured before its first presentation is usable once within the TTL, and only for its bound scope. |
| Agent impersonation | Mutual cryptographic authentication. No secrets are ever transmitted. Identity is proved through key possession. |
| Scope escalation | Permissions are set by the policy engine, not the agent. Permissions are cryptographically bound to the token. Modifying them invalidates the token. |
| Man-in-the-middle | Tokens are encrypted at the application layer in addition to TLS on the transport. Ephemeral session keys give forward secrecy. The token payload is unreadable to an interceptor. |
| Prompt injection | Per-request scoped tokens limit what a hijacked agent can do to a single, narrowly scoped tool invocation. Human-in-the-loop blocks destructive actions. The agent cannot influence its own permissions. |
| Key compromise | Per-agent keys with process isolation. Forward secrecy means past sessions remain confidential. Compromising one agent doesn't affect others. |
| Token replay | Each token can only be consumed once (atomic check-and-consume). Second presentation is rejected immediately. |
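The single-use, scope-bound and TTL-limited behaviour in the table above, as an added example that is not Hawcx code. HMAC-SHA256 stands in for the product's signature/authenticated-encryption scheme (so this verifier holds a shared key rather than a public key, and the payload is readable); the token layout, the `jti`/`sub`/`scope`/`exp` field names, `mint_token`, `TokenVerifier.present` and `tamper_scope` are assumptions for the illustration. It shows why a rewritten scope, a replayed token and an expired token are each rejected, and why authenticity is checked before the single-use table is consulted.

```python
"""Single-use, scope-bound tokens: mint, verify offline, consume atomically.

Added illustration, not Hawcx code. HMAC-SHA256 stands in for the product's
signature/authenticated-encryption scheme, so this verifier holds a shared
key rather than a public key and the payload is readable; the scope binding,
the 60-second TTL and the atomic check-and-consume are what is demonstrated.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import threading

TOKEN_TTL_SECONDS = 60  # TTL stated in the threat-model table


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, agent_id: str, scope: dict, now: float) -> str:
    """Token service: identity, scope and expiry are covered by one MAC, so
    changing any of them invalidates the token. The scope comes from the
    policy engine; the agent never supplies it."""
    payload = {
        "jti": secrets.token_hex(16),  # unique id tracked for single use
        "sub": agent_id,
        "scope": scope,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def tamper_scope(token: str, new_scope: dict) -> str:
    """What a compromised agent might try: rewrite the scope, keep the tag."""
    body_b64, tag_b64 = token.split(".")
    payload = json.loads(_unb64(body_b64))
    payload["scope"] = new_scope
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(body)}.{tag_b64}"


class TokenVerifier:
    """Relying service: verifies with local key material only (no callback
    to the token service) and consumes each token at most once."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._consumed: dict[str, float] = {}  # jti -> exp, pruned as tokens expire
        self._lock = threading.Lock()

    def present(self, token: str, now: float) -> tuple[bool, str | dict]:
        """Returns (True, payload) on the first valid presentation, otherwise
        (False, reason). Authenticity is checked before the single-use table
        is touched, so a forged token cannot burn a legitimate token's jti."""
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature (tampered or forged)"
        payload = json.loads(body)
        if now >= payload["exp"]:
            return False, "expired"
        with self._lock:  # atomic check-and-consume
            self._consumed = {j: e for j, e in self._consumed.items() if e > now}
            if payload["jti"] in self._consumed:
                return False, "replay (already consumed)"
            self._consumed[payload["jti"]] = payload["exp"]
        return True, payload


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    verifier = TokenVerifier(key)
    t0 = 1_700_000_000.0
    token = mint_token(key, "agent-42", {"tool": "crm.read", "account": "ACME"}, t0)
    print(verifier.present(token, t0 + 1))  # accepted
    print(verifier.present(token, t0 + 2))  # replay rejected
    escalated = tamper_scope(token, {"tool": "crm.delete", "account": "*"})
    print(verifier.present(escalated, t0 + 3))  # bad signature
    print(verifier.present(mint_token(key, "agent-42", {"tool": "crm.read"}, t0), t0 + 61))  # expired
```

Run directly, the four presentations print accepted, replay, bad signature and expired. In a real deployment the consumed-id table has to be shared (or the token space partitioned) across every replica of the verifying service; otherwise the same token can be consumed once per replica, which is the part of "atomic check-and-consume" a single-process demo cannot show.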
Process Isolation
Authentication and signing keys never reside in the agent's memory:
| Key | Who holds it | Where |
|---|---|---|
| Agent identity key (private) | Authenticator only | Separate auth process |
| Session keys | Token service only | Separate token process |
| Policy signing key | Token service only | Separate token process |
| Response key (per-token) | Agent | Agent process (ephemeral, for encrypting responses) |
The agent only holds a per-token ephemeral response key that cannot be used to authenticate or mint new tokens.
Human-in-the-Loop
Not every action should be fully autonomous. Hawcx supports human approval gates for high-risk operations.
When your access policy requires human approval for an action (e.g., destructive operations like delete, execute, or transfer above a threshold):
- The token service evaluates the policy and determines human approval is required
- A backchannel request is sent to the responsible human (push notification, dashboard alert, etc.)
- The token is not minted until the human approves
- The agent cannot observe, interact with, or bypass this gate
- On approval, the scoped token is minted and made available to the agent
The agent's process is completely separated from the approval flow. There is no prompt the agent can craft to circumvent human approval.
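The five steps above as one runnable flow, added here as an example that is not Hawcx code. The policy rules (destructive verbs always gated, transfers gated above a fixed amount), the `TokenService`/`request`/`poll`/`decide` names, the in-memory pending table and the placeholder `_mint()` are assumptions. What it demonstrates is the separation the page describes: the agent reaches only `request()` and `poll()`, the approver acts through `decide()` on a channel the agent has no handle to, and the scope is fixed from the request the human saw, so nothing the agent adds to its request (such as a `skip_approval` flag) changes the outcome.

```python
"""Human approval gate in front of token minting.

Added example, not Hawcx code. The policy rules, the in-memory approval
table and the placeholder _mint() are assumptions; the separation between
the agent-facing and approver-facing calls is the point being shown.
"""
from __future__ import annotations

import enum
import secrets
import threading
from dataclasses import dataclass
from typing import Optional


class Decision(enum.Enum):
    ALLOW = "allow"
    REQUIRE_APPROVAL = "require_approval"
    DENY = "deny"


KNOWN_ACTIONS = {"read", "write", "delete", "execute", "transfer"}
DESTRUCTIVE_ACTIONS = {"delete", "execute"}  # assumed: always need a human
TRANSFER_APPROVAL_THRESHOLD = 1000          # assumed: transfers above this need a human


def evaluate_policy(action: str, params: dict) -> Decision:
    """Policy engine stand-in. Only the action and its parameters are consulted,
    so extra keys the agent adds (e.g. 'skip_approval') have no effect."""
    if action not in KNOWN_ACTIONS:
        return Decision.DENY
    if action in DESTRUCTIVE_ACTIONS:
        return Decision.REQUIRE_APPROVAL
    if action == "transfer" and params.get("amount", 0) > TRANSFER_APPROVAL_THRESHOLD:
        return Decision.REQUIRE_APPROVAL
    return Decision.ALLOW


@dataclass
class PendingApproval:
    agent_id: str
    action: str
    params: dict
    verdict: Optional[bool] = None  # None until the human answers


class TokenService:
    """Token-service process. Owns the pending table and the minting step;
    the agent process only ever calls request() and poll()."""

    def __init__(self) -> None:
        self._pending: dict[str, PendingApproval] = {}
        self._ready: dict[str, str] = {}   # request_id -> minted token awaiting pickup
        self.human_outbox: list[str] = []  # stand-in for push notification / dashboard
        self._lock = threading.Lock()

    # --- agent-facing -----------------------------------------------------
    def request(self, agent_id: str, action: str, params: dict) -> dict:
        decision = evaluate_policy(action, params)
        if decision is Decision.DENY:
            return {"status": "denied"}
        if decision is Decision.ALLOW:
            return {"status": "granted", "token": self._mint(agent_id, action, params)}
        request_id = secrets.token_urlsafe(16)
        with self._lock:
            self._pending[request_id] = PendingApproval(agent_id, action, params)
        # The notification goes out on the backchannel, not back to the agent.
        self.human_outbox.append(f"{request_id}: {agent_id} requests {action} {params}")
        return {"status": "pending", "request_id": request_id}  # opaque handle, no token

    def poll(self, request_id: str) -> dict:
        """All the agent can learn about the gate: its current status."""
        with self._lock:
            entry = self._pending.get(request_id)
            if entry is None:
                return {"status": "unknown"}
            if entry.verdict is None:
                return {"status": "pending"}
            if entry.verdict is False:
                return {"status": "denied"}
            del self._pending[request_id]  # the token is handed over exactly once
            return {"status": "granted", "token": self._ready.pop(request_id)}

    # --- approver-facing (separate channel; the agent has no handle to it) --
    def decide(self, request_id: str, approve: bool) -> None:
        with self._lock:
            entry = self._pending[request_id]
            entry.verdict = approve
            if approve:
                # Scope is the request the human saw; the agent cannot widen it afterwards.
                self._ready[request_id] = self._mint(entry.agent_id, entry.action, entry.params)

    def _mint(self, agent_id: str, action: str, params: dict) -> str:
        """Placeholder for scoped-token minting; returns an opaque string."""
        return f"tok.{agent_id}.{action}.{secrets.token_hex(8)}"


if __name__ == "__main__":
    svc = TokenService()
    reply = svc.request("agent-7", "transfer", {"amount": 5000, "skip_approval": True})
    print(reply)                                   # pending, no token
    print(svc.poll(reply["request_id"]))           # still pending
    print("backchannel ->", svc.human_outbox[-1])  # what the human sees
    svc.decide(reply["request_id"], approve=True)  # approver's channel
    print(svc.poll(reply["request_id"]))           # granted, token delivered once
```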
Anomaly Detection
Three detection layers identify compromised or misbehaving agents before damage occurs:
- Rule-based: threshold alerts when an agent exceeds a fixed limit (e.g., 100+ auth attempts per minute)
- Statistical: outlier detection against each agent's baseline activity patterns
- ML-based: pattern recognition across your entire agent fleet to spot coordinated anomalies
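The first two detection layers run over a constructed log, as an added example that is not Hawcx code. The log format `<unix_ts> <agent_id> <event>`, the sample schedule, the one-minute windows, the 10-window baseline, the z-score cutoff of 3 and the standard-deviation floor are assumptions; the 100-per-minute rule threshold is the figure from the list above. The fleet-wide ML layer is not shown.

```python
"""Rule-based and statistical anomaly detection over agent auth events.

Added example, not Hawcx code. The log format, sample data, window size,
baseline length, z cutoff and stdev floor are constructed/assumed.
Layer 1: a fixed limit of 100+ auth attempts in one minute (from the page).
Layer 2: each agent's later windows scored against that agent's own baseline.
"""
from __future__ import annotations

import statistics
from collections import defaultdict

RULE_THRESHOLD = 100    # from the page: 100+ auth attempts per minute
Z_THRESHOLD = 3.0       # assumed: flag windows more than 3 sigma above baseline
BASELINE_WINDOWS = 10   # assumed: the first 10 minutes form each agent's baseline
STDEV_FLOOR = 1.0       # assumed: keeps a perfectly flat baseline from dividing by zero
T0 = 1_700_000_040      # constructed start time, aligned to a minute boundary


def build_sample_log() -> list[str]:
    """Constructed fleet log: 11 minutes, three agents.
    agent-a: quiet baseline, then a burst of 40 (under the rule, outlier for stats).
    agent-b: steady, never alerts.
    agent-c: quiet baseline, then 120 attempts (trips both layers)."""
    schedule = {
        "agent-a": [4, 5, 6, 5, 4, 6, 5, 5, 4, 6, 40],
        "agent-b": [3] * 11,
        "agent-c": [2] * 10 + [120],
    }
    lines = []
    for minute in range(11):
        base = T0 + minute * 60
        for agent, counts in schedule.items():
            for i in range(counts[minute]):
                lines.append(f"{base + i % 60} {agent} auth_attempt")
            lines.append(f"{base + 30} {agent} token_consume")  # ignored by the counters
    return lines


def count_auth_attempts(lines: list[str]) -> dict[str, dict[int, int]]:
    """agent -> {minute_index -> number of auth attempts in that minute}."""
    counts: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, agent, event = line.split()
        if event == "auth_attempt":
            counts[agent][int(ts) // 60] += 1
    return counts


def rule_based_alerts(counts: dict[str, dict[int, int]]) -> list[tuple[str, int, int]]:
    """Layer 1: (agent, window_start_ts, attempts) for every window at or above the limit."""
    return [
        (agent, minute * 60, n)
        for agent, per_min in counts.items()
        for minute, n in per_min.items()
        if n >= RULE_THRESHOLD
    ]


def statistical_alerts(counts: dict[str, dict[int, int]]) -> list[tuple[str, int, int, float]]:
    """Layer 2: (agent, window_start_ts, attempts, z) for post-baseline windows whose
    z-score against that agent's own baseline exceeds Z_THRESHOLD. Minutes with no
    events count as zero, so a silent baseline is still a baseline."""
    start = min(min(per_min) for per_min in counts.values())
    alerts = []
    for agent, per_min in counts.items():
        baseline = [per_min.get(start + k, 0) for k in range(BASELINE_WINDOWS)]
        mean = statistics.fmean(baseline)
        sd = max(statistics.pstdev(baseline), STDEV_FLOOR)
        for minute in sorted(m for m in per_min if m >= start + BASELINE_WINDOWS):
            z = (per_min[minute] - mean) / sd
            if z > Z_THRESHOLD:
                alerts.append((agent, minute * 60, per_min[minute], round(z, 2)))
    return alerts


if __name__ == "__main__":
    counts = count_auth_attempts(build_sample_log())
    for agent, ts, n in rule_based_alerts(counts):
        print(f"RULE  {agent} @{ts}: {n} auth attempts in one minute")
    for agent, ts, n, z in statistical_alerts(counts):
        print(f"STATS {agent} @{ts}: {n} attempts, z={z} against own baseline")
```

agent-a's burst of 40 stays under the fixed rule but sits 35 standard deviations above its own baseline, which is the case the statistical layer exists for; agent-c trips both. In production the per-agent baseline would be a rolling window rather than the first ten minutes of the log.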