🔐 DTLAuth: Modern Identity & Access Tokens

DTLAuth is a modern authentication and authorization layer built on DTL. Instead of JWT, SAML, or OIDC, DTLAuth uses compact, deterministic, cryptographically sealed tokens that are perfect for Web3, microservices, and critical infrastructure.

What is DTLAuth
ID Tokens (dtID)
Access Tokens (dtAC)
DTLAuth Gateway
Comparison to JWT/SAML
Security Model

What is DTLAuth?

DTLAuth is an identity and access management system where tokens are DTL files, not opaque strings. Every token contains:

User identity - UID, name, email, organization
Roles & permissions - RBAC, fine-grained scopes
Audience - Who can use this token
Expiration - Explicit timestamps
Cryptographic proof - Hash + signature over entire token
Nonce - Prevents replay attacks
Chain anchor - Optional blockchain verification

ID Tokens (dtID Domain)

An ID token identifies who the user is. Example:

@dtlv1.0^dtID^pDTLAuthID1^c2^s1^w2^hb3^sged
@sec^fh88ff22aa44dd...^wa0xABCD99EF...^sg0xf122aa33bb...^chZC01

USER|uid:s,iss:s,aud:a(s),name:s,email:s,roles:a(s),exp:i,iat:i,nonce:s|1|S1|W2|C2
u-9001|https://login.dtlaz.org|alif-portal,iris-vision|Padam Sundar Kafle|padam@example.com|admin,superintelligence|1736990000|1736986400|xyz123

What this means:

User: Padam Sundar Kafle (uid: u-9001)
Roles: admin, superintelligence
Audience: Can be used by alif-portal and iris-vision
Expires: January 15, 2025
Issued: January 15, 2025 (at different time)
Signature: Cryptographically signed by issuer wallet

Access Tokens (dtAC Domain)

An access token defines what you can do. Example:

@dtlv1.0^dtAC^pDTLAuthACC1^c2^s1^w2^hb3^sged
@sec^fh7711aa22bbff...^wa0xABCD99EF...^sg0xab11cd22dd77...^chZC01

ACCESS|uid:s,client_id:s,scopes:a(s),resources:a(s),exp:i,iat:i,nonce:s|1|S1|W2|C2
u-9001|alif-portal|triage.read,lab.write,patient.read|patient:*,org:aster|1736990400|1736986400|acc-xyz123

What this means:

User: u-9001 (same as ID token)
Scopes: Can read triage/lab, write lab, read patient data
Resources: Access all patients in Aster organization
Expires: 15 minutes (shorter than ID token)
Nonce: Unique identifier for this specific token

DTLAuth Gateway

The DTLAuth Gateway is a FastAPI microservice that:

Issues ID & Access tokens when users log in
Verifies tokens for APIs and microservices
Manages user databases (LDAP, AD, local DB)
Supports Web3 wallet login (sign message with MetaMask, etc.)
Federates with other DTLAuth gateways
Bridges to legacy OAuth2/OIDC if needed

Token Flow

User logs in: POST /auth/login with username + password
Gateway validates, creates ID + Access tokens (both DTL files)
Returns tokens as strings: { "id_token": "...", "access_token": "..." }
Client stores tokens locally (or in secure httpOnly cookie)
Client includes access_token in API request header
API calls POST /auth/verify with token
Gateway verifies hash + signature, returns identity JSON
API checks scopes/resources, allows/denies request

DTLAuth vs JWT vs SAML vs OIDC

Aspect	DTLAuth	JWT	SAML	OIDC
Token Format	DTL (deterministic)	Base64(JSON)	XML	JWT
Size	Tiny	Medium	Huge	Medium
Signature Schemes	Ed25519, secp256k1	HS256, RS256	RSA, etc.	RS256, etc.
Web3 Compatible	Native (wallets)	No	No	No
Canonical Form	Single (deterministic)	No (multiple valid)	No (XML ambiguity)	No (JSON ambiguity)
alg=none Vulnerable	No (enforced sig_alg)	Yes (if not checked)	N/A	Yes (builds on JWT)

Security Model

DTLAuth tokens have multiple layers of security:

Hash-based integrity - Any bit change invalidates token
Signature-based authenticity - Issued by trusted issuer only
Timestamp validation - iat (issued at) and exp (expires) enforced
Nonce uniqueness - Prevents token reuse attacks
Audience validation - Token only valid for specified apps
No algorithm negotiation - sig_alg is in header, cannot be changed

Read Full DTLAuth Spec → Python SDK →