Why DTLAuth?

Traditional authentication tokens have significant problems:

❌ JWT Problems

  • alg=none vulnerabilities
  • Algorithm confusion attacks
  • No built-in schema validation
  • Base64 bloat
  • Inconsistent claim types

✅ DTLAuth Solutions

  • Single canonical format - no algorithm choice
  • BLAKE3 + Ed25519 only
  • Schema-enforced with enum validation
  • 40-60% smaller than JWT
  • Strict typing for all claims

Token Types

🎫 ID Token (dtID)

User identity, roles, permissions. Schema-validated with enum-constrained roles.

🔑 Access Token (dtAC)

API scopes, resource permissions. Enum-validated access levels.

🔄 Refresh Token (dtRT)

Secure token rotation with cryptographic binding to original session.
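As an added illustration of the rotation property the refresh-token card describes (example code written for this page, not DTLAuth project code; the page does not specify the project's own binding construction), the store below issues single-use refresh tokens keyed by a hash over the session id and the token, so a token presented under a different session id is simply unknown, and treats a second presentation of an already-rotated token as a replay that revokes the whole session. blake2b is used as a standard-library stand-in for BLAKE3, which Python does not ship.

```python
"""Refresh-token rotation with session binding and replay detection. Added example,
not DTLAuth project code; the project's actual binding construction is not given on
this page. blake2b stands in for BLAKE3, which Python's standard library lacks."""
import hashlib
import secrets


class RefreshTokenStore:
    """Single-use refresh tokens, each bound to the session it was issued for."""

    def __init__(self):
        self._records = {}   # binding hash -> {"session": id, "used": bool}
        self._active = {}    # session id -> bool (False once revoked)

    @staticmethod
    def bind(session_id, token):
        """Key a token by a hash over (session_id, token): the same token under
        another session id hashes to a different, unknown key."""
        h = hashlib.blake2b(digest_size=32)
        h.update(session_id.encode() + b"\x00" + token.encode())
        return h.hexdigest()

    def issue(self, session_id):
        """Mint a fresh random token and store only its binding hash, never the token."""
        token = secrets.token_urlsafe(32)
        self._active.setdefault(session_id, True)
        self._records[self.bind(session_id, token)] = {"session": session_id, "used": False}
        return token

    def rotate(self, session_id, presented):
        """Exchange a valid, unused token for a new one; a replayed token revokes the session."""
        if not self._active.get(session_id):
            return None                               # unknown or already revoked session
        rec = self._records.get(self.bind(session_id, presented))
        if rec is None:
            return None                               # never issued, or bound to a different session
        if rec["used"]:
            self._active[session_id] = False          # old token seen again: treat as theft, revoke
            return None
        rec["used"] = True
        return self.issue(session_id)

    def session_active(self, session_id):
        return self._active.get(session_id, False)
```

Only the binding hash is persisted, so a leaked store does not yield usable tokens; the rotation path is where the detection happens, because a legitimate client never presents a token twice.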

ID Token Example

@dtlv1.0^dtID^pDTLAuthID1^c0^s2^w1^tokenHash
@sec^blake3_abc123^wa0xABCD99EF...^sg0x123...^chETH

# User identity with enum-validated roles
USER|uid:s,name:s,email:s,role:e(admin,user,guest,super),aud:a(s)|1|S2|W1|C0
u-9001|Padam Kafle|padam@dtlaz.org|super|api.axz.si,web.axz.si

# Claims with strict typing
CLAIMS|uid:s,iss:s,iat:T,exp:T,nbf:T|1|S2|W1|C0
u-9001|auth.dtlaz.org|2025-01-03T10:00:00Z|2025-01-03T22:00:00Z|2025-01-03T10:00:00Z

Access Token Example

@dtlv1.0^dtAC^pDTLAuthAC1^c0^s2^w1^accessHash
@sec^blake3_def456^wa0xABCD99EF...^sg0x456...^chETH

# Permissions with enum-validated scopes
PERMS|uid:s,scope:e(read,write,admin,none),resource:s,exp:T|4|S2|W1|C0
u-9001|admin|api.axz.si/*|2025-01-03T22:00:00Z
u-9001|write|files.axz.si/*|2025-01-03T22:00:00Z
u-9001|read|public.axz.si/*|2099-12-31T23:59:59Z
u-9001|none|admin.axz.si/*|2025-01-03T22:00:00Z

# Rate limits
LIMITS|uid:s,endpoint:s,rpm:i,daily:i|2|S0|W0|C0
u-9001|api.axz.si/v1/*|1000|100000
u-9001|api.axz.si/v1/heavy/*|10|1000

DTLAuth vs JWT Comparison

Feature               DTLAuth         JWT             SAML
--------------------  --------------  --------------  ----------------
Token Size            ~200 bytes      ~500 bytes      ~2000 bytes
Schema Validation     ✓ Built-in      ✗ None          ~ XSD optional
Enum Constraints      ✓ Native        ✗ None          ✗ None
Algorithm Confusion   ✓ Impossible    ✗ Vulnerable    ~ Complex
Web3 Ready            ✓ Native        ✗ No            ✗ No
Blockchain Anchoring  ✓ Built-in      ✗ No            ✗ No
Human Readable        ✓ Yes           ✗ Base64        ~ XML verbose

Security Features

🔐 BLAKE3-256 Hashing

Fast, secure cryptographic hashing for token integrity verification.

✍️ Ed25519 Signatures

Modern elliptic curve signatures. No algorithm negotiation - single secure choice.

⛓️ Blockchain Anchoring

Optional anchoring to Ethereum, Polygon, or custom chains for tamper-proof audit.

👛 Wallet-Bound

Tokens can be cryptographically bound to Web3 wallet addresses.

Role & Scope Enums

DTLAuth uses enum types to enforce valid roles and scopes:

# User roles - customize per application
role:e(admin,user,guest,moderator,super,viewer)

# API scopes
scope:e(read,write,admin,delete,none)

# Token status
status:e(active,revoked,expired,pending)

# MFA status
mfa:e(verified,pending,disabled)

# Account type
account_type:e(personal,business,enterprise)
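The parser below, added here as a worked example and not code from the DTLAuth project, reads the schema/row blocks shown in the ID Token and Access Token examples above and enforces the enum, array, integer and timestamp types that this section relies on. The type codes (s, i, T, e(...), a(s)) are inferred from the page's examples; the `@` header lines and the S/W/C flags after the row count are not defined on the page and are carried through as opaque strings. The sample input is the page's own dtID example; `validate_id_token` also checks the nbf/exp window and that USER and CLAIMS agree on the uid. Signature verification is a separate step not shown here.

```python
"""Parser/validator for the DTL token blocks shown on this page. Added example, not
DTLAuth project code. Type codes are inferred from the page's examples: s string,
i integer, T ISO-8601 UTC timestamp, e(a,b) enum, a(s) string array. The S/W/C
flags after the row count are undefined on the page; kept as opaque strings."""
from datetime import datetime, timezone

def parse_ts(raw):
    """Accept only the exact 'YYYY-MM-DDTHH:MM:SSZ' form used on the page."""
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def split_fields(spec):
    """Split 'uid:s,role:e(x,y)' on top-level commas only, never inside e(...)."""
    parts, cur, depth = [], "", 0
    for ch in spec:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    if depth:
        raise ValueError("unbalanced parentheses in %r" % spec)
    return parts + [cur]

def parse_field(spec):
    """Return (name, kind, enum_members) for one 'name:type' entry; kind is the type's first letter."""
    name, _, typ = spec.partition(":")
    enum = typ[2:-1].split(",") if typ.startswith("e(") and typ.endswith(")") else []
    if not name or not (typ in ("s", "i", "T", "a(s)") or enum and all(enum)):
        raise ValueError("unknown field spec %r" % spec)
    return (name, typ[0], tuple(enum))

def coerce(field_def, raw):
    """Type-check one cell; a value that does not match its declared type is rejected."""
    name, kind, allowed = field_def
    if kind == "s" and raw:
        return raw
    if kind == "i" and raw.isdigit():
        return int(raw)
    if kind == "T":
        return parse_ts(raw)
    if kind == "e" and raw in allowed:             # the enum constraint the page describes
        return raw
    if kind == "a" and raw and all(raw.split(",")):
        return raw.split(",")
    raise ValueError("%r is not a valid %s for field %s" % (raw, kind, name))

def parse_blocks(token_text):
    """Read each schema line and its rows; '@' header and '#' comment lines are skipped."""
    blocks, cur = {}, None
    for line in token_text.splitlines():
        line = line.strip()
        if not line:
            cur = None                               # a blank line ends the current block
            continue
        if line[0] in "@#":
            continue
        cells = line.split("|")
        if cur is None:                              # first line of a block is its schema
            if len(cells) < 3 or not cells[2].isdigit():
                raise ValueError("malformed schema line %r" % line)
            cur = {"fields": [parse_field(s) for s in split_fields(cells[1])],
                   "declared": int(cells[2]), "flags": cells[3:], "rows": []}
            blocks[cells[0]] = cur
        elif len(cells) != len(cur["fields"]):
            raise ValueError("row %r does not fit its schema" % line)
        else:
            cur["rows"].append({f[0]: coerce(f, c) for f, c in zip(cur["fields"], cells)})
    for name, b in blocks.items():
        if len(b["rows"]) != b["declared"]:
            raise ValueError("%s declares %d rows but has %d" % (name, b["declared"], len(b["rows"])))
    return blocks

def validate_id_token(token_text, now):
    """(True, claims) or (False, reason). Structural and time-window checks only;
    signature verification over the token bytes is a separate step."""
    try:
        blocks = parse_blocks(token_text)
        user, claims = blocks["USER"]["rows"][0], blocks["CLAIMS"]["rows"][0]
        if user["uid"] != claims["uid"]:
            raise ValueError("uid differs between USER and CLAIMS")
        if not claims["nbf"] <= now < claims["exp"]:
            raise ValueError("token not valid at %s" % now.isoformat())
        return True, {"uid": user["uid"], "role": user["role"], "aud": user["aud"], "exp": claims["exp"]}
    except (ValueError, KeyError, IndexError) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)

# Constructed sample input: the dtID example from this page ('...' appears as printed there).
ID_TOKEN = """\
@dtlv1.0^dtID^pDTLAuthID1^c0^s2^w1^tokenHash
@sec^blake3_abc123^wa0xABCD99EF...^sg0x123...^chETH

# User identity with enum-validated roles
USER|uid:s,name:s,email:s,role:e(admin,user,guest,super),aud:a(s)|1|S2|W1|C0
u-9001|Padam Kafle|padam@dtlaz.org|super|api.axz.si,web.axz.si

# Claims with strict typing
CLAIMS|uid:s,iss:s,iat:T,exp:T,nbf:T|1|S2|W1|C0
u-9001|auth.dtlaz.org|2025-01-03T10:00:00Z|2025-01-03T22:00:00Z|2025-01-03T10:00:00Z
"""
```

Every rejection path reports which field and which declared type failed, which is what the schema-enforcement claim buys a gateway operator: a role outside the enum, a non-integer rate limit, a row count that does not match the header, or a timestamp in any format other than the one on the page never reaches the claims a caller acts on.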

DTLAuth Gateway

The reference implementation provides a drop-in replacement for traditional identity providers:

🏗️ FastAPI Reference Implementation

Production-ready DTLAuth gateway with support for token issuance, validation, refresh, and revocation. Federation-ready for enterprise deployments.

from dtlauth import DTLAuthGateway, TokenConfig

# private_key: the gateway's Ed25519 signing key, loaded from a secret store (not shown here)

# Initialize gateway
gateway = DTLAuthGateway(
    issuer="auth.myapp.com",
    signing_key=private_key,
    token_config=TokenConfig(
        id_token_ttl=3600,       # 1 hour
        access_token_ttl=900,    # 15 minutes
        refresh_token_ttl=86400  # 24 hours
    )
)

# Issue tokens
tokens = gateway.issue_tokens(
    user_id="u-9001",
    role="admin",        # Validated against enum
    scopes=["read", "write"]  # Validated against enum
)

# Validate token
claims = gateway.validate_token(tokens.access_token)