
Authentication

Cryptographic Node authentication — no password custodianship.

1. Identity Model

Authentication is cryptographic: a Node proves possession of its identity private key by signing a challenge issued by the gate, so the gate holds only registered public key material and never a password or shared secret. See KCEP for the Vault hierarchy, device enrollment, and recovery policy.

2. Challenge Flow

  • Challenge request — client sends its Node ID; the gate returns a fresh random nonce together with an expiry.
  • Signature — client signs nonce || intent (the nonce concatenated with the intended action) with its identity private key.
  • Verification — gate checks that the nonce is unexpired and has not been presented before, then verifies the signature against the public key material registered for that Node ID.
  • Token issue — gate returns a short-lived bearer token, either a JWT or an opaque token, for subsequent gateway calls.
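The four steps above, end to end, as an added Go example (not code from the original page or from the project): the gate side and the client's signing step, with Ed25519 as the assumed signature scheme, a 32-byte nonce, an opaque token, and an injectable clock so expiry can be exercised. The struct layout, the two TTLs, the Node IDs and the intent strings are assumptions; the page fixes none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
	"time"
)

// ticket records who a nonce or token was issued to and when it expires.
type ticket struct {
	nodeID  string
	expires time.Time
}

// Gate is the verifying side (single-goroutine example; a real gate serializes map access).
type Gate struct {
	keys     map[string]ed25519.PublicKey // Node ID -> registered public key
	nonces   map[string]ticket            // raw nonce -> issuance; removed on first use
	tokens   map[string]ticket            // opaque token -> owner and expiry
	nonceTTL time.Duration
	tokenTTL time.Duration
	now      func() time.Time // injectable clock so expiry can be exercised
}

func NewGate(keys map[string]ed25519.PublicKey, now func() time.Time) *Gate {
	return &Gate{keys: keys, nonces: map[string]ticket{}, tokens: map[string]ticket{},
		nonceTTL: 2 * time.Minute, tokenTTL: 15 * time.Minute, now: now}
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// Step 1: challenge request. The nonce is bound to the Node ID that asked for it.
func (g *Gate) Challenge(nodeID string) (nonce []byte, expires time.Time, err error) {
	if _, ok := g.keys[nodeID]; !ok {
		return nil, time.Time{}, errors.New("unknown Node ID")
	}
	nonce = random(32) // fixed length, so nonce || intent parses unambiguously
	expires = g.now().Add(g.nonceTTL)
	g.nonces[string(nonce)] = ticket{nodeID, expires}
	return nonce, expires, nil
}

// signingInput is nonce || intent, exactly as the flow describes.
func signingInput(nonce []byte, intent string) []byte {
	return append(append([]byte{}, nonce...), intent...)
}

// Step 2: the client signs with its identity private key.
func Sign(priv ed25519.PrivateKey, nonce []byte, intent string) []byte {
	return ed25519.Sign(priv, signingInput(nonce, intent))
}

// Steps 3 and 4: consume the nonce, verify, issue an opaque bearer token.
func (g *Gate) Verify(nodeID string, nonce []byte, intent string, sig []byte) (string, error) {
	t, ok := g.nonces[string(nonce)]
	if !ok {
		return "", errors.New("unknown or already-used nonce")
	}
	delete(g.nonces, string(nonce)) // single use: a replayed or retried signature fails here
	if t.nodeID != nodeID {
		return "", errors.New("nonce was issued to a different Node ID")
	}
	if g.now().After(t.expires) {
		return "", errors.New("challenge expired")
	}
	pub, ok := g.keys[nodeID]
	if !ok || !ed25519.Verify(pub, signingInput(nonce, intent), sig) {
		return "", errors.New("signature does not verify under the registered key")
	}
	tok := base64.RawURLEncoding.EncodeToString(random(32))
	g.tokens[tok] = ticket{nodeID, g.now().Add(g.tokenTTL)}
	return tok, nil
}

// Authorize checks the "Authorization: Bearer <token>" header on a gateway call
// and returns the Node ID. An expired token is rejected; run a new challenge.
func (g *Gate) Authorize(header string) (string, error) {
	if !strings.HasPrefix(header, "Bearer ") {
		return "", errors.New("missing bearer token")
	}
	t, ok := g.tokens[strings.TrimPrefix(header, "Bearer ")]
	if !ok {
		return "", errors.New("unknown token")
	}
	if g.now().After(t.expires) {
		return "", errors.New("token expired; complete a new challenge")
	}
	return t.nodeID, nil
}
```

The nonce is deleted on first presentation, before any other check runs, so a signature captured on the wire cannot be replayed and a failed attempt does not leave the nonce available for a second try; the client simply requests a new challenge. Binding the nonce to the Node ID that requested it closes the case where a nonce issued to one Node is presented under another Node's name.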

3. Device Linking

Additional devices enroll by presenting an attestation signed with the identity key; the gate verifies that signature against the registered identity key before admitting the device. Each device maintains its own key domain for KSMP fan-out; device keys are not shared between devices.
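Device linking and revocation as an added Go example (again not the project's code): an enrolled device holding the identity key signs an attestation over the new device's public key, the gate verifies that attestation against the registered identity key before recording the device key, and revoking a device emits the device-change event that peers receive. The attestation fields, the "device-link-v1" domain separator, the length-prefixed encoding, and the event shape are assumptions; the page only states that attestations are identity-signed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Attestation is what an enrolled identity signs to admit a new device. The
// field set is an assumption; the page only says attestations are identity-signed.
type Attestation struct {
	NodeID    string
	DeviceID  string
	DevicePub ed25519.PublicKey
	Sig       []byte // identity-key signature over attestationBytes(...)
}

// attestationBytes is a fixed-purpose, length-prefixed encoding, so a signature
// over one (node, device, key) triple cannot be re-read as another triple or as
// a challenge response. The domain separator is an assumed constant.
func attestationBytes(nodeID, deviceID string, devicePub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	b.WriteString("device-link-v1")
	for _, f := range [][]byte{[]byte(nodeID), []byte(deviceID), devicePub} {
		binary.Write(&b, binary.BigEndian, uint32(len(f)))
		b.Write(f)
	}
	return b.Bytes()
}

// NewAttestation runs on an already-enrolled device that holds the identity key.
func NewAttestation(identityPriv ed25519.PrivateKey, nodeID, deviceID string, devicePub ed25519.PublicKey) Attestation {
	sig := ed25519.Sign(identityPriv, attestationBytes(nodeID, deviceID, devicePub))
	return Attestation{nodeID, deviceID, devicePub, sig}
}

// DeviceEvent is what peers receive on a device change; the shape is assumed.
type DeviceEvent struct{ NodeID, DeviceID, Kind string } // Kind: "linked" or "revoked"

// Registry is the gate's view: one identity key per Node, one key domain per device.
type Registry struct {
	identities map[string]ed25519.PublicKey
	devices    map[string]map[string]ed25519.PublicKey // Node ID -> device ID -> key
	Events     []DeviceEvent
}

func NewRegistry() *Registry {
	return &Registry{identities: map[string]ed25519.PublicKey{}, devices: map[string]map[string]ed25519.PublicKey{}}
}

func (r *Registry) RegisterIdentity(nodeID string, pub ed25519.PublicKey) {
	r.identities[nodeID] = pub
}

// Link admits a device only if the attestation verifies under the Node's identity key.
func (r *Registry) Link(a Attestation) error {
	idPub, ok := r.identities[a.NodeID]
	if !ok {
		return errors.New("unknown Node ID")
	}
	if len(a.DevicePub) != ed25519.PublicKeySize {
		return errors.New("malformed device public key")
	}
	if !ed25519.Verify(idPub, attestationBytes(a.NodeID, a.DeviceID, a.DevicePub), a.Sig) {
		return errors.New("attestation is not signed by the Node's identity key")
	}
	if _, dup := r.devices[a.NodeID][a.DeviceID]; dup {
		return errors.New("device ID already linked; revoke it first")
	}
	if r.devices[a.NodeID] == nil {
		r.devices[a.NodeID] = map[string]ed25519.PublicKey{}
	}
	r.devices[a.NodeID][a.DeviceID] = a.DevicePub
	r.Events = append(r.Events, DeviceEvent{a.NodeID, a.DeviceID, "linked"})
	return nil
}

// Revoke drops a device's key and records the device-change event peers receive.
func (r *Registry) Revoke(nodeID, deviceID string) error {
	if _, ok := r.devices[nodeID][deviceID]; !ok {
		return errors.New("device not linked")
	}
	delete(r.devices[nodeID], deviceID)
	r.Events = append(r.Events, DeviceEvent{nodeID, deviceID, "revoked"})
	return nil
}

// DeviceKey is what a peer looks up before fanning out to that device.
func (r *Registry) DeviceKey(nodeID, deviceID string) (ed25519.PublicKey, bool) {
	k, ok := r.devices[nodeID][deviceID]
	return k, ok
}
```

Length-prefixing each field and leading with a purpose string keeps the signed bytes distinct from anything the identity key signs in the challenge flow, so an attestation cannot be mistaken for a challenge response or the reverse, and a device ID cannot be shifted into the key field by an attacker who controls both strings.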

4. Token Use

Attach an Authorization: Bearer <token> header to REST requests and to the WebSocket upgrade request. Tokens expire and there is no refresh token: obtaining a new token means completing a new challenge. Rate limits fall under KARP.

Security Notes

  • Never transmit Vault recovery phrases to any API.
  • Private keys remain in the platform secure enclave where one is available, and never leave the device.
  • Revoke compromised devices through client settings; peers receive device-change events.
