Skip to content

Releases: build-on-ai/buildonai-key-server

v2.0.0 — ed25519 signature-per-request

31 May 16:05
@tmaloziec tmaloziec
v2.0.0
5f98c59

Choose a tag to compare

View all tags
v2.0.0 — ed25519 signature-per-request Latest
Latest

Breaking change vs. consciousness-key-server v1.0.0

This release replaces the earlier consciousness-key-server v1.0.0. The repository has been renamed (consciousness-key-serverbuildonai-key-server) and the auth model has fundamentally changed.

Old (v1.0.0): vault-only, bearer tokens + IP allow-list.
New (v2.0.0): ed25519 signature-per-request as the trust primitive, optional vault on top.

Existing v1.0.0 deployments will not work against this server without re-registering agents and switching their clients to signed-request flow. See docs/SIGNING-PROTOCOL.md.

What this is

A small HTTP service that:

  • Verifies ed25519-signed requests via POST /api/verify — stateless, no sessions, no token issuance.
  • Optionally serves SSH keys and API tokens from an on-disk vault, gated by IP allow-list + (under AUTH_MODE=enforce) the same ed25519 signature.

Highlights

  • Three AUTH_MODE valuesoff / observe / enforce. The observe mode logs what enforce would reject without blocking traffic — a safe migration path from unsigned to signed deployments.
  • Anti-replay via Redis nonce cache (TTL 300s) + strict timestamp window (300s back, 60s forward).
  • Revocation is rm keys/agents/<AGENT>.pub — takes effect on the next request, no cache.
  • Audit log with 50 MB self-rotation; JSONL + plain-text formats.
  • Sidecar-friendly — no dependency on Consciousness Server or anything else in the BuildOnAI ecosystem. Works for any HTTP service that wants key-based request auth.

Standalone use cases

  • Inter-service auth in a small monorepo (replaces shared .env secrets).
  • Webhook authentication (sender signs payload, receiver verifies — no shared HMAC secret per source).
  • IoT device auth (per-device keypair, revocation by file removal).
  • Substitute for mTLS when you don't want to operate a certificate authority.

License

Dual-licensed: AGPL-3.0-only + commercial. See LICENSE and LICENSE-COMMERCIAL.md. Commercial licence enquiries: buildonai.tm@gmail.com.

Status

Continuously used in real-world workloads by the author since mid-2025. Public release May 2026.

Assets 2
Loading