Trust model

Security

A ticket that admits incorrectly is worse than a normal 429. x429 security is built around signature verification, binding, expiry, and single-use redemption.

Mandatory verification

  • Verify Ed25519 signature over canonical JSON.
  • Reject if kid cannot be resolved to an issuer key.
  • Reject if scope or resource does not match the request.
  • Reject if bind.value does not match X429-Client-Key.
  • Reject if current time is before notBefore, unless a valid paid proof permits early admission.
  • Reject if current time is after notAfter.
  • Reject if the nonce was already spent.

Threat model

ThreatDefenseRequired test
Client edits notBefore to redeem early.Signature covers the canonical unsigned ticket.Tampered ticket rejected.
One valid ticket is redeemed many times.Nonce store spends each nonce atomically once.Second redemption rejected, including concurrent attempts.
Ticket for endpoint A is used on endpoint B.resource and scope are checked at redemption.Cross-resource redemption rejected.
Ticket is stolen from logs or traces.Client-key binding prevents another client from redeeming.Wrong X429-Client-Key rejected.
Paid proof is replayed without a valid ticket.Payment verifier is never sufficient by itself.Payment-only redemption rejected.
Discovery key is stale during rotation.Publish old and new public keys until old tickets expire.Both keys accepted only during the rotation window.
Ticket leaks through HTTP caches.Cache-Control: no-store on ticket responses.429 responses are not cached by the edge or browser.

Key management

  • Use separate issuer keys per environment.
  • Publish public keys through /.well-known/x429.json.
  • Rotate keys by publishing old and new keys until old tickets expire.
  • Never store private keys in the repo, client bundle, or public Pages site.

Operational security

Instrument the system. Trust comes from measurable behavior, not protocol claims.

  • Count tickets issued, redeemed, expired, and rejected.
  • Track signature failures and replay attempts.
  • Measure redemption p95 relative to promised window.
  • Alert on ticket breach rate above zero in production.
  • Keep raw payment proof logs access-controlled.

Read next