Trust model
Security
A ticket that admits incorrectly is worse than a normal 429. x429 security is built around signature verification, binding, expiry, and single-use redemption.
Mandatory verification
- Verify Ed25519 signature over canonical JSON.
- Reject if
kidcannot be resolved to an issuer key. - Reject if
scopeorresourcedoes not match the request. - Reject if
bind.valuedoes not matchX429-Client-Key. - Reject if current time is before
notBefore, unless a valid paid proof permits early admission. - Reject if current time is after
notAfter. - Reject if the nonce was already spent.
Threat model
| Threat | Defense | Required test |
|---|---|---|
Client edits notBefore to redeem early. | Signature covers the canonical unsigned ticket. | Tampered ticket rejected. |
| One valid ticket is redeemed many times. | Nonce store spends each nonce atomically once. | Second redemption rejected, including concurrent attempts. |
| Ticket for endpoint A is used on endpoint B. | resource and scope are checked at redemption. | Cross-resource redemption rejected. |
| Ticket is stolen from logs or traces. | Client-key binding prevents another client from redeeming. | Wrong X429-Client-Key rejected. |
| Paid proof is replayed without a valid ticket. | Payment verifier is never sufficient by itself. | Payment-only redemption rejected. |
| Discovery key is stale during rotation. | Publish old and new public keys until old tickets expire. | Both keys accepted only during the rotation window. |
| Ticket leaks through HTTP caches. | Cache-Control: no-store on ticket responses. | 429 responses are not cached by the edge or browser. |
Key management
- Use separate issuer keys per environment.
- Publish public keys through
/.well-known/x429.json. - Rotate keys by publishing old and new keys until old tickets expire.
- Never store private keys in the repo, client bundle, or public Pages site.
Operational security
Instrument the system. Trust comes from measurable behavior, not protocol claims.
- Count tickets issued, redeemed, expired, and rejected.
- Track signature failures and replay attempts.
- Measure redemption p95 relative to promised window.
- Alert on ticket breach rate above zero in production.
- Keep raw payment proof logs access-controlled.