Token Replay Attack Demo (live gRPC)

Ed25519 micro-token minting, single-use nonce, replay & tamper detection via ag-token
1. Mint micro-token: call ag-token ExchangeToken to mint a signed, single-use JWT for agent b0000001.
2. Validate token (first use): call IntrospectToken, which verifies the signature, checks expiry and consumes the nonce (single-use).
3. Replay attack (second use): call IntrospectToken again with the same token; the nonce is already consumed, so the token is rejected.
4. Token expiry: micro-tokens have a 30s TTL. This step explains the expiry mechanism without waiting.
5. Tamper detection: flip a character in the token signature and call IntrospectToken; Ed25519 verification fails.

How Micro-Tokens Work

ag-token mints Ed25519-signed JWTs with: sub (agent ID), scope (allowed operations), tool_binding (locked to specific tool call), jti (unique nonce), exp (30s TTL). Each token is single-use: the nonce is consumed on first IntrospectToken call.

Three layers of protection: (1) Ed25519 signature prevents tampering, (2) JTI nonce prevents replay, (3) 30s TTL limits the window of validity.

Call sequence: ExchangeToken (mint) → IntrospectToken (verify + consume nonce) → IntrospectToken (replay rejected) → IntrospectToken (tampered rejected)