Session Token¶
Cryptographic anchor for every window, call, and audit record¶
The CRP Session Token binds a whole session together. It prevents replay, pins the active safety policy, and lets Gateway, Comply, Visualise, and the audit sink verify that they are all talking about the same governed session.
Self-hosted today Managed-cloud waitlist for Gateway and Comply; more endpoints on the roadmap
What It Is¶
A signed, structured token (JWS / COSE-compatible) carried in CRP-Session-Token that includes:
sidSession identifier
iatIssued-at time
expExpiry
capAllowed features
polSafety policy hash
aud- intended audience (gateway, comply, audit sink)kid- signing key identifier
Why It Exists¶
- Continuation integrity - Window N+1 cannot be forged or replayed without the session token.
- Cross-service audit binding - Gateway, Comply, and Visualise all verify the same token.
- Policy pinning - the active Safety Policy is hashed into the token, so policy substitution mid-session is detected.