Skip to content

Session Token

The CRP Session Token is the cryptographic anchor that binds every window, every call, and every audit record in a session together. Fully specified in SPEC-007.

What It Is

A signed, structured token (JWS / COSE-compatible) carried in CRP-Session-Token that includes:

  • sid — session identifier
  • iat — issued-at time
  • exp — expiry
  • aud — intended audience (gateway, comply, audit sink)
  • cap — capabilities (which protocol features the session may use)
  • pol — bound Safety Policy hash
  • kid — signing key identifier

Why It Exists

  • Continuation integrity — Window N+1 cannot be forged or replayed without the session token.
  • Cross-service audit binding — Gateway, Comply, and Visualise all verify the same token.
  • Policy pinning — the active Safety Policy is hashed into the token, so policy substitution mid-session is detected.

SPEC-007 normative text