Hey folks! I've developed a system called RODiT (Rich Online Digital Tokens) that aims to revolutionize API authentication by eliminating the need for traditional user databases. I'm really excited to share it with you and would love some feedback!
The main issues I see with conventional API authentication include the need for user databases and session management, the rarity of mutual authentication (where both the client and server verify each other's identities), and the difficulties in properly authenticating webhooks. Additionally, authentication, configuration, and licensing are usually handled by separate systems.
RODiT streamlines this by combining all those functions into a single blockchain-based credential on NEAR Protocol. Here's what sets it apart:
- **Stateless Mutual Authentication**: Both client and server authenticate each other continuously without maintaining backend sessions. The token encapsulates permissions, rate limits, and configurations.
- **Local Key Generation**: Keys are created directly on the endpoints, avoiding the need for Certificate Signing Requests (CSRs), certificate authorities, or central key management. When you buy a RODiT, it's generated and sent to your NEAR blockchain address.
- **Continuous Validation**: Unlike JWT tokens that are essentially "fire and forget," RODiT tokens undergo re-validation throughout API calls to thwart token theft and replay attacks.
- **Built-in Commerce**: You can resell, swap, or white-label tokens, and subscription management is embedded within the authentication process.
I've also set up a working demo called TimeHereNow, where you can actually experience this technology in action. You can check it out here: timeherenow.com. It leverages the NEAR blockchain for accurate time sourcing, integrates the complete IANA timezone database, and features blockchain-timestamped webhook timers. Plus, there's an NPM package available for simple integration.
Right now, my concern is that I have the technology and the demo running, but I'm in search of users or partners. I'm eager to know if this approach addresses real problems in your scenarios, what use cases excite you the most, and whether you'd prefer this as open-source, proprietary, or a hybrid model.
I'm especially interested in hearing from developers focused on API authentication, webhook security, IoT device provisioning, secure networking, and those operating in regulated sectors like finance or healthcare. I'm ready to dive into technical discussions and any critiques you might have! Just to clarify, RODiT uses the blockchain purely for credential verification, not for crypto speculation.
2 Answers
Considering the use of blockchain here, you can view it as a database, but it’s more about enabling peer-to-peer authentication. It offers a decentralized solution which is handy, and integrating features like configuration and licensing directly into the authentication process is pretty unique.
Isn't mutual TLS (mTLS) already a form of mutual authentication? How do you plan on revoking tokens if they're compromised? And aren't you using the blockchain like a database in this case?
For token revocation, with RODiT, if a controlling key is compromised, the thief would need to transfer the RODiT to a new key immediately to maintain control. This gives you an immediate way to detect unauthorized access, making remediation easier.
Yeah, mTLS is a valid mutual authentication method, but it's complex to implement correctly. With RODiT, you avoid some of that hassle because you update endpoints independently, and it won't mess with the service duration. RODiT keeps connection state more distinct from API functions, offering you a clearer picture on observability.