Security Model

Authentication

Truss authenticates two kinds of callers. Dashboard users sign in with email and password and hold a server-side session with standard session management. Programmatic clients present an API key prefixed with tr_; the service stores only the SHA-256 hash of each key, so the plaintext key is never at rest and a copy of the key table does not yield usable credentials. Every API key is scoped to a single organization and can be revoked independently of the others.

Role-Based Access Control

A five-tier RBAC hierarchy governs access; a higher tier includes every permission of the tiers below it:

  • Owner (4) — Full administrative control, billing, and org destruction.
  • Admin (3) — User management, mandate creation, and settings.
  • Compliance Officer (2) — Evidence review, audit log access, and alert configuration.
  • Developer (1) — Agent registration, mandate execution, and action recording.
  • Read-only (0) — View-only access to mandates, actions, and evidence.

API keys act with the Developer role by default, so a key can register agents, execute mandates and record actions, but cannot manage users, change settings or create mandates.
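The following Go program is an added example illustrating the authentication and RBAC rules above; it is not Truss's own code. It assumes an in-memory key table indexed by hash, a Developer default for new keys, and illustrative action names ("mandate.view", "action.record", "mandate.create", ...) that are not Truss's real endpoints. Note that an unknown action fails closed rather than defaulting to the Read-only tier.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Role levels follow the five-tier hierarchy above; a higher level implies
// every lower one, so authorization is a simple >= comparison.
type Role int

const (
	ReadOnly          Role = 0
	Developer         Role = 1
	ComplianceOfficer Role = 2
	Admin             Role = 3
	Owner             Role = 4
)

// KeyRecord is the only thing stored for an API key: its SHA-256 hash, the
// one organization it is scoped to, its role, and a revocation flag.
type KeyRecord struct {
	Hash    string // hex(SHA-256(plaintext key)); the plaintext is never stored
	OrgID   string
	Role    Role
	Revoked bool
}

// KeyStore is an in-memory stand-in for a table indexed by hash (assumption).
type KeyStore map[string]*KeyRecord

func hashKey(k string) string {
	sum := sha256.Sum256([]byte(k))
	return hex.EncodeToString(sum[:])
}

// NewAPIKey mints a tr_-prefixed key from 32 random bytes, stores only its
// hash with the Developer role, and returns the plaintext exactly once.
func (s KeyStore) NewAPIKey(orgID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	key := "tr_" + hex.EncodeToString(raw)
	h := hashKey(key)
	s[h] = &KeyRecord{Hash: h, OrgID: orgID, Role: Developer}
	return key, nil
}

var ErrUnauthorized = errors.New("unauthorized")

// Authenticate hashes the presented key and looks the hash up. Because the
// lookup key is the digest of the secret, nothing about the plaintext is
// recoverable from the stored table, and a revoked key fails closed.
func (s KeyStore) Authenticate(presented string) (*KeyRecord, error) {
	if !strings.HasPrefix(presented, "tr_") {
		return nil, ErrUnauthorized
	}
	rec, ok := s[hashKey(presented)]
	if !ok || rec.Revoked {
		return nil, ErrUnauthorized
	}
	return rec, nil
}

// RequiredRole maps illustrative action names (assumed, not Truss's real
// endpoints) to the minimum tier that may perform them.
var RequiredRole = map[string]Role{
	"mandate.view":    ReadOnly,
	"action.record":   Developer,
	"alert.configure": ComplianceOfficer,
	"mandate.create":  Admin,
	"org.destroy":     Owner,
}

// Authorize enforces both scoping rules: the key must belong to the target
// organization and its role must reach the tier the action requires. An
// action with no entry is refused rather than silently treated as Read-only.
func Authorize(rec *KeyRecord, orgID, action string) error {
	required, known := RequiredRole[action]
	if !known {
		return ErrUnauthorized
	}
	if rec.OrgID != orgID || rec.Role < required {
		return ErrUnauthorized
	}
	return nil
}

func main() {
	store := KeyStore{}
	key, err := store.NewAPIKey("org_acme") // org_acme is a constructed ID
	if err != nil {
		panic(err)
	}
	rec, _ := store.Authenticate(key)
	fmt.Println("record ", Authorize(rec, "org_acme", "action.record"))  // <nil>
	fmt.Println("create ", Authorize(rec, "org_acme", "mandate.create")) // unauthorized
	fmt.Println("x-org  ", Authorize(rec, "org_other", "mandate.view"))  // unauthorized
	rec.Revoked = true
	_, err = store.Authenticate(key)
	fmt.Println("revoked", err) // unauthorized
}
```

Revocation here is a flag on the hashed record, which is why a revoked key is refused at authentication time without the plaintext ever being needed again.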

Cryptography

All signing uses Ed25519, via libsodium-wrappers in the TypeScript SDK and PyNaCl in the Python SDK. Mandates, evidence packages, and delegations each carry an Ed25519 signature. The API stores only public keys; private keys never leave the client, and all signing happens client-side.

Evidence Signing

An evidence package is signed over the SHA-256 hash of its contents: the signer hashes the package and Ed25519-signs the digest, so any change to the contents invalidates the signature. Cross-organizational evidence sharing uses dual-signing: both parties sign the same evidence bundle, and the bundle is accepted only when both signatures verify. A mandate's authenticity is verified by checking its signature against the issuing organization's public key held by the API.
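The following Go program is an added example, not Truss's SDK code, covering both the Cryptography and Evidence Signing sections above: client-side Ed25519 signing over a SHA-256 digest, an API-side registry that holds public keys only, and dual-signing of one bundle by two organizations. It uses Go's standard crypto/ed25519 in place of libsodium-wrappers or PyNaCl, and the Evidence field names and organization IDs are assumed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Org holds an organization's Ed25519 key pair on the client side. Only Pub
// is ever registered with the API; priv never leaves the client.
type Org struct {
	ID   string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewOrg(id string) (*Org, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Org{ID: id, priv: priv, Pub: pub}, nil
}

// Evidence is the payload both parties sign. Field names are assumed for
// this example, not Truss's actual schema.
type Evidence struct {
	MandateID string   `json:"mandate_id"`
	Actions   []string `json:"actions"`
	Outcome   string   `json:"outcome"`
}

// Digest canonicalizes the package and hashes it with SHA-256. encoding/json
// emits struct fields in declaration order, so the bytes are stable across
// signer and verifier; a real system would pin a canonical encoding explicitly.
func Digest(e Evidence) ([32]byte, error) {
	b, err := json.Marshal(e)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(b), nil
}

// Signature records which organization signed and the Ed25519 signature
// over the package digest.
type Signature struct {
	OrgID string
	Sig   []byte
}

// Sign is the client-side step: hash, then sign the 32-byte digest.
func (o *Org) Sign(e Evidence) (Signature, error) {
	d, err := Digest(e)
	if err != nil {
		return Signature{}, err
	}
	return Signature{OrgID: o.ID, Sig: ed25519.Sign(o.priv, d[:])}, nil
}

// Verify is the API-side step: recompute the digest and check the signature
// against the public key registered for the claimed organization. An
// unregistered organization fails closed.
func Verify(registry map[string]ed25519.PublicKey, e Evidence, s Signature) bool {
	pub, ok := registry[s.OrgID]
	if !ok {
		return false
	}
	d, err := Digest(e)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, d[:], s.Sig)
}

// VerifyDual enforces cross-organizational sharing: the identical bundle must
// carry a valid signature from each of the two named parties.
func VerifyDual(registry map[string]ed25519.PublicKey, e Evidence, sigs []Signature, a, b string) error {
	valid := map[string]bool{}
	for _, s := range sigs {
		if Verify(registry, e, s) {
			valid[s.OrgID] = true
		}
	}
	if !valid[a] || !valid[b] {
		return errors.New("bundle is not validly signed by both parties")
	}
	return nil
}

func main() {
	issuer, err := NewOrg("org_issuer") // constructed organization IDs
	if err != nil {
		panic(err)
	}
	partner, err := NewOrg("org_partner")
	if err != nil {
		panic(err)
	}
	// What the API holds: public keys only.
	registry := map[string]ed25519.PublicKey{issuer.ID: issuer.Pub, partner.ID: partner.Pub}

	ev := Evidence{MandateID: "mandate-42", Actions: []string{"db.read"}, Outcome: "completed"}
	s1, _ := issuer.Sign(ev)
	s2, _ := partner.Sign(ev)
	fmt.Println("dual:", VerifyDual(registry, ev, []Signature{s1, s2}, issuer.ID, partner.ID)) // <nil>

	tampered := ev
	tampered.Outcome = "failed"
	fmt.Println("tampered verifies:", Verify(registry, tampered, s1)) // false
}
```

Signing the SHA-256 digest rather than the raw package keeps the signed message fixed-size; the important property for a verifier is that it recomputes the digest from the bytes it actually received, never trusting a digest supplied alongside the bundle.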

Delegation Security

Each delegation carries a unique nonce, and the service rejects any delegation whose nonce has already been accepted, so a captured delegation cannot be replayed. Each delegation hop expires 24 hours after it is issued and must narrow the scope of the parent mandate, so least privilege holds along the whole delegation chain: a delegate can never hold more than its delegator.
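The following Go program is an added example of validating a delegation chain under those three rules (unseen nonce, 24-hour window, non-widening scope); it is not Truss's code. It assumes a Delegation record with Nonce, Scope and IssuedAt fields, an in-memory nonce store, and a caller-supplied clock. "Narrowing" is implemented as subset-or-equal; whether an identical scope should count is left as a policy choice. Signature checking is omitted here, since the Evidence Signing example already covers it.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// HopTTL is the 24-hour lifetime of each delegation hop.
const HopTTL = 24 * time.Hour

// Delegation is one hop in a chain. Field names are assumed for this
// example, not Truss's wire format.
type Delegation struct {
	Nonce    string
	Scope    []string // permissions the delegate receives
	IssuedAt time.Time
}

func (d Delegation) ExpiresAt() time.Time { return d.IssuedAt.Add(HopTTL) }

// NonceStore remembers every nonce already accepted. A production store must
// be durable and shared across API instances; otherwise a replay aimed at a
// different instance succeeds.
type NonceStore map[string]bool

var (
	ErrReplay  = errors.New("nonce already used")
	ErrExpired = errors.New("hop outside its 24h window")
	ErrWidened = errors.New("hop widens the scope above it")
)

// isSubset reports whether every permission in child also appears in parent.
func isSubset(child, parent []string) bool {
	allowed := make(map[string]bool, len(parent))
	for _, p := range parent {
		allowed[p] = true
	}
	for _, c := range child {
		if !allowed[c] {
			return false
		}
	}
	return true
}

// AcceptChain validates the hops beneath a mandate with rootScope at time now
// and returns the scope the final delegate actually holds. Each hop must carry
// an unseen nonce (also unseen earlier in the same chain), fall inside its
// window, and be a subset of the scope above it. Nonces are consumed only when
// the whole chain is valid, so a rejected chain cannot burn a nonce.
func AcceptChain(ns NonceStore, rootScope []string, chain []Delegation, now time.Time) ([]string, error) {
	effective := rootScope
	pending := map[string]bool{}
	for i, hop := range chain {
		if ns[hop.Nonce] || pending[hop.Nonce] {
			return nil, fmt.Errorf("hop %d: %w", i, ErrReplay)
		}
		if now.Before(hop.IssuedAt) || !now.Before(hop.ExpiresAt()) {
			return nil, fmt.Errorf("hop %d: %w", i, ErrExpired)
		}
		if !isSubset(hop.Scope, effective) {
			return nil, fmt.Errorf("hop %d: %w", i, ErrWidened)
		}
		pending[hop.Nonce] = true
		effective = hop.Scope
	}
	for n := range pending {
		ns[n] = true
	}
	return effective, nil
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	root := []string{"read", "write", "delete"}
	ns := NonceStore{}
	chain := []Delegation{
		{Nonce: "n1", Scope: []string{"read", "write"}, IssuedAt: now.Add(-time.Hour)},
		{Nonce: "n2", Scope: []string{"read"}, IssuedAt: now.Add(-30 * time.Minute)},
	}
	scope, err := AcceptChain(ns, root, chain, now)
	fmt.Println(scope, err) // [read] <nil>
	_, err = AcceptChain(ns, root, chain, now)
	fmt.Println(errors.Is(err, ErrReplay)) // true
}
```

Because each hop expires 24 hours after issue, the nonce store only has to retain a nonce until its hop's window closes; after that the expiry check rejects the hop anyway and the entry can be pruned.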