
Signed action tokens: HMAC proof before executors run side effects

Approving in Sanctum is not enough — executors must verify a short-lived HMAC token scoped to actor, action, and audit ID before any real-world effect.

May 10, 2026 · 7 min read

Approval in a dashboard is not proof an executor saw it. Signed action tokens are short-lived HMAC-SHA256 credentials binding actor, action, org, and audit ID — executors must verify before running side effects.

Why tokens matter

  • Prevents “replay” of stale approvals
  • Stops bypass paths that skip the runtime
  • Gives microservices a cryptographic check, not an honor system

Flow

  1. Agent calls verifyAction → APPROVED
  2. Runtime returns action_token (5 min TTL)
  3. Executor verifies token → executes → reports result
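
The executor-side check from step 3, as an added example that is not Sanctum's SDK or wire format. The `payload.signature` token layout, the claim names, and the helpers `issueToken` and `verifyToken` are assumptions for illustration.

```javascript
// Added example: token layout and claim names are assumptions, not Sanctum's format.
const crypto = require("node:crypto");

const b64u = (buf) => Buffer.from(buf).toString("base64url");
const mac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();

// Runtime side: issue a token after approval (5 minute TTL, as in the flow above).
function issueToken(key, claims, nowMs = Date.now(), ttlMs = 5 * 60 * 1000) {
  const body = b64u(JSON.stringify({ ...claims, exp: nowMs + ttlMs }));
  return `${body}.${b64u(mac(key, body))}`;
}

// Executor side: `expected` describes the side effect the executor is about to run.
function verifyToken(key, token, expected, nowMs = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const [body, sig] = parts;
  const given = Buffer.from(sig, "base64url");
  const want = mac(key, body);
  // Check the MAC first, in constant time, before parsing any claim.
  if (given.length !== want.length || !crypto.timingSafeEqual(given, want))
    return { ok: false, reason: "bad_signature" };
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (typeof claims.exp !== "number" || nowMs >= claims.exp)
    return { ok: false, reason: "expired" };
  // The token must be bound to exactly this actor, action, org and audit ID.
  for (const f of ["actor", "action", "org", "audit_id"])
    if (claims[f] !== expected[f]) return { ok: false, reason: `mismatch:${f}` };
  return { ok: true, reason: "verified" };
}

// Constructed sample values.
const KEY = Buffer.from("constructed-demo-key-not-a-real-secret");
const REQ = { actor: "agent-7", action: "refund.create", org: "org-1", audit_id: "aud-123" };
const T0 = 1_700_000_000_000;

function demo() {
  const token = issueToken(KEY, REQ, T0);
  const sig = token.split(".")[1];
  // Payload rewritten to a different action, original signature reused.
  const forged = b64u(JSON.stringify({ ...REQ, action: "refund.delete", exp: T0 + 300000 }));
  return {
    fresh: verifyToken(KEY, token, REQ, T0 + 1000).reason,
    stale: verifyToken(KEY, token, REQ, T0 + 5 * 60 * 1000).reason,
    otherAction: verifyToken(KEY, token, { ...REQ, action: "refund.delete" }, T0 + 1000).reason,
    tampered: verifyToken(KEY, `${forged}.${sig}`, REQ, T0 + 1000).reason,
  };
}
console.log(demo());
```

The executor runs the side effect only when `ok` is true; every other outcome is a refusal that can be reported against the audit ID.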
