Replacing static API keys with 5-minute, self-destructing Ed25519 tokens sounds greatโuntil your Redis node dies, NTP drifts, or you realize you have to rewrite 50 legacy microservices to verify them.
Last time, we introduced OathMesh. Since then, weโve been hardening it for distributed systems. Here is how we solved the hard problems: clock drift, cache failures, and zero-code adoption.
โก The Proof: <1ms Overhead
First, the metric that matters. In our Kubernetes k6 benchmarks, the full 14-step verification pipeline (Ed25519 sig check, JWKS resolution, replay defense, policy eval) adds <1ms latency at p99.
[Raw Request] p50: 2.1ms | p95: 4.5ms | p99: 8.2ms
[+ OathMesh Verify] p50: 2.8ms | p95: 5.1ms | p99: 9.0ms
Delta: <1ms
Security shouldn't bottleneck your infra.
๐ 1. Clock Drift & Sandboxing
The Clock Skew Problem
A strict 5-minute TTL breaks when server clocks desync by even a few seconds. NTP isn't perfect.
The Fix: A 30-second ClockSkewLeeway across all SDKs. Tokens are accepted if exp + 30s > now and iat - 30s < now. The token still dies in โค 5 minutes; we just don't reject valid tokens because server-b is slightly behind server-a.
The SSRF Vector
We use Apple's Pkl for policy-as-code. But what if a malicious policy tries to read("/etc/shadow") or makes an outbound HTTP request?
The Fix: Strict sandboxing at the execution layer:
-
--allowed-modules="pkl:*"(no network/package imports) -
--allowed-resources="file://<dir>/"(scoped strictly to the policy directory)
๐ก๏ธ 2. The Redis Dilemma: Fail-Open vs. Fail-Closed
OathMesh uses Redis to prevent token replays. If Redis drops, you face a classic choice:
- Fail open: Accept tokens โ Security risk (DDoS your Redis to bypass auth).
- Fail closed: Reject everything โ System-wide downtime.
The Fix: We fail closed for new tokens, but use a bounded circuit-breaker to protect in-flight requests.
If Redis drops, the Go engine activates an in-process cache of known-good tokens verified in the last 60 seconds.
- New tokens? Rejected (fail closed).
- Legitimate in-flight callers? They survive the blip.
๐ 3. Zero-Code Gateway Integration
You shouldn't rewrite legacy services to adopt zero-trust. We brought OathMesh to the API Gateway layer.
Envoy (ext_authz)
A standalone Go binary implements Envoy's gRPC ext_authz interface. It verifies tokens and injects identity headers before traffic hits your app.
# envoy.yaml snippet
http_filters:
- name: ext_authz
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
grpc_service:
google_grpc:
target_uri: oathmesh:4000
Your upstream receives:
X-OathMesh-Subject: agent://ci/deploy-bot
X-OathMesh-Action: deploy
X-OathMesh-Token-ID: <jti-uuid>
Zero code changes required.
Kong
We built a native Go PDK plugin. It runs our 14-step pipeline directly inside Kong's request lifecycle. No sidecars, no Lua rewrites, no extra network hops.
๐ 4. Observability: Step-Annotated Audit Logs
Every verification emits a structured NDJSON event. No guessing why a token was rejected.
{"ts":"...","event":"allow","step":14,"jti":"abc123","sub":"agent://ci/deploy-bot","act":"deploy"}
{"ts":"...","event":"deny","step":13,"reason":"jti_replay","jti":"abc123","src_ip":"10.0.4.99"}
Pipe it to jq, ship it to your SIEM, or grep for step 13 to catch replays instantly.
๐๏ธ Maturity: Where We Actually Are
| Capability | Status |
|---|---|
| Core engine (Go) | โ Production-tested internally |
| SDKs (Go, Node.js, Python) | โ Stable, cross-SDK conformance-tested |
| Envoy + Kong integrations | โ Ready for early adopters |
| Independent security audit | ๐ Seeking sponsors โ contact us |
Honest take: If you're running SPIFFE with full sidecar coverage, keep using it. OathMesh is for teams who want zero-trust machine identity without the service mesh footprint: CI runners, legacy VMs, and polyglot environments.
Ready to kill your static API keys?
The engine is open-source and ready for early adopters. Run the 3-command demo, read the threat model, and tell us what breaks.
๐ GitHub: oathmesh/oathmesh
๐ Performance Benchmarks
๐ Threat Model
Built by Moustafa Mahmoud Atta & Abd El-Sabour Ashraf โ MIT License
Top comments (0)