Skip to content

Replay Protection

Every INK message MUST include:

  • nonce: A base64url-encoded random value, 16 to 256 characters. 22 characters (128 bits) is the recommended minimum; conforming receivers MUST accept any length in that range.
  • timestamp: ISO 8601 UTC timestamp.

Validation Rules

Receiving agents MUST:

  1. Reject messages with timestamps older than 5 minutes from the receiver’s clock.
  2. Reject messages with timestamps in the future by more than 30 seconds.
  3. Track seen (sender, nonce) pairs and reject duplicates for at least the timestamp window. A 10-minute retention window is recommended so a nonce stays tracked after its timestamp expires.

Nonce storage is the integrator’s responsibility. The library exposes a checkReplay() primitive that decides whether a single (timestamp, nonce) pair is fresh given a caller-supplied seen-nonce set; the caller owns the cache and its TTL.

Rationale

The 5-minute window accommodates reasonable clock skew between agents while limiting the replay attack surface. The 30-second future tolerance prevents rejection of messages from slightly fast clocks.

The recommended 10-minute nonce-retention window is intentionally larger than the timestamp window so a nonce is still tracked after the timestamp becomes invalid, preventing an edge case where a message’s timestamp expires but its nonce is purged from tracking, potentially allowing re-acceptance with a fresh timestamp.