Security Brief

Enterprise-grade security architecture

This document provides an overview of Authevo's security architecture for CISOs, compliance leads, and security teams evaluating AI agent governance solutions.

Executive Summary

Authevo provides a secure, auditable runtime for AI agents performing high-value operations. Every action is cryptographically signed, policy-verified, and stored in a tamper-evident ledger. The platform is designed to meet enterprise security requirements while enabling autonomous agent operations.

SOC 2 Ready | PSD2 Aligned | GDPR Compliant | Zero Trust

Architecture Overview

Identity Layer

DID-based agent credentials with Ed25519 signatures

Policy Engine

OPA-powered enforcement with version control

Audit Ledger

Tamper-evident hash chain with JSON-LD records

Settlement Fabric

Re-verified execution with downstream hooks

Cryptographic Standards

Agent Identity (DIDs)

Each agent is issued a Decentralized Identifier (DID) following the W3C DID Core specification. We use the did:key method with Ed25519 keypairs for simplicity and cryptographic strength.

Component | Standard | Details
Key Algorithm | Ed25519 | 256-bit keys, fast verification, widely supported
DID Method | did:key | Self-certifying, no external resolver required
Encoding | Multibase + Multicodec | Base58-btc encoding with 0xed prefix
Signature Format | Detached Ed25519 | 64-byte signatures, NaCl compatible

Action Signing

Every action executed by an agent is signed before submission:

  1. Canonicalization — Action payload is serialized using JSON Canonicalization Scheme (JCS)
  2. Hashing — SHA-256 digest of the canonical form
  3. Signing — Ed25519 detached signature using agent's private key
  4. Verification — API verifies signature against registered public key before processing

Tamper-Evident Ledger

Actions are stored in a hash chain where each record includes the hash of the previous record. This creates an immutable audit trail that can be independently verified.

{
  "actionId": "act_7x9kL2...",
  "prevHash": "sha256:8f3a9c...",
  "payload": { ... },
  "policyDecision": "allow",
  "signature": "ed25519:Bk2x...",
  "hash": "sha256:2b7e1f..."
}
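
An auditor can run the chain check described above outside the platform. The following is an added example, not Authevo's code. It assumes each record's hash is the SHA-256 of the canonical JSON of every field except hash and a genesis prevHash of 64 zeros, uses sorted-key compact JSON as a simplified stand-in for JCS, and omits Ed25519 verification; all function names and sample values are hypothetical.

```python
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumed prevHash of the first record


def canonical(obj):
    # Simplified stand-in for JCS (RFC 8785): sorted keys, no whitespace.
    # Agrees with JCS for ASCII keys and string or small-integer values.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def record_hash(record):
    # Assumption: the hash covers every field except "hash" itself.
    body = {k: v for k, v in record.items() if k != "hash"}
    return "sha256:" + hashlib.sha256(canonical(body)).hexdigest()


def append(ledger, action_id, payload, decision, signature="ed25519:PLACEHOLDER"):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    rec = {"actionId": action_id, "prevHash": prev, "payload": payload,
           "policyDecision": decision, "signature": signature}
    rec["hash"] = record_hash(rec)
    ledger.append(rec)


def verify_chain(ledger):
    """Return (index, reason) for each record that fails verification."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(ledger):
        if rec.get("prevHash") != prev:
            findings.append((i, "prevHash does not match previous record"))
        if rec.get("hash") != record_hash(rec):
            findings.append((i, "stored hash does not match contents"))
        # Continue from the stored hash so one edit is reported once,
        # not again on every later record.
        prev = rec.get("hash")
    return findings


def build_sample():
    # Constructed sample ledger; signature values are placeholders.
    ledger = []
    append(ledger, "act_0001", {"op": "transfer", "amount": 100}, "allow")
    append(ledger, "act_0002", {"op": "transfer", "amount": 250}, "allow")
    append(ledger, "act_0003", {"op": "refund", "amount": 40}, "deny")
    return ledger
```

A writer who can recompute every later hash leaves a chain that still verifies. Compare the final hash with a copy held outside the ledger and verify each record's Ed25519 signature as well.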

Policy Enforcement

Authevo uses Open Policy Agent (OPA) for policy enforcement. Policies are written in Rego and evaluated inline with every action.

  • Fail-Closed — If policy evaluation fails, the action is denied
  • Version Controlled — Policy changes are tracked with semantic versioning
  • Decision Logging — Every policy decision is logged with full input context
  • Simulation Mode — Test policy impact before deployment

Access Control

Control | Implementation
Authentication | API keys with HMAC-SHA256 request signing
Authorization | Role-based access with policy enforcement
Agent Revocation | Instant DID revocation with verification-path blocking
Rate Limiting | Per-agent, per-action-type limits via policy
Network Security | TLS 1.3, private networking between services

Data Protection

  • Encryption at Rest — AES-256 encryption for stored data
  • Encryption in Transit — TLS 1.3 for all external connections
  • Key Management — Integration with HSM/KMS for production deployments
  • Data Isolation — Tenant-level data segregation
  • Retention Policies — Configurable audit log retention

Compliance Alignment

SOC 2

Authevo's architecture supports SOC 2 Type II compliance with built-in controls for:

  • Access control and authentication (CC6.1)
  • Change management via policy versioning (CC8.1)
  • System monitoring and logging (CC7.2)
  • Incident response with revocation workflows (CC7.4)

PSD2 / Strong Customer Authentication

For financial services, Authevo provides the audit trail and policy controls required for Strong Customer Authentication (SCA) scenarios, including:

  • Transaction-specific signing
  • Dual-control approval workflows
  • Immutable transaction records

Incident Response

Authevo provides rapid response capabilities for security incidents:

  1. Instant Revocation — Revoke agent credentials with a single API call
  2. Action Replay — Reconstruct agent activity timeline from audit logs
  3. Forensic Export — Export signed action packs for investigation
  4. Policy Rollback — Revert to previous policy versions

Security Roadmap

Feature | Status
Ed25519 Agent Signatures | ✓ Implemented
OPA Policy Enforcement | ✓ Implemented
Hash Chain Audit Ledger | ✓ Implemented
HSM/KMS Integration | Planned
mTLS Between Services | Planned
SBOM & Vulnerability Scanning | In Progress
OpenTelemetry Tracing | Planned

Contact Security Team

For security inquiries, vulnerability reports, or compliance documentation requests, contact our team.