Quickstart

What is re:lock’s Active API Armour?

Re:lock’s Active API Armour has three main characteristics that differentiate it from other solutions you may be using for API security:

  • the program operates as an isolated service – it is a self-encrypted software enclave, deployed on the server, that carries out all processing in memory only and allows no access by third parties, human or program;

  • it uses a novel method of authentication and authorization based on persistent, direct pairing of services (entangled identity) and a chained ticket system, instead of (or in addition to) bearer tokens;

  • it delivers end-to-end encryption with perfect forward secrecy and without the need for distribution, storage, or management of cryptographic keys.

You should consider using the Armour wherever current solutions leave significant gaps or make implementation overly complex, mostly for APIs that require robust security and secrecy, especially within private and partner networks (e.g., financial systems, healthcare IT, or other critical sectors).

Why should you consider using the Armour?

API security is emerging as a significant business issue that translates into new development challenges for many modern systems and services. The existing toolkit, including OAuth / OpenID, signed JWT tokens, or mTLS, has some important vulnerabilities that adversaries exploit, and it requires a lot of work, often cumbersome and non-value-adding, from the development and security teams.

By adding the Armour to your API workflow and architecture, you can efficiently enforce a zero trust posture with streamlined and fail-proof authentication, authorization, and encryption – all in one piece of software.

Read more for a detailed view of Active API Armour’s benefits.

Minimal example

To use the Active API Armour, both endpoints, producer and consumer, need to deploy it in their local networks.

Run the service:

docker pull relock/armour
docker run --privileged --network host -it relock/armour run \
           --host 127.0.0.1 --port 8111 --multiprocessing

We recommend running this container in isolated compute environments, such as an AWS Nitro Enclave instance, to further protect and securely process highly sensitive data computed by the software.

You can install the Python package in the usual way using pip:

pip install relock

Once installed, a typical consumer request may look like:

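import logging

import requests
from relock import TCP as Armour

# Show INFO-level messages so the response below is actually printed.
logging.basicConfig(level=logging.INFO)

http = requests.Session()
# Connect to the local Armour service started above.
armour = Armour(host='127.0.0.1',
                port=8111,
                name='Alice')

with armour(host='<api host>', port=80) as arm:
    # arm.headers() adds the Armour's headers to the outgoing request.
    if response := http.get(arm.addr,
                            headers={'Content-Type': 'application/json',
                                     **arm.headers()},
                            json={}):
        # Pass the response headers to arm.stamp(); continue only if it returns a ticket.
        if ticket := arm.stamp(response.headers):
            logging.info(response.json())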

More detailed examples of the producer and consumer application implementations can be found in our GitHub repository.

Existing infrastructure compatibility

The Active API Armour is designed to work as an additional layer of protection and can be deployed irrespective of the existing infrastructure and alongside any current identity providers and authentication services.

Developer version

The Armour available here is in its early developer version. We encourage you to use it to explore the features of the system, but also to exercise caution in any production implementations. If you are interested in a production-ready version, feel free to get in touch.

This software provides critical security functions, and as such constantly evolves and benefits from the feedback of the development community. If you spot any vulnerabilities or issues, please let us know at contact@relock.id.