26 June 2026 · 4 min read
Your agents authenticate like it's 2015
Agents act, and hand authority to sub-agents, at machine speed — carrying bearer tokens that were designed for a human clicking a login button. A captured token stays valid. A delegated one can be replayed. The tool executing the call can't check the scope locally. None of this is exotic; it's the default. This is a problem post, not a product post.
Read essay →

24 May 2026 · 11 min read
The five-dollar substrate
We have an ESP32-C6-WROOM-1 authenticating at 2 Hz over the public internet, every request a unique credential, no centralised vault behind it. $4.95 of silicon, Wi-Fi 6 on-die. This post is a deliberately speculative read on what that could mean for the substrate the agentic internet is about to be built on. The /compare-hardware-auth page is the factual side; this one is the horizon.
Read essay →

17 May 2026 · 4 min read
Produce a regulator-ready compliance archive
Late-Sunday lab notes from Phase 9: end-to-end testing produces a cryptographically anchored, GPG-signed NIS2 compliance archive on a laptop. Across nine phases we've been describing this. It works.
Read essay →

16 May 2026 · 8 min read
Identity has a new floor
A thesis on why federation — the floor Auth0 built and every enterprise stack now relies on — needs a new floor under it. Federation answers who is acting; the next primitive answers what was true about what they did. Why 2026 is the right moment to build it, and where it lands cleanly across ten regulated verticals.
Read essay →

14 May 2026 · 5 min read
M2M authentication at 8.5 ns local, 25 ms over public internet
Phase 0 (engine bench on a laptop) and Phase 1 (live two-box HTTPS demo over the public internet) of EdSSA — Ephemeral Decentralised Stateless Structural Authentication. Patent pending in Europe; mechanism details remain confidential, but what we measured doesn't.
Read essay →

12 May 2026 · 20 min read
The Architecture of Autonomous Trust
From OAuth 2.0 Client Credentials and mTLS to SPIFFE/SPIRE and Workload Identity Federation — and the post-PKI architecture that comes next. A survey of how machines authenticate to machines today, and why agentic AI, satellites, and disconnected edge environments need a different paradigm.
Read essay →

22 April 2026 · 8 min read
Why post-quantum migration plans probably don't reach low Earth orbit
Most post-quantum migration plans are written for terrestrial cloud-microservice environments. The harshest operational regimes — LEO, deep-space, contested airspace — get a footnote, if that. They deserve more than a footnote.
Read essay →

15 April 2026 · 7 min read
Vault-based authentication: an honest look at what it cannot do
Vault-based authentication has been the right tool for the cloud-microservice era. It will continue to be the right tool there. The places where it is the wrong tool — and there are more of them than the cloud-native conversation usually acknowledges — deserve their own architecture.
Read essay →

1 April 2026 · 6 min read
Sovereignty as a feature, not a marketing line
European cryptographic sovereignty is not a slogan. It is a procurement constraint, a regulatory direction, and an architectural choice. We treat it as all three.
Read essay →