RFC-0007 — Customer nonce protocol
Owner: Gateway Lead + DevEx
What it defines
Anti-replay protection for inference requests.
Canonical flow
- Customer generates a fresh 256-bit random nonce per inference.
- Customer signs (nonce, ts) and sends (nonce, ts, customer_signature) with the request.
- Operator MUST reject a duplicate (operator_id, nonce) seen within 24h. pallet-nonce-vault records short-form hashes of (operator_id, nonce) in a 24h sliding window; a request whose ts is older than that window must be rejected as stale on its own, since its hash may already have been evicted.
Implementation deviation (gateway-router)
The reference gateway-router implementation deviates from the canonical flow: it issues nonces itself via POST /v1/nonces and rejects customer-generated ones. The customer SDK accepts both flows, so which anti-replay model a deployment actually runs depends on the gateway it is pointed at.
Replay attack defense
An attacker who captures a signed receipt and tries to settle its CUC credit twice fails: the chain-side settlement check verifies that the nonce was burned at the first settlement, so the second settlement is rejected.
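The canonical flow above and the burn-at-first-use check behind the replay defense, as an added worked example that is not part of RFC-0007, gateway-router or pallet-nonce-vault. Assumptions, since the RFC does not specify them: HMAC-SHA256 over a shared customer key stands in for the customer_signature scheme; the 5-minute future clock-skew bound, the 16-byte short-form hash, the in-memory NonceVault, the names make_request and operator_check, and the sample key and timestamps are all this example's own.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

# RFC-0007 gives the 24h window. The signature scheme and the clock-skew bound are
# not in the RFC; HMAC-SHA256 over a shared customer key and a 5-minute future-skew
# allowance are this example's assumptions.
WINDOW_SECONDS = 24 * 60 * 60
MAX_FUTURE_SKEW = 300


def _signed_bytes(nonce: bytes, ts: int) -> bytes:
    # Fixed-width encoding so (nonce, ts) cannot be re-split ambiguously.
    return nonce + ts.to_bytes(8, "big")


def make_request(customer_key: bytes, ts: Optional[int] = None,
                 nonce: Optional[bytes] = None) -> dict:
    """Customer side: fresh 256-bit nonce, timestamp, signature over (nonce, ts)."""
    nonce = os.urandom(32) if nonce is None else nonce
    ts = int(time.time()) if ts is None else ts
    sig = hmac.new(customer_key, _signed_bytes(nonce, ts), hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ts": ts, "customer_signature": sig.hex()}


class NonceVault:
    """Stand-in for pallet-nonce-vault: short-form hashes of (operator_id, nonce)
    kept for a sliding window, after which they are evicted."""

    def __init__(self, window: int = WINDOW_SECONDS) -> None:
        self.window = window
        self._burned: Dict[bytes, int] = {}  # short hash -> expiry time

    @staticmethod
    def short_hash(operator_id: str, nonce: bytes) -> bytes:
        # Domain-separated so the same nonce under two operators never collides.
        return hashlib.sha256(operator_id.encode() + b"\x00" + nonce).digest()[:16]

    def burn(self, operator_id: str, nonce: bytes, ts: int, now: int) -> bool:
        """Burn (operator_id, nonce) at first use. Returns False on a duplicate."""
        for h, expiry in list(self._burned.items()):  # O(n) sweep; fine for a demo
            if expiry <= now:
                del self._burned[h]
        h = self.short_hash(operator_id, nonce)
        if h in self._burned:
            return False
        # The entry lives exactly as long as the request's ts is still fresh.
        self._burned[h] = ts + self.window
        return True


def operator_check(vault: NonceVault, operator_id: str, customer_key: bytes,
                   req: dict, now: int) -> str:
    """Operator side. Authenticate before consulting the vault, so unauthenticated
    input never mutates replay state."""
    try:
        nonce = bytes.fromhex(req["nonce"])
        sig = bytes.fromhex(req["customer_signature"])
        ts = int(req["ts"])
    except (KeyError, ValueError):
        return "reject: malformed request"
    if len(nonce) != 32:
        return "reject: nonce must be 256-bit"
    expected = hmac.new(customer_key, _signed_bytes(nonce, ts), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "reject: bad signature"
    # Freshness bound: a ts older than the window is rejected outright, because its
    # vault entry may already have been evicted and a replay would otherwise look new.
    if now - ts >= vault.window:
        return "reject: stale timestamp"
    if ts - now > MAX_FUTURE_SKEW:
        return "reject: timestamp in the future"
    if not vault.burn(operator_id, nonce, ts, now):
        return "reject: duplicate (operator_id, nonce)"
    return "accept"


if __name__ == "__main__":
    key = b"customer-key"  # constructed sample key
    vault = NonceVault()
    req = make_request(key, ts=1_700_000_000)
    print(operator_check(vault, "op-1", key, req, 1_700_000_010))  # accept
    print(operator_check(vault, "op-1", key, req, 1_700_000_015))  # duplicate
```

The stale-timestamp check and the vault window are deliberately the same length: the vault only needs to remember a hash for as long as the signed ts could still pass the freshness check, and the freshness check is what keeps a replay from slipping in after eviction. The chain-side settlement check described above is the same burn() idea applied to the receipt's nonce, with the ledger rather than an in-memory dict as the record.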