AlltheX · Stateless Verification Protocol · We verify the integrity of a request — not the identity of a user.

Documentation

Quickstart

Integrate the AlltheX verification protocol in minutes. No account required to read the spec.

Overview

How AlltheX works

AlltheX is a stateless verification protocol. It operates on a single principle: instead of observing who sent a request, it verifies that the request was constructed according to a deterministic protocol.

Verification is binary. A canonical frame either satisfies the protocol constraints — or it does not. There are no confidence scores, no behavioral thresholds, and no accumulated session state.

Installation

Install the SDK

npm 
npm install @allthex/sdk
yarn 
yarn add @allthex/sdk

First Request

Construct and sign a frame

Each request requires a canonical frame — a deterministic representation of the interaction — before it is transmitted.

typescript 
import { AlltheX } from '@allthex/sdk';

const client = new AlltheX({
  publicKey: process.env.ALLTHEX_PUBLIC_KEY,
});

// Construct a canonical frame
const frame = client.frame({
  action:    'submit',
  timestamp: Date.now(),
  nonce:     client.nonce(),
});

// Sign and attach to request
const headers = frame.sign();

API Reference

Canonical Frame

A canonical frame is the minimal deterministic representation of an interaction. The frame is constructed client-side, signed, and verified server-side. No runtime state is required on either end.

Field Type Description
action string Identifier for the interaction type.
timestamp number Unix milliseconds at frame construction.
nonce string Single-use challenge value. Invalidated after first verification.
signature string HMAC-SHA256 over the canonical serialization of the frame.

Verification

Server-side verification

typescript 
import { verify } from '@allthex/sdk/server';

const result = verify({
  frame:     request.headers['x-allthex-frame'],
  signature: request.headers['x-allthex-sig'],
  secretKey: process.env.ALLTHEX_SECRET_KEY,
});

if (!result.valid) {
  return response.status(403).json({
    error: result.reason,
  });
}

Error Codes

Verification errors

Code Meaning
INVALID_SIGNATURE Frame signature does not match the canonical serialization.
NONCE_CONSUMED This nonce has already been verified. Replay attempt.
FRAME_EXPIRED Frame timestamp falls outside the allowed window.
MALFORMED_FRAME Frame fields are missing or do not conform to spec.

Concepts

Stateless design

The AlltheX protocol requires no persistent state on the verification server beyond nonce storage for replay resistance. There is no session, no user profile, and no behavioral history consulted during verification.

Each verification is self-contained. The frame carries everything the server needs to reach a deterministic conclusion.

Concepts

Replay resistance

Every frame contains a single-use nonce. The verification server records consumed nonces with a TTL matching the allowed timestamp window. Any attempt to resubmit a previously verified frame will fail with NONCE_CONSUMED.

The nonce store is the only stateful component in the protocol. It does not contain user identity, device data, or behavioral signals.