Authentication

Authentication verifies the identity or credentials of a peer before a session is allowed to proceed. Zenoh supports both transport-layer authentication and a session-layer authentication exchange carried by INIT/OPEN extensions.

Transport-Layer Authentication (TLS / QUIC)

When a TLS- or QUIC-based locator is used, the underlying secure transport may authenticate the remote peer, typically with X.509 certificates.

  • Certificate validation rules are defined by the chosen transport/security stack, not by the Zenoh message format.

  • Mutual authentication is deployment-specific: some deployments authenticate only the server side, others require both peers to present credentials.

  • How certificate attributes are mapped into local identities for policy decisions is implementation-defined.
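Because that mapping is implementation-defined, the decision has to be made explicitly somewhere. The following is an added example, not part of this page or of any Zenoh implementation, of one way to do it in Python: it takes a peer certificate in the dict shape that the standard library's ssl.SSLSocket.getpeercert() returns, picks a single local identity from it in a fixed preference order, and feeds that identity into a deny-by-default publish policy. The certificate contents, the preference order and the allowlist are all constructed for the example.

```python
from typing import Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns once
# the TLS stack has already validated the chain: "subject" is a tuple of
# RDNs (each a tuple of (attr, value) pairs) and "subjectAltName" is a tuple
# of (type, value) pairs. All names here are invented for this example.
SAMPLE_PEER_CERT = {
    "subject": (
        (("organizationName", "Example Fleet"),),
        (("commonName", "rover-07.fleet.example"),),
    ),
    "issuer": ((("commonName", "Example Fleet CA"),),),
    "subjectAltName": (
        ("DNS", "rover-07.fleet.example"),
        ("URI", "spiffe://fleet.example/rover/07"),
    ),
}

def peer_identity(cert: dict) -> Optional[str]:
    """Map certificate attributes to one local identity string.

    The preference order is a deployment choice, not something Zenoh
    mandates: a URI SAN (e.g. a SPIFFE ID), then a DNS SAN, then the
    subject CN. Returns None when nothing usable is present so the caller
    treats the peer as unidentified instead of assuming a default identity.
    """
    sans = cert.get("subjectAltName", ())
    for kind, value in sans:
        if kind == "URI":
            return value
    for kind, value in sans:
        if kind == "DNS":
            return value.lower()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value.lower()
    return None

# Constructed policy: identity -> key-expression prefixes it may publish to.
PUBLISH_ALLOWLIST = {
    "spiffe://fleet.example/rover/07": ("fleet/rover/07/",),
    "ops-console.fleet.example": ("fleet/",),
}

def may_publish(cert: dict, key_expr: str) -> bool:
    """Deny by default: no identity, or no matching prefix, means no access."""
    ident = peer_identity(cert)
    if ident is None:
        return False
    return any(key_expr.startswith(p) for p in PUBLISH_ALLOWLIST.get(ident, ()))
```

The mapping only runs after the transport/security stack has validated the chain, which is the first bullet above; the identity function never looks at issuer or validity because those checks belong to that layer, not to the policy layer.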

Session-Layer Authentication (Auth Extension)

The Auth extension is carried as extension ID 0x3 in INIT and OPEN. It is encoded as a ZBuf and is opaque to the base protocol: the wire format standardizes only where those bytes appear, not how they are interpreted.

An implementation may use this payload for challenge/response exchanges, bearer tokens, proof-of-possession data, or other deployment-specific mechanisms. The responder may include Auth data in InitAck and/or OpenAck, or abort the handshake with CLOSE if authentication fails.

Handshake Flow

Initiator                                     Responder
    |── INIT / OPEN + Auth payload ──────────>|
    |<── InitAck / OpenAck + Auth payload ────|  (or CLOSE)
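The two paragraphs above leave the payload contents entirely to the implementation, so here is an added example, not code from this page or from any Zenoh implementation, of one concrete challenge/response scheme carried in that opaque ZBuf: the initiator names itself in INIT, the responder answers InitAck with a fresh nonce, the initiator proves possession of a shared secret in OPEN with an HMAC over that nonce, and the responder replies OpenAck or CLOSE. The page fixes only the extension ID (0x3) and the ZBuf encoding; the header bit layout below is an assumption taken from the zenoh-protocol crate, and the one-byte payload tags, the HMAC construction, the client identifiers and the secrets are all invented for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Extension framing. Only the ID (0x3) and the ZBuf encoding come from the
# page; the header bit layout (ID in the low nibble, encoding kind in bits
# 5-6, bit 7 = "another extension follows") is assumed, not stated there.
EXT_ID_AUTH = 0x03
ENC_MASK, ENC_ZBUF = 0x60, 0x40

def encode_varint(n: int) -> bytes:
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def encode_auth_ext(payload: bytes) -> bytes:
    """Header byte, varint length, then the opaque Auth bytes."""
    return bytes([EXT_ID_AUTH | ENC_ZBUF]) + encode_varint(len(payload)) + payload

def decode_auth_ext(buf: bytes) -> Tuple[int, bytes]:
    """Return (extension id, payload); reject non-ZBuf or truncated input."""
    if not buf or buf[0] & ENC_MASK != ENC_ZBUF:
        raise ValueError("expected a ZBuf-encoded extension")
    n, shift, i = 0, 0, 1
    while True:
        if i >= len(buf):
            raise ValueError("truncated extension")
        b, i = buf[i], i + 1
        n |= (b & 0x7F) << shift
        if b < 0x80:
            break
        shift += 7
    if len(buf) - i < n:
        raise ValueError("truncated extension payload")
    return buf[0] & 0x0F, buf[i:i + n]

# Hypothetical challenge/response inside the opaque payload. Zenoh defines
# none of these layouts; they are invented for this example.
#   INIT    : 0x01 | client_id                "hello, I claim to be X"
#   InitAck : 0x02 | 32-byte nonce            challenge
#   OPEN    : 0x03 | client_id | 32-byte tag  HMAC proof of the shared secret
#   OpenAck : 0x04                            accepted (otherwise CLOSE)
DOMAIN = b"zenoh-auth-example-v1"   # domain separation for the MAC input
TAG_LEN = hashlib.sha256().digest_size

def prove(secret: bytes, nonce: bytes, client_id: bytes) -> bytes:
    return hmac.new(secret, DOMAIN + nonce + client_id, hashlib.sha256).digest()

class Responder:
    def __init__(self, secrets: Dict[bytes, bytes]):
        self.secrets = secrets                  # client_id -> shared secret
        self.pending: Dict[bytes, bytes] = {}   # client_id -> unanswered nonce

    def on_init(self, ext: bytes) -> Tuple[str, bytes]:
        ext_id, payload = decode_auth_ext(ext)
        if ext_id != EXT_ID_AUTH or payload[:1] != b"\x01":
            return "CLOSE", b""
        nonce = os.urandom(32)                  # fresh per INIT; a real
        self.pending[payload[1:]] = nonce       # responder would bound this map
        return "InitAck", encode_auth_ext(b"\x02" + nonce)

    def on_open(self, ext: bytes) -> Tuple[str, bytes]:
        ext_id, payload = decode_auth_ext(ext)
        if ext_id != EXT_ID_AUTH or payload[:1] != b"\x03" or len(payload) < 1 + TAG_LEN:
            return "CLOSE", b""
        client_id, tag = payload[1:-TAG_LEN], payload[-TAG_LEN:]
        nonce = self.pending.pop(client_id, None)   # single use: a replayed OPEN fails
        secret = self.secrets.get(client_id)
        if nonce is None or secret is None:
            return "CLOSE", b""
        if not hmac.compare_digest(prove(secret, nonce, client_id), tag):
            return "CLOSE", b""                 # constant-time comparison
        return "OpenAck", encode_auth_ext(b"\x04")

class Initiator:
    def __init__(self, client_id: bytes, secret: bytes):
        self.client_id, self.secret = client_id, secret

    def init_ext(self) -> bytes:
        return encode_auth_ext(b"\x01" + self.client_id)

    def open_ext(self, init_ack_ext: bytes) -> bytes:
        _, payload = decode_auth_ext(init_ack_ext)
        if payload[:1] != b"\x02" or len(payload) != 33:
            raise ValueError("malformed challenge")
        tag = prove(self.secret, payload[1:], self.client_id)
        return encode_auth_ext(b"\x03" + self.client_id + tag)

def run_handshake(initiator: Initiator, responder: Responder) -> str:
    """INIT -> InitAck -> OPEN -> OpenAck, or CLOSE at the first failure."""
    kind, ack = responder.on_init(initiator.init_ext())
    if kind == "CLOSE":
        return kind
    kind, _ = responder.on_open(initiator.open_ext(ack))
    return kind

# Constructed shared secrets for the demo.
SHARED_SECRETS = {b"rover-07": b"constructed-secret-1", b"base": b"constructed-secret-2"}
```

Running run_handshake(Initiator(b"rover-07", SHARED_SECRETS[b"rover-07"]), Responder(SHARED_SECRETS)) completes with OpenAck; a wrong secret, an unknown client id, or a replayed OPEN all end in CLOSE, because the nonce is consumed on first use and the tag is checked with a constant-time comparison. The base protocol sees none of this: it only carries the bytes at extension ID 0x3.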

Combining Mechanisms

Transport-layer and session-layer authentication may be used simultaneously. Access control decisions MAY use identity material derived from either layer. The protocol does not require one layer to subsume the other.