dmj.one

Work / Enterprise & Security / Zero-Trust API Broker

No. 30 · Enterprise · API · Default-deny

Default DENY.
Every call signed.

Internal APIs are the new attack surface. SSRF, leaked tokens, over-broad service identities. The broker stops all three. Every request is authenticated. Every token is scoped. Every hop is mutual TLS. Every call leaves a signed audit log on its way out, even if your team forgets to log it.

View source The five gates Audit log shape
DENYDefault policy
mTLSEvery hop · every call
1 / callSigned audit entry emitted
ScopedTokens · least privilege
0SSRF paths · by design

Act I · The Problem

Three failures, all internal.

External breaches make headlines. Internal misuse drains balance sheets. The broker stops the three failure modes that show up in every post-mortem.

SSRF

The service makes the call you didn't authorise.

An untrusted input becomes a URL. The service fetches it. Internal metadata, cloud creds, neighbour services, all readable from the inside.

Leaked token

One token. Every API. Forever.

A debug print, a CI log, a misconfigured Sentry, and the long-lived service token is in the wild. The token has admin scope on six services it never needed.

Over-broad identity

"It needed to talk to the database, sometimes."

So it got blanket access. Now any code path under that service identity can read every row, drop every table, call every other API in the mesh.

Act II · The Promise

Five gates. One call.

A request that survives all five gates is allowed and audited. A request that fails any gate is rejected and audited. There is no other path.

01

Identity gate. mTLS or stop.

The caller presents a client certificate. The broker pins it to a known service identity. No certificate, no conversation. No fallback to bearer-only.

Authenticated
02

Scope gate. Token must match action.

Each token carries the minimum scope for one action against one upstream. Scope mismatch is a hard reject. Tokens are short-lived and rotate on each call.

Authorised
03

Allowlist gate. Only registered upstreams.

The upstream URL must resolve to an entry in the registry. Arbitrary URLs are rejected. SSRF is a category error here, not a vulnerability.

Routable
04

Shape gate. Schema, size, headers.

Request body validated against a registered schema. Headers stripped to the required set. Size capped. Anything weird, dropped before it reaches the upstream.

Validated
05

Egress gate. Sign and forward.

Broker signs the audit entry, then issues the upstream call over its own mTLS connection. Upstream sees a stable broker identity, not the original caller.

Forwarded · signed

Act III · The Receipt

One call. One signed receipt.

No buffering. No batching. No "the agent crashed before the log shipped". The audit entry is written, signed, and emitted before the upstream sees the request.

audit · /v1/orders/create · Ed25519 signed SEALED 
{
  "v": "ztb-1",
  "ts": "2026-05-04T11:42:08.317Z",
  "call_id": "01HX9GZ6P7B2WMK0RTV3F8N4QE",
  "caller": {
    "spki": "sha256:b1f4...e22a",
    "identity": "svc.checkout"
  },
  "upstream": {
    "name": "orders.api.internal",
    "path": "/v1/orders/create",
    "method": "POST"
  },
  "token": {
    "scope": ["orders:create"],
    "exp_in_s": 60
  },
  "shape": {
    "schema": "order.create.v3",
    "bytes": 412,
    "sha256": "4a8d...c19f"
  },
  "decision": "ALLOW",
  "latency_ms": 3,
  "prev_hash": "7e0c...9d31",
  "sig": "ed25519:9f...7c"  // signed before egress
}
Each entry chains prev_hash → curr_hash. Tampering one entry breaks the chain for every entry after it.

Act IV · The Pattern

Same posture. Different surface.

The broker is the API-shaped sibling of Zero-Trust MySQL. Both refuse to trust the network, the operator, and the caller. Both produce a hash-chained audit pack the auditor accepts. Both prefer a small, verifiable surface to a large, "configurable" one.

A

Same default. DENY.

Nothing routes, nothing decrypts, nothing executes unless an explicit policy says so. New endpoints are off until they are registered.

Fail closed
B

Same audit shape.

Hash-chained entries. Off-host anchor. Signed before emission. Auditor walks the chain and verifies continuity end to end.

Tamper-evident
C

Same proof model.

Controls expressed as scripts that pass or fail. Evidence bundle generated on demand. No self-signed compliance reports.

Verifiable
D

Same blast radius.

Compromise a caller, you get one short-lived token with one scope on one endpoint. The blast radius is one row, not one cluster.

Contained

Act V · Proof

What the auditor sees.

Signed audit log per call

Ed25519 signature emitted before the upstream sees the request. Hash chained. Off-host anchor. Tampering one entry breaks every entry after.

Scoped, short-lived tokens

One scope, one upstream, one minute. Rotated per call. Leaking a token leaks one minute of one action against one endpoint.

mTLS on every hop

Caller to broker, broker to upstream. SPKI-pinned. No bearer-only fallback path. No anonymous calls anywhere on the data plane.

Allowlist-only routing

Upstream URLs come from the registry, not the request. SSRF is a category error here, not a CVE. Untrusted URLs cannot be resolved.

Schema-validated shape

Body validated against a registered schema. Headers reduced to the required set. Size capped. Anything weird is dropped at the gate.

Built so teams cannot misuse it

The default path is the only path. There is no "skip the gate for performance" flag. Misuse requires a code change and a registry change, both reviewed.

If your blast radius is "the whole mesh", fix the gate.

I build internal API gateways that prefer one verifiable path to ten configurable ones. Default deny. Signed audit. Scoped tokens. The gate makes the right thing the easy thing.

Hire me Back to work