Hessra Logo
< BACK_TO_BLOG
#authorization#security#biscuit#rust

Introducing Hessra: Authorization Built for Machines

Authorization built for machines with offline-verifiable tokens and deep stack coverage.

by Jacob Valentic

Authorization is one of the hardest problems in modern software and the top security risk according to OWASP's Top Ten. At Hessra, we believe getting it right isn't just good for app security, it's a step toward fixing the original sin of interconnected systems.

What's wrong with Authorization today?

Today's approaches to authorization fall into a few buckets:

OAuth was originally designed for user login flows, specifically granting third-party applications reasonable access to user data. It's been stretched into broader use cases over time but protocol ossification is real, even at the application layer. It usually comes attached at the hip with JWTs and all the fuzziness and trickiness JWTs bring with them.

Zanzibar-inspired policy engines offer impressive scaling, efficiently storing zillions of subjects and resources in centralized policy graphs. But they often rely on blocking network calls close to the actual data to evaluate access or require replicating the full policy store everywhere you want to make those decisions. These are heavy systems tricky for regular developers to reason about but are good if you have complex data access needs tightly coupled to policy.

And of course, there's the tried-and-untrue: write authorization logic directly into your codebase. It's fast to start, fatal to scale, and why "Broken Access Control" is OWASP's number one risk.

> Hessra takes a different approach

We are building authorization from the ground up: purpose built for machines and services. Instead of treating the authorization request as an afterthought or bolting it onto identity protocols meant for users, we are building a new model that is broadly applicable to any networked application or distributed system. Hessra aims to make authorization easy to add to any network request, using any protocol, in any language.

Here is how it works:

Request-time token issuance

When a client service wants to make a request say it requests an authorization token from Hessra. This token is scoped to that exact operation and resource, it is extremely short-lived, and it's only meant for that single use.

Offline, verifiable enforcement

The token is a signed Biscuit token, which travels with the request. Any downstream service, worker, or even your database can verify the token locally using only the public key of your authorization service. No round trips to check permission. Just decentralized, fast, zero-trust enforcement.

Built for real infrastructure

The service and core SDK are written in rust and designed for performance and safety. Our tokens are an opinionated implementation on top of Biscuits, a capability-based token format with support for embedded policy logic, attenuation, and 3rd party attestation. The SDK offers easy means for requesting tokens, attesting them, and verifying them. We also offer a C FFI, Postgres extension, and Typescript API library.

> Service chains: proof of traversal

In complex systems, a request might pass through multiple services like an edge function or API gateway, some middleware, business logic, and finally the data store. Hessra supports service chains, allowing you to define expected hops and require each service to sign the token before forwarding it. Each verifier can ensure:

  • The token authorized the operation,
  • It passed through the correct services up to this point,
  • Nothing tampered with it along the way.

This helps implement explicit request lineage. It also prevents lateral movement: bad actors with a foothold in your system (or that mis-configured dev service) won't be able to access resources through a different channel.

> What's next?

We're early in this journey. The Hessra MVP is live and we're looking for design partners to help shape the system as we refine features, integrations, and developer experience.

If you're building distributed infrastructure or working on machine-to-machine security, we'd love to work with you. We're especially interested in partnering with teams facing challenges like:

  • Deploying services into on-prem or hybrid environments that need clearly defined, enforceable operations.
  • Operating IoT or embedded devices that call out to external APIs or cloud services.
  • Running microservice-heavy architectures that struggle with consistent, decentralized auth.
  • Needing cryptographically provable audit trails across service boundaries.

If that sounds like you, or even slightly close, we'd love to hear from you.

And if you're curious about the internals, there are more blog posts to come. Of course, feedback or contributions to our open source SDKs are always welcome.

> Join us

We're a small team of engineers building deeply technical infrastructure with a clear vision: make authorization verifiably secure and easy to include anywhere.

If that resonates with you:

Let's fix authorization from the bottom up.

— Jacob Valentic, Co-founder of Hessra