UCAN Authorized Wire Authenticated Key Exchange (AWAKE)

Authorized Wire Authenticated Key Exchange, or AWAKE, is used for secure device linking.

Quick Links

Protocol Specification https://github.com/ucan-wg/awake


Authorized Wire Authenticated Key Exchange (AWAKE) is an AKE built on top of the UCAN auth token. AWAKE is similar to other mutual authentication schemes (such as self-signed mTLS), but with a focus on authorization and proof. AWAKE leverages the UCAN capability chain to prove access to some resource, validating that the requestor is communicating with a party capable of performing certain actions. This is a helpful root of trust with a well defined context when establishing a secure communications channel.


AWAKE bootstraps a secure session on top of a public channel. Key exchanges for point-to-point communication are plentiful, but in open, trustless protocols, rooting trust can be a barrier for ad hoc communications channels. Two common approaches are to use a trusted certificate authority, or ignore the principal and “merely” establish a point-to-point channel.

Capability-based systems have a helpful philosophy towards a third path. By emphasizing authorization over authentication, they provide a way to know something provable about what the other party “can do”, even if they have no sure way of knowing “who they are”. One way of phrasing this is that such an agent is “functionally equivalent to the principal in this context”. AWAKE makes use of authorization to bootstrap point-to-point sessions that are both secure and mutually trusted.

1 Like