JWS replay
ERR-P01-IDT-1010 - JWS replay
Section titled “ERR-P01-IDT-1010 - JWS replay”Summary
Section titled “Summary”A body-signed request was rejected because its jti has already been
seen - a replay of a previously consumed JWS.
When this is raised
Section titled “When this is raised”- A self-service request (
POST /v1/agent/me/rotate-keyorDELETE /v1/agent/me) carries a body JWS whosejtimatches one the server already processed. - These body-JWS endpoints authenticate via the signed payload rather
than the
Authorizationheader, so each JWS must be single-use to prevent replay.
What to do
Section titled “What to do”- Mint a fresh JWS with a new, unique
jtifor every self-service call; never resend a JWS that was already submitted. - Treat a 401 with this code as terminal for that JWS - re-sign and retry with a new one.
Server-side cause
Section titled “Server-side cause”- Reserved - will be raised by the
/v1/agent/merotate-key / self-revoke flow; not yet wired (packages/identity/src/service/me.ts, whererotateKeyandselfRevokecurrently thrownot implemented). The middleware inapps/api/src/middleware/auth.tsalready routes these body-JWS paths past the header JWT check in anticipation.
Example response
Section titled “Example response”{ "type": "https://citizenry.id/errors/ERR-P01-IDT-1010", "title": "Unauthorized", "status": 401, "code": "ERR-P01-IDT-1010", "message": "jti has already been used", "method": "POST", "instance": "/v1/agent/me/rotate-key", "request_url": "https://api.citizenry.id/v1/agent/me/rotate-key", "timestamp": "2026-05-17T07:00:00.000Z"}Related codes
Section titled “Related codes”ERR-P01-IDT-1011- JWS action mismatch.ERR-P01-IDT-1012- JWS lifetime exceeded.
Changelog
Section titled “Changelog”- 0.1.0 - introduced.