shield.verify(token=jwt_eyJhbG..., scope=inference)
↳ shield.identity.lookup(sub=jamie@axe)
↳ shield.attestation.check(device_id=...)
↳ shield.scope.match(requested=inference)
↳ verdict: ALLOW · ttl=300s
↳ knox.audit.append(0x6e34...)
shield.verify(token=jwt_eyJhbG..., scope=inference)
↳ shield.identity.lookup(sub=jamie@axe)
↳ shield.attestation.check(device_id=...)
↳ shield.scope.match(requested=inference)
↳ verdict: ALLOW · ttl=300s
↳ knox.audit.append(0x6e34...)
shield.verify(token=jwt_eyJhbG..., scope=inference)
↳ shield.identity.lookup(sub=jamie@axe)
↳ shield.attestation.check(device_id=...)
↳ shield.scope.match(requested=inference)
↳ verdict: ALLOW · ttl=300s
↳ knox.audit.append(0x6e34...)
shield.verify(token=jwt_eyJhbG..., scope=inference)
↳ shield.identity.lookup(sub=jamie@axe)
↳ shield.attestation.check(device_id=...)
↳ shield.scope.match(requested=inference)
↳ verdict: ALLOW · ttl=300s
↳ knox.audit.append(0x6e34...)
shield.verify(token=jwt_eyJhbG..., scope=inference)
↳ shield.identity.lookup(sub=jamie@axe)
↳ shield.attestation.check(device_id=...)
↳ shield.scope.match(requested=inference)
↳ verdict: ALLOW · ttl=300s
↳ knox.audit.append(0x6e34...)
shield.verify(token=jwt_eyJhbG..., scope=inference)
↳ shield.identity.lookup(sub=jamie@axe)
↳ shield.attestation.check(device_id=...)
↳ shield.scope.match(requested=inference)
↳ verdict: ALLOW · ttl=300s
↳ knox.audit.append(0x6e34...)

ZERO-TRUSTFROM BOOT

SAML · OIDCMTLS · PASSKEYS

EVERY HOPVERIFIED

SHIELD

Zero-trust authentication across the platform. Every request verified. Nothing past the gateway is uncategorized.

SCROLL

Every Request Verified. No Exceptions.

Shield ensures every request across the entire CASTLE platform is authenticated before it touches any other system. No credentials, no access. Period.

Zero trust means zero assumptions. Shield authenticates at every layer — not just the perimeter.

Authentication Standards

Supported Methods

OAuth 2.0 + OpenID Connect

Industry standard. Multi-provider support. Native Okta, Azure AD, Google integration.

JWT Tokens

Short-lived access tokens. Automatic refresh. Cryptographic verification on every request.

Multi-Factor Authentication

TOTP authenticators. Hardware security keys. Backup codes. Never a single point of failure.

Enterprise SSO

SAML 2.0. LDAP directory integration. Active Directory. Your existing identity infrastructure.

API Key Management

Scoped permissions. Automatic rotation. Key derivation with PBKDF2. Audit trail for every key.

Session Management

Automatic timeout policies. Device tracking. Session revocation. Real-time logout across all clients.

Compliance Standards

OAuth 2.0 RFC 6749

Authorization framework. Delegation without sharing credentials.

OpenID Connect Core 1.0

Identity layer on OAuth. Authentication + authorization in one protocol.

PKCE (RFC 7636)

Proof Key for Public Clients. Protection against authorization code interception.

JWT (RFC 7519)

JSON Web Token standard. Stateless authentication. Cryptographic signatures.

Constant-Time Comparison

Timing attack resistant. Keys compared in constant time regardless of value.

Secure Storage

bcrypt hashing. Salted secrets. Never store plaintext credentials.

Tower: Fine-Grained Access Control

Tower determines what authenticated users can actually do. Role-based access control with fine-grained permissions down to individual data records and API endpoints.

RBAC — Role-Based Access Control

Define custom roles with semantic names (Admin, Analyst, Viewer). Assign roles to users. Control access based on job function, not individual permissions.

ABAC — Attribute-Based Access Control

Fine-grained policies based on attributes. Resource type, user department, data sensitivity, time of day. Unlimited expression power.

Resource-Level Permissions

Per-API endpoint, per-database table, per-data record. Granular down to the row. Users see and access only what they're authorized to see.

Policy-as-Code

Permissions defined as code. Versioned, audited, tested. Review before deployment. Rollback if needed. No hidden access logic.

Compliance & Certification

FIPS 140-2

Cryptographic Path

All cryptographic operations ready for FIPS 140-2 Level 2 certification. 4-6 month certification timeline on demand.

Protected B Ready

Canadian Compliance

Meets Protected B standards. Government of Canada approved. Privacy Act compliant. Data residency in Canada.

PIPEDA

Personal Information Protection

Compliant with Personal Information Protection and Electronic Documents Act. Consent tracking. User data rights honored.

ITSG-33

Information Technology Security

ITSG-33 Government of Canada standards in progress. Security controls aligned with government best practices.

Constant-Time Keys

Timing Attack Resistance

All cryptographic key comparisons in constant time. No timing side-channels. Immune to timing-based attacks.

Stack Trace Suppression

Zero Information Leakage

Errors sanitized before transmission. No system internals exposed. Stack traces never reach clients.

Deploy Zero-Trust Authentication

Configure

Define authentication methods. OAuth, SAML, API keys. Integrate with your identity provider.

Define Policies

Write Tower policies. RBAC roles. ABAC rules. Fine-grained permissions for your data.

Enforce

Every request verified. Every action authorized. Zero trust by default. Always.

Ready to deploy zero-trust authentication?

Launch Shield →

/ Contact · we read every inquiry

Talk to .

Demos, partnerships, government RFPs, technical questions. A person reads every form. You hear from someone — not a queue.