.. Relock Cloud Deployment documentation master file, created by
   sphinx-quickstart on Wed Aug 20 11:05:55 2025.
   You can adapt this file completely to your liking, but it should at least
   contain the root `toctree` directive.

.. rst-class:: break_before

Executive Summary
=================

Relock’s authentication system has a decisive advantage over other methods: its *continuous, ephemeral nature*. Every request carries fresh, device- and origin-bound cryptographic proof with built-in reuse and compromise detection, eliminating the weaknesses of bearer authentication (passwords, OTPs, session cookies, bearer tokens).

Whereas today’s strongest authentication methods — passkeys and hardware keys — excel at protecting the private key, Relock protects the *server–device relationship* itself, ensuring there are no reusable credentials for an attacker to walk away with.

**What that buys you in practice:**

*High-assurance continuous trust.* Every request carries a fresh, origin- and device-bound Signed One-Time Token derived from a rotated, on-demand secret.

*Phishing resilience out of the box.* Session cookie theft, token replay, and AiTM phishing are neutralized — session trust cannot be bypassed.

*Visibility, not just observability.* The authentication gateway detects any reuse, mismatch, or tampering and triggers immediate server-side detection and session termination.

*Frictionless user experience.* No user gesture is required after the initial login; protection is invisible, silent, and continuous in the background.

*Plug-and-play deployment.* Lightweight JS agent plus a proxy header — no UX overhaul, complex management, hardware rollout, browser extensions, or OS-level software. No user adoption hurdles: **just plug it in**.

At its core, Relock shifts the security assurance level from a one-time login event to a model of **continuous cryptographic trust**, delivering strong posture, phishing resistance, and regulatory alignment — all while remaining invisible and frictionless for users.