Metadata-Version: 2.4
Name: sycksec-token
Version: 1.0.0
Summary: Secure token generation and verification engine with rate limiting
Home-page: https://github.com/sycksec/sycksec-core
Author: Arjun Mani
Author-email: Arjun Mani <arjunmani45.mm@gmail.com>
Maintainer-email: Arjun Mani <arjunmani45.mm@gmail.com>
Project-URL: Homepage, https://github.com/sycksec/sycksec-core
Project-URL: Documentation, https://sycksec-core.readthedocs.io/
Project-URL: Repository, https://github.com/sycksec/sycksec-core.git
Project-URL: Issues, https://github.com/sycksec/sycksec-core/issues
Project-URL: Changelog, https://github.com/sycksec/sycksec-core/blob/main/CHANGELOG.md
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Topic :: Security
Classifier: Topic :: Security :: Cryptography
Requires-Python: >=3.8
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: cryptography>=3.4.8
Requires-Dist: pycryptodome>=3.15.0
Provides-Extra: dev
Requires-Dist: pytest>=6.0; extra == "dev"
Requires-Dist: pytest-cov>=2.0; extra == "dev"
Requires-Dist: black>=22.0; extra == "dev"
Requires-Dist: flake8>=4.0; extra == "dev"
Requires-Dist: mypy>=0.950; extra == "dev"
Requires-Dist: pre-commit>=2.15; extra == "dev"
Provides-Extra: test
Requires-Dist: pytest>=6.0; extra == "test"
Requires-Dist: pytest-cov>=2.0; extra == "test"
Requires-Dist: pytest-mock>=3.6; extra == "test"
Dynamic: author
Dynamic: home-page
Dynamic: license-file
Dynamic: requires-python


# 🛡️ SyckSec — Next-Gen Token Security

**Unbreakable • Unpredictable • Unrecognizable**  
SyckSec is a context-aware, multi-layer token security system designed to replace brittle, predictable authentication tokens like JWTs.  
It blends **encryption, obfuscation, visual camouflage, and adaptive intelligence** to create tokens that are **unreadable, unpredictable, and bound to the environment**.

---

![License](https://img.shields.io/badge/license-MIT-green)
![Python](https://img.shields.io/badge/python-3.8%2B-blue)
[![Security Tested](https://img.shields.io/badge/security-tested-success)](#)

---

## 📜 Table of Contents
1. [Problem](#-problem)
2. [Solution](#-solution)
3. [Core Features](#-core-features)
4. [Architecture Overview](#-architecture-overview)
5. [Security Advantages](#-security-advantages)
6. [Open Source vs SaaS](#-open-source-vs-saas)
7. [Installation](#-installation)
8. [Quick Start](#-quick-start)
9. [Configuration](#-configuration)
10. [API Usage](#-api-usage)
11. [Security Considerations](#-security-considerations)
12. [Contributing](#-contributing)
13. [License](#-license)
14. [Contact](#-contact)

---

## ❗ Problem
Authentication tokens in most applications suffer from:
- **Predictable structures** (e.g., JWT = header.payload.signature)
- **Weak context binding** (valid anywhere until expiry)
- **Replay vulnerabilities**
- **Lack of built-in anti-analysis**

Result:  
Tokens can be **stolen, replayed, or brute-forced offline**, leading to costly breaches in finance, healthcare, and government applications.

---

## 💡 Solution
SyckSec creates **multi-layer encrypted, context-bound tokens** with **dynamic obfuscation** and **visual camouflage**.

- **Unreadable**: AES-256 encryption + HMAC signature + per-layer random IVs.
- **Unpredictable**: Dynamic per-user obfuscation patterns rotate hourly.
- **Unrecognizable**: UUID-like visual formatting + checksum validation.
- **Context-Aware**: Tokens bound to device, location, and behavior.

---

## 🛡 Core Features

### Multi-Layer Adaptive Security
- 1–3 layers of AES-256 encryption
- HMAC signatures for integrity
- Constant-time signature verification

### Advanced Obfuscation Engine
- Dynamic pattern generation (hourly)
- Pattern-based noise injection
- Base64 encoding with intelligent padding

### Visual Camouflage
- UUID-like formatting
- SHA-256 checksum
- Anti-analysis formatting

### Context Awareness
- Device fingerprint binding
- Location & usage pattern checks
- Client type identification

### Enterprise Features
- Built-in rate limiting
- Batch token verification
- LRU caching for pattern recipes
- Full audit trail

---

## 🏗 Architecture Overview

**Generation**
```

Client Request
│
├─▶ Token Generator
│     ├─ Context Binding (device/location/behavior)
│     ├─ Payload Signing (HMAC)
│     ├─ Multi-Layer Encryption (AES-256)
│     └─ Visual Camouflage + Checksum
│
└─▶ Secure Delivery (cookie/header)

```

**Verification**
```

Incoming Token
│
├─▶ Pattern Detection
├─▶ De-camouflage
├─▶ Signature Verification
├─▶ Context Check
└─▶ Allow / Reject

````

---

## 🔐 Security Advantages

| Attack Surface      | JWT (typical)                           | SyckSec (implemented)                                          |
| ------------------- | --------------------------------------- | -------------------------------------------------------------- |
| Token tampering     | Signature only                          | Signature + deterministic obfuscation + checksum              |
| Replay              | exp/nbf only                            | Context binding (device/location/behavior)                    |
| Key rotation        | Manual kid                              | Recipe versioning + per-layer keys                            |
| Offline brute force | Base64url, 3 dots → easy to spot        | UUID-like camouflage + decoys                                  |
| Stolen token        | Valid until expiry                      | Self-healing refresh + context check                          |
| Mass issuance abuse | N/A                                     | Built-in rate limiting + audit logs                           |
| Side-channel        | Timing attacks possible                 | Timing variance + constant-time ops                           |

---

## 🆓 Open Source vs 💼 SaaS

| Feature                         | Open Source | SaaS / Enterprise |
| -------------------------------- | ----------- | ----------------- |
| AES Encryption (1–2 layers)     | ✅          | ✅                |
| AES Encryption (3 layers)       | ❌          | ✅                |
| HMAC Signature                  | ✅          | ✅                |
| Dynamic Patterns                | ✅          | ✅                |
| Device Fingerprint Binding      | ❌          | ✅                |
| GeoIP & Behavioral Analytics    | ❌          | ✅                |
| Built-in Rate Limiting          | ❌          | ✅                |
| Dashboard & Forensics Export    | ❌          | ✅                |
| SLA & Enterprise Support        | ❌          | ✅                |

---

## ⚙ Installation

```bash
# Python SDK
pip install sycksec
````

---

## 🚀 Quick Start

```python
from sycksec import SyckSec
import os

# Set secret (in production, use env vars)
os.environ['SYCKSEC_SECRET'] = 'your-secure-secret-32-chars-long!'

# Initialize client
sycksec = SyckSec()

# Custom recipe
custom_recipe = {
    "version": "custom_secure_v1",
    "pattern": [10, "core", 15, "core", 8],
    "charset": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+",
    "randomize_noise": False,
    "noise_variance": 0
}

# Device info (optional)
device_info = {
    "fingerprint": "web_browser_123",
    "location": "US",
    "pattern": "standard",
    "client_type": "web"
}

# Generate token
token = sycksec.generate(
    user_id="test_user_123",
    ttl=3600,  # 1 hour
    device_info=device_info,
    custom_recipe=custom_recipe
)

print("Generated Token:", token)
```

---

## ✅ Verify a Token

```python
# Verify token with custom recipe
payload = sycksec.verify(
    token=token,
    user_id="test_user_123",
    custom_recipe=custom_recipe
)

print("Verified Payload:", payload)
```

---

## ♻ Refresh Token if Needed

```python
# Simulate near-expiry in test mode
os.environ['SYCKSEC_ENV'] = 'test'  # For demo; remove in production

refreshed_token = sycksec.refresh_token_if_needed(
    token=token,
    user_id="test_user_123"
)

if refreshed_token:
    print("Refreshed Token:", refreshed_token)
else:
    print("Token still valid, no refresh needed")
```

---

## 📡 API Usage

* **`generate(user_id, context, custom_recipe)`** — Create a new token bound to the provided context.
* **`verify(token, user_id, custom_recipe)`** — Verify, decrypt, and check context validity.
* **`refresh_token_if_needed(token, user_id)`** — Refresh before expiry while keeping context.

---

## ⚠ Security Considerations

* Always transmit SyckSec tokens over HTTPS.
* Use `HttpOnly` + `Secure` cookies for web delivery.
* Enable context binding for sensitive applications.
* Rotate keys regularly in SaaS mode.
* Review audit logs for anomalies.

---

## 🤝 Contributing

We welcome contributions!
See **CONTRIBUTING.md** for details.

---

## 📜 License

* **Core SDKs** — MIT License (Open Source)
* **Enterprise SaaS** — Proprietary License

---

## 📬 Contact

**Website:** [https://sycksec.com](https://sycksec.com)
**Email:** [contact@sycksec.com](mailto:contact@sycksec.com)

