Krill SDK/krill.zone.shared.security/PinDerivation/deriveBeaconToken

deriveBeaconToken

actual fun deriveBeaconToken(pin: String, nodeUuid: String, epochSeconds: Long): String(source)

Returns a rolling 8-character hex token that proves the caller knows the swarm PIN without revealing it on the wire — used in multicast beacons to filter out devices that belong to a different swarm.

Construction:

  1. nodeKey = HMAC-SHA256(nodeUuid, pin) — binds the token to a specific server's UUID so a leaked beacon can't be replayed against another server in the same LAN.

  2. window = epochSeconds / TOTP_WINDOW_SECONDS — quantises time into 30-second buckets so the token rotates and old captures expire.

  3. token = first 4 bytes of HMAC-SHA256(nodeKey, window) as hex.

expect fun deriveBeaconToken(pin: String, nodeUuid: String, epochSeconds: Long): String(source)

Returns a rolling 8-character hex token that proves the caller knows the swarm PIN without revealing it on the wire — used in multicast beacons to filter out devices that belong to a different swarm.

Construction:

  1. nodeKey = HMAC-SHA256(nodeUuid, pin) — binds the token to a specific server's UUID so a leaked beacon can't be replayed against another server in the same LAN.

  2. window = epochSeconds / TOTP_WINDOW_SECONDS — quantises time into 30-second buckets so the token rotates and old captures expire.

  3. token = first 4 bytes of HMAC-SHA256(nodeKey, window) as hex.

actual fun deriveBeaconToken(pin: String, nodeUuid: String, epochSeconds: Long): String(source)

Returns a rolling 8-character hex token that proves the caller knows the swarm PIN without revealing it on the wire — used in multicast beacons to filter out devices that belong to a different swarm.

Construction:

  1. nodeKey = HMAC-SHA256(nodeUuid, pin) — binds the token to a specific server's UUID so a leaked beacon can't be replayed against another server in the same LAN.

  2. window = epochSeconds / TOTP_WINDOW_SECONDS — quantises time into 30-second buckets so the token rotates and old captures expire.

  3. token = first 4 bytes of HMAC-SHA256(nodeKey, window) as hex.

actual fun deriveBeaconToken(pin: String, nodeUuid: String, epochSeconds: Long): String(source)

Returns a rolling 8-character hex token that proves the caller knows the swarm PIN without revealing it on the wire — used in multicast beacons to filter out devices that belong to a different swarm.

Construction:

  1. nodeKey = HMAC-SHA256(nodeUuid, pin) — binds the token to a specific server's UUID so a leaked beacon can't be replayed against another server in the same LAN.

  2. window = epochSeconds / TOTP_WINDOW_SECONDS — quantises time into 30-second buckets so the token rotates and old captures expire.

  3. token = first 4 bytes of HMAC-SHA256(nodeKey, window) as hex.

actual fun deriveBeaconToken(pin: String, nodeUuid: String, epochSeconds: Long): String(source)

Returns a rolling 8-character hex token that proves the caller knows the swarm PIN without revealing it on the wire — used in multicast beacons to filter out devices that belong to a different swarm.

Construction:

  1. nodeKey = HMAC-SHA256(nodeUuid, pin) — binds the token to a specific server's UUID so a leaked beacon can't be replayed against another server in the same LAN.

  2. window = epochSeconds / TOTP_WINDOW_SECONDS — quantises time into 30-second buckets so the token rotates and old captures expire.

  3. token = first 4 bytes of HMAC-SHA256(nodeKey, window) as hex.

Generated by Dokka
© 2026 Copyright