replay

Diagnostic `nanook::auth::replay`

Summary

replayed nonce

Help

each request must use a fresh random nonce

Details

When this fires

The verifier saw a nonce it had already accepted within the current skew window. `Verifier::check_replay` keeps recently seen nonces in an in-memory map and prunes each one once its timestamp falls out of the skew window. The most common triggers are a buggy client that reuses the same nonce and a retry layer that replays a previously sent request byte-for-byte. User-visible symptom: the second of two near-identical `nanook ctl` calls fails.

What to check

  • Confirm the client generates 32 fresh random bytes per request (the stock `Signer::sign` does this).
  • Retry/proxy layers must re-sign on retry, not replay cached headers.
  • If the agent restarted between the two requests and you still see this, look for an attacker: the in-memory ring is fresh after a restart, so the duplicate cannot be explained by the request sent before it.
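
The check described under "When this fires", as an added sketch that is not nanook's own code: `ReplayCache`, `Reject`, `retry_scenario` and the 30-second window are hypothetical names and values, and rejecting timestamps outside the skew window before the nonce lookup is an assumption.

```rust
use std::collections::HashMap;

/// Hypothetical replay cache; names and window size are assumptions, not nanook's code.
#[derive(Debug, PartialEq)]
pub enum Reject { OutsideSkew, Replay }

pub struct ReplayCache {
    skew_secs: u64,
    seen: HashMap<[u8; 32], u64>, // nonce -> request timestamp
}

impl ReplayCache {
    pub fn new(skew_secs: u64) -> Self {
        Self { skew_secs, seen: HashMap::new() }
    }

    /// Accept a (nonce, timestamp) pair at wall-clock `now`, or say why not.
    pub fn check(&mut self, nonce: [u8; 32], ts: u64, now: u64) -> Result<(), Reject> {
        // Prune entries whose timestamp has fallen out of the skew window.
        let skew = self.skew_secs;
        self.seen.retain(|_, seen_ts| now.abs_diff(*seen_ts) <= skew);
        // Assumed: stale timestamps are refused first, so a pruned nonce
        // cannot be accepted again with its old timestamp.
        if now.abs_diff(ts) > skew {
            return Err(Reject::OutsideSkew);
        }
        if self.seen.contains_key(&nonce) {
            return Err(Reject::Replay);
        }
        self.seen.insert(nonce, ts);
        Ok(())
    }
}

/// Constructed scenario: a retry layer resends the same signed request.
pub fn retry_scenario() -> Vec<Result<(), Reject>> {
    let mut cache = ReplayCache::new(30);
    let n1 = [0x11u8; 32]; // constructed sample nonces, not random
    let n2 = [0x22u8; 32];
    vec![
        cache.check(n1, 1000, 1000), // first send
        cache.check(n1, 1000, 1002), // byte-for-byte retry
        cache.check(n2, 1002, 1002), // retry re-signed with a fresh nonce
        cache.check(n1, 1000, 1040), // same request after the window
    ]
}

fn main() { println!("{:?}", retry_scenario()); }
```

The second call is the case this diagnostic reports; the third shows why a retry layer that re-signs does not trigger it.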