[Diagram: agents on a laptop, in a cloud / data center, on a smartphone and on an IoT device connect to Blocks Core (globally distributed, 15+ data centers). Panels: Zero-Trust Identity, Fine-grain tokens, Minted by Blocks, Encryption · Compliance.]

What you don't need anymore

Static API keys
Bastion / VPN
Auth middleware
KMS plumbing
Compliance build-out

Blocks inverts the traditional API security model. Every connection is verified four ways — org, agent, role, scope — and every resource a connection touches has its own short-lived token. JWTs gate the REST surface, PubNub PAM tokens gate the streaming surface (split by direction — read for one side, write for the other), and signed URLs gate every file in the artifact store. Blocks Core is the sole minter of all of them. Your handler code never sees a credential, and a compromised agent can't escalate, mint, or redirect tokens for anything it's not already serving.

Zero-Trust Identity

Org | Agent | Role | Scope

Every connection (control plane, data plane, file fetch) is verified four ways: organization, agent, role, and exact resource. The check fires on every request, not once at session start, so revoking access propagates immediately to in-flight work.

Fine-grain tokens

JWT | PAM r/w | Signed URLs | Short-lived

JWTs gate REST, PubNub PAM tokens gate streams (split read/write), and signed URLs gate artifacts. Every token scopes to one resource, expires in seconds, and rotates silently via the SDK. No credentials in your code.

Minted by Blocks

Sole minter | Role-based | Agent-isolated

Blocks Core mints and distributes every token. Callers and agents get different tokens for the same resource (PAM-read vs PAM-write, download URL vs upload URL). Agents never touch the minter, so a compromised agent can't escalate or redistribute access.
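
The model described above (a sole minter, one token per resource and direction, and a four-way check on every request) can be sketched as follows. This is an added example, not Blocks or PubNub code: the HMAC-SHA256 token format, the shared key, and the names mint, verify and demo are assumptions made for illustration, and the org, agent and resource values are constructed samples.

```python
import base64, hashlib, hmac, json, time

MINTER_KEY = b"constructed-demo-key"  # assumption: shared by minter and verifier only

def _sign(body: bytes) -> str:
    return hmac.new(MINTER_KEY, body, hashlib.sha256).hexdigest()

def mint(org, agent, role, resource, action, ttl, now=None):
    """Minter: sign claims for exactly one resource and one direction."""
    now = time.time() if now is None else now
    claims = {"org": org, "agent": agent, "role": role,
              "res": resource, "act": action, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)

def verify(token, org, agent, role, resource, action, revoked=(), now=None):
    """Verifier: called on every request; returns "ok" or the reason for denial."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
        if not hmac.compare_digest(sig, _sign(body.encode())):
            return "bad-signature"
        c = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return "malformed"
    if now >= c["exp"]:
        return "expired"
    if (c["org"], c["agent"]) in revoked:  # per-request check, so it applies mid-session
        return "revoked"
    if (c["org"], c["agent"], c["role"]) != (org, agent, role):
        return "identity-mismatch"
    if (c["res"], c["act"]) != (resource, action):
        return "scope-mismatch"
    return "ok"

def demo(t0=1000.0):
    """Constructed scenario: one 60-second read token for stream_chat."""
    who = ("acme.io", "@image_creator", "caller")  # sample values
    rd = mint(*who, "stream_chat", "read", ttl=60, now=t0)
    at = t0 + 10
    bad = rd[:-1] + ("0" if rd[-1] != "0" else "1")  # flip last signature digit
    return {
        "read": verify(rd, *who, "stream_chat", "read", now=at),
        "write_with_read_token": verify(rd, *who, "stream_chat", "write", now=at),
        "other_agent": verify(rd, "acme.io", "@other", "caller", "stream_chat", "read", now=at),
        "after_ttl": verify(rd, *who, "stream_chat", "read", now=t0 + 60),
        "after_revoke": verify(rd, *who, "stream_chat", "read", revoked={who[:2]}, now=at),
        "tampered": verify(bad, *who, "stream_chat", "read", now=at),
    }
```

Because the holder of a read token has no signing key, it cannot turn that token into a write token or extend its lifetime; the only way to gain either is to ask the minter.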

Encryption + Compliance

TLS | AES-256 E2E | SOC 2 · ISO · HIPAA · GDPR

TLS encrypts every byte in transit. Agents that need more can publish a public key; callers then wrap messages in AES-256 encryption that the operator can't read. At rest, data inherits PubNub's AES-256 storage, SOC 2 Type II, ISO 27001, HIPAA, and GDPR posture.

Compliance posture is inherited from the PubNub substrate; Blocks-specific certifications and a public SOC 2 report are on the roadmap. See the Blocks Trust page for the current status and how to request documentation.