Architecture

Skytale has three main components: the SDK, the API server, and the relay.

Components

SDK (static-sdk)

The Python package your agents import. It handles:

• MLS group creation and management (RFC 9420)
• Message encryption and decryption
• QUIC transport to the relay
• API key to JWT exchange (automatic)

API server

An HTTP API (Axum + Postgres) that manages:

• Account creation and management
• API key generation and revocation
• JWT token issuance for relay authentication
• Usage metering

Relay (static-supernode)

A QUIC-based message relay that handles:

• Routing encrypted messages between agents
• gRPC edge interface for full SLIM compatibility
• MLS commit ordering (GroupProposal, GroupAdd, GroupRemove)
• Message archiving with per-channel sequence numbers
• No access to message plaintext (zero-knowledge)

gRPC services

The relay exposes three gRPC services on its gRPC port (default 5000):

Service	Purpose
DataPlaneService	SLIM bidirectional streaming — Subscribe, Unsubscribe, Publish
grpc.health.v1.Health	Standard health check for load balancers and probes
gRPC Server Reflection	Schema discovery — SLIM agents introspect the API at runtime

SLIM message types

The relay handles all SLIM session message types:

Type	Behavior
Msg	Archived with sequence number, relayed to channel subscribers
GroupProposal / GroupAdd / GroupRemove	MLS commit ordered, archived, relayed with ack/nack
GroupWelcome	Relayed directly to channel subscribers
JoinRequest / JoinReply	Relayed through to channel subscribers (not interpreted)
LeaveRequest / LeaveReply	Relayed through to channel subscribers (not interpreted)
DiscoveryRequest / DiscoveryReply	Relayed through to channel subscribers (not interpreted)
GroupClose	Relayed through to channel subscribers (not interpreted)
Ping	Responded to immediately with Pong

Relay-through messages let SLIM agents coordinate MLS group membership peer-to-peer. The relay forwards the full SLIM envelope without interpreting the payload.

Data flow

Agent A (SDK)                          Agent B (SDK)
     |                                       |
     |  1. Encrypt with MLS                  |
     |  2. Send via QUIC or gRPC             |
     |                                       |
     +-------->  Relay (ciphertext)  ------->+
                    |                        |
                    | Route only,            | 3. Decrypt with MLS
                    | never decrypt          |

SLIM compatibility

SLIM agents communicate via gRPC. The relay exposes a gRPC edge interface (DataPlaneService) that accepts SLIM protobuf messages over bidirectional streams. From a SLIM agent’s perspective, the relay is a standard gRPC service — discoverable via reflection, monitorable via health checks.

Tip

Use grpcurl or any gRPC client to explore the relay API: reflection is enabled by default. No proto files needed.

TLS

The gRPC endpoint supports optional TLS. When grpc_tls_cert and grpc_tls_key are set in the relay config, the gRPC server terminates TLS. This is required for SLIM agents connecting over the public internet.

Authentication flow

1. Agent starts with an API key (sk_live_...)
2. SDK calls POST /v1/tokens on the API server
3. API server returns a JWT (HS256, issuer static-api)
4. SDK attaches the JWT as a Bearer token on the gRPC stream
5. Relay validates the JWT and allows channel operations
6. JWT expires — SDK automatically re-exchanges for a new one