Version: MVP

Channel identity pairing

2 min read · Reference · Updated 2026-05-19

What you'll find here

The contract that records the relationship between an external channel account and a Craik subject — unpaired, paired, revoked states and the authority each carries.

Pairing maps identity. It does not grant access.

A messaging adapter can normalize inbound events, but an external sender cannot authorize privileged ingress until a pairing record explicitly links that sender to a Craik subject, policy envelope, and audit trail.

States

| State | Authority | Required fields |
| --- | --- | --- |
| Unpaired | observation only | Channel kind · external account id · expiry timestamp · optional service name · optional display name · optional metadata. Must not carry subject, policy envelope, pairing audit, or revocation fields. Does not allow privileged ingress. |
| Paired | conditional | Craik subject · policy envelope id · pairing timestamp · actor that approved · expiry timestamp · at least one audit id. Authorizes privileged ingress only through the linked policy envelope and only before expiry when later allowlist and capability checks pass. |
| Revoked | never | Preserves the original subject and pairing audit fields, then adds revocation timestamp · actor that revoked · reason · revocation audit id. Never allows privileged ingress. |

Authority limits

Identity maps a sender; it doesn't grant access.

Gateway policy, channel allowlists, capability grants, redaction, and receipts still decide what can happen after an inbound event is normalized. Helper-created pairing records default to a 24-hour expiry; expired pairings cannot authorize privileged ingress.
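
The state table and authority limits above, written as a record validator plus the pairing-level precondition for privileged ingress. This is an added example, not Craik's own code: the key names, the `state` field and the sample values are assumptions, since the page lists the fields but not how they are spelled.

```python
from datetime import datetime, timedelta, timezone

# Key names are hypothetical: the page lists the fields, not how they are spelled.
SENDER = {"channel_kind", "external_account_id"}
PAIRING = {"subject", "policy_envelope_id", "paired_at", "approved_by", "audit_ids"}
REVOCATION = {"revoked_at", "revoked_by", "revocation_reason", "revocation_audit_id"}
RULES = {  # state -> (required fields, forbidden fields)
    "unpaired": (SENDER | {"expires_at"}, PAIRING | REVOCATION),
    "paired": (PAIRING | {"expires_at"}, set()),
    # Assumption: "pairing audit fields" is read here as the pairing audit ids.
    "revoked": ({"subject", "audit_ids"} | REVOCATION, set()),
}
DEFAULT_TTL = timedelta(hours=24)  # helper default expiry stated on the page


def violations(record: dict) -> list[str]:
    """Return the contract violations for one pairing record (empty = valid)."""
    state = record.get("state")
    if state not in RULES:
        return [f"unknown state {state!r}"]
    required, forbidden = RULES[state]
    # None, "" and [] count as absent, so an empty audit_ids list is "missing".
    present = {k for k, v in record.items() if v not in (None, "", [])}
    return ([f"missing {f}" for f in sorted(required - present)]
            + [f"{state} record must not carry {f}" for f in sorted(forbidden & present)])


def pairing_permits_ingress(record: dict, now: datetime) -> bool:
    """Pairing-level precondition only. True means later allowlist and
    capability checks may run; it is never a grant by itself."""
    return (record.get("state") == "paired"
            and not violations(record)
            and now < record["expires_at"])


def sample_paired(now: datetime) -> dict:
    """Constructed sample record; every value is made up for illustration."""
    return {
        "state": "paired", "channel_kind": "chat", "external_account_id": "ext-123",
        "subject": "subject-1", "policy_envelope_id": "env-1", "paired_at": now,
        "approved_by": "operator-1", "audit_ids": ["audit-1"],
        "expires_at": now + DEFAULT_TTL,
    }
```

A record that fails validation is treated the same as an unpaired sender, so a malformed or partially written pairing fails closed.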
