What is Single Packet Authorization (SPA)?
Single Packet Authorization (SPA) is a security mechanism where a client sends a single cryptographically signed packet to prove its identity before any network services become visible. The packet contains the user's identity credentials, a timestamp, and a cryptographic nonce — all signed with the user's private key.

SPA evolved from port knocking, an earlier technique where clients sent packets to a sequence of closed ports to trigger access. Unlike port knocking, SPA uses cryptographic proof rather than shared sequences, making it resistant to replay attacks, man-in-the-middle attacks, and brute force.

The key security property of SPA is that the receiving server remains completely silent until it receives a valid SPA packet. Invalid packets receive no response — no error message, no RST packet, no ICMP unreachable. The server is indistinguishable from a non-existent host. This eliminates the reconnaissance phase that precedes virtually all network attacks.

SPA is a core component of the OpenNHP protocol and the Cloud Security Alliance's Network Hiding Protocol specification.
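
The server-side checks described above, as an added example that is not code from OpenNHP or LayerV: the receiver verifies the signature, the timestamp window and the nonce, and gives the caller nothing to send back on any failure. The wire layout, the names Verifier, BuildSPA and demoSetup, the identity "alice" and the choice of Ed25519 as the signature scheme are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed layout (assumed, not OpenNHP's): time(8) | nonce(16) | identity | Ed25519 sig(64).
const hdrLen, sigLen = 8 + 16, ed25519.SignatureSize
type Verifier struct {
	Keys   map[string]ed25519.PublicKey // identity -> enrolled public key
	Window time.Duration                // accepted clock skew
	seen   map[string]bool              // accepted nonces (expire after Window in real use)
}

// BuildSPA is the client side: it signs timestamp, nonce and identity together.
func BuildSPA(priv ed25519.PrivateKey, id string, nonce [16]byte, now time.Time) []byte {
	msg := binary.BigEndian.AppendUint64(nil, uint64(now.Unix()))
	msg = append(append(msg, nonce[:]...), id...)
	return append(msg, ed25519.Sign(priv, msg)...)
}

// Accept returns ("", false) on every failure so the caller drops the packet and sends no reply.
func (v *Verifier) Accept(pkt []byte, now time.Time) (string, bool) {
	if len(pkt) <= hdrLen+sigLen {
		return "", false
	}
	msg, sig := pkt[:len(pkt)-sigLen], pkt[len(pkt)-sigLen:]
	id, nonce := string(msg[hdrLen:]), string(msg[8:hdrLen])
	age := now.Sub(time.Unix(int64(binary.BigEndian.Uint64(msg)), 0))
	if pub, ok := v.Keys[id]; !ok || !ed25519.Verify(pub, msg, sig) || age.Abs() > v.Window || v.seen[nonce] {
		return "", false // unknown identity, bad signature, stale timestamp, or replayed nonce
	}
	v.seen[nonce] = true
	return id, true
}

// demoSetup enrols the constructed identity "alice" with a key from an all-zero demo seed.
func demoSetup() (*Verifier, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	keys := map[string]ed25519.PublicKey{"alice": priv.Public().(ed25519.PublicKey)}
	return &Verifier{Keys: keys, Window: 30 * time.Second, seen: map[string]bool{}}, priv
}

func main() {
	v, priv := demoSetup()
	fmt.Println(v.Accept(BuildSPA(priv, "alice", [16]byte{1}, time.Now()), time.Now()))
}
```
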
How LayerV Implements This
LayerV uses SPA as the first step in its 5-step authentication flow (Knock, Verify, Grant, Connect, Audit). When a user initiates access through a QURL, the LayerV agent sends an encrypted SPA packet to the LayerV Controller. The Controller validates the cryptographic proof, verifies the user's identity against your identity provider (Okta), and only then opens a temporary, session-specific tunnel to the protected resource. The SPA mechanism ensures that your infrastructure remains completely invisible to anyone who doesn't possess a valid QURL.