# Message Replay and Idempotency Keys

One-sentence definition: Prevent repeated processing by binding unique keys to each operation and enforcing time windows.

## Key Facts

- Clients send a unique key per operation; servers store the key and dedupe on it.
- Combine with timestamps and HMAC signatures; reject stale or duplicate requests.
- Persist outcomes so a retried request returns the same result as the original.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Distinguish replay prevention from authentication.

**Mnemonic:** “**Same request, same result**.”

## Mini Scenario

Q: A payment is retried after a network blip. What ensures only 1 charge?

A: Idempotency keys with stored outcomes.

## Revision Checklist

- Two key components.
- Server behavior.
- Time window purpose.

## Related

[[Event-Driven Architecture Security (Idempotency and Ordering)]] · [[Webhook Security and Request Signing]] · [[Rate Limiting and Anti-Automation (Bots)]] · [[API Security Fundamentals (REST GraphQL gRPC)]] · [[Domain 8 - Index]]