Introduction to Belay

The Belay project takes a new approach to cloud authorization with the BCAP protocol. We are developing new ways for users to authenticate to sites and for developers to create more secure web sites, and exploring its use across the cloud. Here is what we're working on:
Application Development Security Technology

User Authorization
With Belay, web sites can forego traditional account names and passwords, while giving users highly secure credentials. Such sites have extreme flexibility in how they build their end-user relationships over time.

No Cookies
Belay applications can completely eliminate the use of cookies, which improves front-end security.

Belay was founded on a simple idea: Rather than give out powerful cookies, URLs and functions, make it easy to give out URLs and functions tightly scoped for a particular use.

Cross-App Authorization
Users can authorize one web application to access some aspect of another web site. The experience is cleaner than existing authentication systems, and easier to code.

Back End
By using a BCAP server, web application scripts only authorize AJAX calls that are expected. Random probes are rejected. Further, it is easy to tie authorized calls to particular database objects, reducing the chances of exploit.
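
A minimal sketch of the idea behind the back end described above, added here as an illustration and not Belay's or the BCAP project's own code: the server mints an unguessable URL bound to one handler and one database object, and rejects any URL it did not grant. The `CapServer` class, the handler names, the sample data and the `blog.example` URLs are all hypothetical.

```python
import secrets

class CapServer:
    """Toy table of granted URLs; each maps to one handler bound to one object."""
    def __init__(self, base_url):
        self.prefix = base_url.rstrip("/") + "/cap/"
        self._caps = {}  # token -> (handler, object key)

    def grant(self, handler, obj_key):
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable
        self._caps[token] = (handler, obj_key)
        return self.prefix + token

    def revoke(self, url):
        self._caps.pop(url[len(self.prefix):], None)

    def invoke(self, url, body=None):
        # Only URLs this server granted resolve; anything else is a probe.
        token = url[len(self.prefix):] if url.startswith(self.prefix) else None
        entry = self._caps.get(token)
        if entry is None:
            return 404, None
        handler, obj_key = entry
        return 200, handler(obj_key, body)  # caller never supplies the object id

# Constructed sample data standing in for the application's database.
POSTS = {"post-1": {"title": "Hello", "comments": []},
         "post-2": {"title": "Private draft", "comments": []}}

def read_post(post_id, _body):
    return POSTS[post_id]["title"]

def add_comment(post_id, body):
    POSTS[post_id]["comments"].append(body)
    return len(POSTS[post_id]["comments"])

def demo():
    server = CapServer("https://blog.example")
    read_url = server.grant(read_post, "post-1")
    comment_url = server.grant(add_comment, "post-1")
    results = {
        "read": server.invoke(read_url),
        "comment": server.invoke(comment_url, "nice"),
        "probe": server.invoke("https://blog.example/cap/guess"),
        "by_id": server.invoke("https://blog.example/posts/post-2"),
    }
    server.revoke(comment_url)  # the grant can be withdrawn without touching others
    results["revoked"] = server.invoke(comment_url, "again")
    return results
```

Because the object key is fixed at grant time, a holder of the `post-1` comment URL has no parameter to tamper with in order to reach `post-2`.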

The BCAP protocol and abstract API, which enable Belay, work across all common web languages and systems. The protocol is simple and can be implemented to meet different production situations.

Belay is being developed in the open, and open-source.
The project's public mailing list is
The project's public code repo is

Came here via Dart? We've got a welcome for you!


Belay's implementation currently (Jan. 2012) supports all the features discussed above. The parts that are currently written and running include:
  • Implementation of the BCAP protocol in JavaScript (in browser), Python (AppEngine), and Java (AppEngine)
  • Works in current versions of Chrome & FF. Targeting Safari and IE 8 & 9 soon.
  • Ability to grant and manage BCAP URLs both client side and server side
  • User authorization management, with a station (storage for user's credentials) based on cloud storage (via AppEngine), with support for authentication via IDPs and e-mail.
  • Cross-application authorization supporting drag-n-drop interaction
  • Sample applications including blogging, 3rd-party blog posting, and messaging
  • Completely cookie-less
  • Secure against XSRF

Recent Announcements

  • Service Notice We've been running the current stable code base of Belay on public servers for almost a year. That phase of the project has come to the end of its ...
    Posted Sep 4, 2012, 2:27 PM by
  • Belay Demo at IEEE Symposium on Security and Privacy Joe and I are giving a short Belay demo at the 2012 IEEE Symposium on Security and Privacy in the afternoon each day (May 21st - 23rd). The PDF of the ...
    Posted Jun 7, 2012, 12:11 PM by
  • Demo Video Joe and I made a short (5 min.) demo video showing some of the things we've built with the Belay system:
    Posted Mar 30, 2012, 4:50 PM by