Here's a class of bug that's quiet, easy to introduce, and disproportionately expensive when it happens:

A signed agent message gets accepted twice.

Sounds harmless. The signature was valid. The agent really did send it. So what's the problem?

Now imagine the message was "ship the order." Or "send the payout." Or "delete the customer record." Or "publish the post to social." A message accepted twice is an action taken twice. And in a world where agents take action, taking it twice is a bug with the unique distinction of being technically valid and operationally catastrophic at the same time.

This class of bug shows up in three forms:

  1. Race conditions in dedupe logic. "Have we seen this before? Mark it as seen" is more than one step. Between the steps is a window where another copy of the same message can pass the check. The more traffic you carry, the more often the window opens.
  1. Replicated workers without shared state. Two instances of your service each receive the same message and each independently decide to process it. Neither knows the other is working on the same input.
  1. Replay attacks. An attacker captures a legitimate signed message and pipes it through later. The signature still validates. Signature verification alone is not enough.

Each of these is solvable. None is solved by default. The failure mode is the same in all three: an action taken when it shouldn't have been.

Why agents make this worse

Volume — an agent can fire thousands of operations per minute, exercising even tiny race windows constantly. Distribution — agentic platforms run multiple replicas, and each replica is its own potential race. Adversaries — once agents are valuable enough to attack, replay stops being theoretical; the attacker doesn't need to break your signing keys, they just need one valid message and a way to send it twice.

Three forces pushing in the same direction. None of them gets less intense over time.

What we built

Helix's replay protection is intentionally boring — which is the highest praise a security primitive can earn.

The promise is narrow and real: a signed message that's already been handled can't be replayed against your agent. Every message rides a time-boxed, signed envelope — capture a legitimate one, try to replay it an hour later, and it's already expired; a duplicate that arrives inside the window is recognized and rejected on the protected path. Replay defense does its job before your agent code ever runs.

The builder's experience: replay defense is handled for you on that path — no signed-envelope bookkeeping to hand-roll, no replay window to track. Because delivery itself is at-least-once, idempotent handling is still the right habit; the platform just makes sure a captured, replayed message isn't what breaks you.

What it means for builders

Most teams building agentic systems aren't thinking about replay yet. They're thinking about capabilities, prompts, tools — the visible part of the stack.

Then they ship something that takes a real action. A small percentage of users start reporting that an action happened twice. The team finds the race in their dedupe check. By the time the fix ships, support has already absorbed the complaints, and finance has questions.

The teams that get this right early don't have those incidents. The platform handles it. Their builders ship agent logic.

What to look for in your stack today

Two questions for your team:

  1. What happens if the same signed message arrives twice within 100 milliseconds, across two different replicas? If the answer is "we'd process it twice," there's a hole.
  2. What happens if an attacker captures a legitimate signed message and replays it an hour later? If the answer is "we'd process it again," there's another hole.

The right answers are: rejected, and rejected. Reliably. By the platform, not by the agent.

Ask the same questions of Helix

Both scenarios above are exactly what the signed-envelope path is built to shut down. See how the agent surface handles identity, signing, and replay at helix.tools/#agents.