| ALPN | Application-Layer Protocol Negotiation — identifies which protocol a QUIC connection uses (cdn/probe/v1, cdn/client/v1, cdn/watchtower/v1, cdn/dht/v1, cdn/keys/v1). |
| App server | External, content-provider-operated component that distributes epoch-wrapped blob keys to authenticated clients. Not a CDN protocol participant. See Encryption. |
| BLAKE3 | The content-addressing hash. Every blob is identified by its BLAKE3 hash; clients verify received bytes against the known hash. |
| Blob | A content-addressed byte sequence identified by its BLAKE3 hash. |
| Channel (payment) | On-chain escrow between client and node that backs off-chain vouchers. Opens with a USDC deposit; settles with the latest voucher. |
| Chunk | The BLAKE3 hash tree leaf size (1024 bytes). iroh-blobs uses this for verified streaming. On-chain Merkle proofs for slash evidence reference this leaf size. |
| Client | A lightweight QUIC endpoint that streams content and pays per MB. No stake, no gossip publish. |
| DHT | cdn/dht/v1 — Kademlia-subset content discovery protocol. Nodes self-publish (hash → NodeId) records when caching a blob. |
| Epoch key | A short-lived symmetric key rotated every 5 minutes by the app server. Used to wrap K_blob for a single client session. |
| Gossip | iroh-gossip epidemic broadcast over topic channels — cdn/global/v1, cdn/region/{cc}/v1, cdn/reputation/v1. |
| Hash sequence | An ordered collection of blob hashes (iroh’s equivalent of a directory/manifest). |
| K_blob | Per-blob symmetric encryption key (XChaCha20-Poly1305) held by the app server. |
| Node | A staked QUIC endpoint that caches and delivers blobs. Some are origin-backed; others are pure caches. |
| NodeId | An ed25519 public key used as a node’s network identity. Bound on-chain to an Ethereum address at registration. |
| Origin-backed node | A node configured with an S3-compatible store, NFS mount, or local disk — the canonical source for specific blobs. Never experiences a true cache miss. |
| Origin backend | The opaque storage behind an origin-backed node (S3, R2, B2, MinIO, NFS, local disk). Never exposed to the network. |
| Peer mesh | The flat set of all staked nodes. Discovery via gossip; content location via DHT. |
| Probe | cdn/probe/v1 — parallel latency + availability check that runs before any delivery commitment. |
| Redirect | A StreamResponse field pointing to another NodeId (never an origin URL) when a node chooses not to pull-through. |
| Selection score | rate_per_mb × rtt_ms × (1 / max(reputation, 0.1)²) — lower is better. How clients and nodes rank candidates. |
| Slash signature (slash_sig) | EIP-712 secp256k1 signature on protocol messages enabling ecrecover-based on-chain evidence. Distinct from the ed25519 wire signature. |
| SlashJudge | On-chain contract that adjudicates all four slashable offenses (corrupted delivery, phantom announcement, rate manipulation, blacklist violation). |
| Stake | TOKEN locked in StakingRegistry by a node. A minimum stake is enforced; the stake is returned on deregistration after an unbonding period. |
| Staking registry | StakingRegistry — the on-chain contract that holds stakes, maps NodeIds to Ethereum addresses, and is the sole authority for mesh membership. |
| TOKEN | The deCDN governance and staking token. Not used for payments. Fixed 1B supply at genesis; 20% of protocol fees go to buy-back and burn. |
| Voucher | A signed off-chain payment message: {channelId, amount, nonce, token, signature}. The primary payment instrument. |
| Watchtower | Non-custodial observer that submits disputeChannel on behalf of a node during the dispute window. |
| WatchtowerEscrow | Production on-chain contract that manages prepaid watchtower fees and enforces heartbeat-based liveness accountability. |