Hawk authentication is designed to work without transport security. When TLS is in use, replay protection matters much less, but it is still interesting to see how Hawk handles replays.
Like Hawk, HTTP Digest authentication is designed to work without TLS. Digest defends against replays with a server-generated nonce and a client-maintained nonce count (nc) that must increase with every request made under the same nonce. How the server generates the nonce is left to the implementation. One approach is to store each issued nonce together with the time it was issued; on each request the server looks the received nonce up in that store to confirm it is one the server actually generated, and compares the stored timestamp against the current time to decide whether the nonce is still fresh. If the nonce is stale, the server generates a new one and sends it back in a 401 challenge, marked stale=true so the client knows its credentials were accepted and only the nonce needs replacing.
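The server-side mechanism described above, as an added example (not code from the original post, from Hawk, or from any particular Digest implementation): a nonce store that remembers the issue time and the last nonce count seen for each nonce, a 401 challenge builder that sets stale=true when the nonce has expired, and a verifier that computes the RFC 2617 qop=auth response value and runs the freshness and replay checks. The realm, the user table, the five-minute lifetime and the fake clock are assumptions for the illustration.

```python
"""Server side of HTTP Digest replay protection: stored nonces with
timestamps and a per-nonce counter (nc), plus response verification.
Illustrative example only; not taken from Hawk or any real server."""
import hashlib
import hmac
import os
import time

REALM = "example"          # assumed realm
USERS = {"alice": "s3cret"}  # assumed credential table (a real server would store HA1)


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class NonceStore:
    """Server-generated nonces, remembered with issue time and last nc."""

    def __init__(self, lifetime=300, clock=time.time):
        self.lifetime = lifetime  # seconds a nonce stays fresh (assumed)
        self.clock = clock
        self._nonces = {}  # nonce -> [issued_at, last_nc]

    def issue(self) -> str:
        nonce = os.urandom(16).hex()  # unpredictable, so it cannot be guessed
        self._nonces[nonce] = [self.clock(), 0]
        return nonce

    def check(self, nonce: str, nc: str) -> str:
        """Return 'ok', 'stale', 'replay' or 'unknown' for a nonce/nc pair."""
        entry = self._nonces.get(nonce)
        if entry is None:
            return "unknown"  # not a nonce this server issued
        if self.clock() - entry[0] > self.lifetime:
            del self._nonces[nonce]
            return "stale"
        try:
            count = int(nc, 16)  # nc is 8 hex digits on the wire
        except ValueError:
            return "unknown"
        if count <= entry[1]:
            return "replay"  # counter did not advance: same request seen before
        entry[1] = count
        return "ok"


def challenge(store: NonceStore, stale: bool = False) -> str:
    """WWW-Authenticate header for a 401; stale=true tells the client its
    credentials were fine and only the nonce needs replacing."""
    hdr = f'Digest realm="{REALM}", qop="auth", algorithm=MD5, nonce="{store.issue()}"'
    return hdr + (", stale=true" if stale else "")


def digest_response(username, password, method, uri, nonce, nc, cnonce, realm=REALM):
    """RFC 2617/7616 response value for qop=auth (what the client sends)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify(store: NonceStore, method: str, uri: str, params: dict):
    """Return (status, WWW-Authenticate header or None)."""
    password = USERS.get(params.get("username"))
    if password is None:
        return 401, challenge(store)
    expected = digest_response(params["username"], password, method, uri,
                               params["nonce"], params["nc"], params["cnonce"])
    # Check the response before touching the counter, so unauthenticated
    # requests cannot burn nc values or probe which nonces are live.
    if not hmac.compare_digest(expected, params["response"]):
        return 401, challenge(store)
    state = store.check(params["nonce"], params["nc"])
    if state == "stale":
        return 401, challenge(store, stale=True)
    if state != "ok":
        return 401, challenge(store)  # replay or unknown nonce
    return 200, None


class FakeClock:
    """Controllable clock so the scenario can age the nonce deterministically."""
    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


def run_scenario():
    """Constructed exchange: fresh request, exact replay, next request,
    then the same nonce after it has expired. Returns the statuses seen."""
    clock = FakeClock()
    store = NonceStore(lifetime=300, clock=clock)
    nonce = challenge(store).split('nonce="')[1].split('"')[0]

    def request(nc):
        cnonce = "0a4f113b"
        resp = digest_response("alice", "s3cret", "GET", "/dir/index.html", nonce, nc, cnonce)
        params = {"username": "alice", "nonce": nonce, "nc": nc,
                  "cnonce": cnonce, "response": resp}
        return verify(store, "GET", "/dir/index.html", params)

    results = [request("00000001")[0],  # first use: 200
               request("00000001")[0],  # identical replay: 401
               request("00000002")[0]]  # counter advanced: 200
    clock.t += 301                      # age the nonce past its lifetime
    status, hdr = request("00000003")
    results += [status, "stale=true" in hdr]  # 401 with stale=true
    return results


if __name__ == "__main__":
    print(run_scenario())
```

A stateless alternative that RFC 2617 also suggests is to make the nonce self-validating, for example a timestamp plus an HMAC over it under a server key, so freshness can be checked without a lookup; the nonce count then still needs some per-nonce state if replays within the lifetime are to be caught. Note that the order in `verify` matters: the response is checked before the store is updated, so a request with a bad response never advances the counter.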