Atom

Authentication

Token types, credential management, and how authentication works in Atom.

Atom supports JWTs, API keys, and mTLS certificates.

JWTs and API keys are passed as Bearer tokens in the Authorization header:

Authorization: Bearer <token>

| Token type | Format | Use case |
|------------|--------|----------|
| JWT | eyJ... | Short-lived (default 1h), returned by /auth/login |
| API key | atom_... | Long-lived, created per entity, optional expiry |

Certificates are used during mTLS. Runtime services resolve certificate identity through Atom gRPC.

Public endpoints

The following endpoints do not require authentication:

GET  /health
GET  /auth/public-config
POST /auth/login
POST /auth/signup   # only when ATOM_SELF_REGISTRATION_ENABLED=true
GET  /auth/email/verify
POST /auth/email/resend
GET  /auth/oauth/:provider/start
GET  /auth/oauth/:provider/callback
POST /auth/oauth/exchange
GET  /.well-known/jwks.json
GET  /certs/ca-chain
GET  /certs/crl
POST /certs/ocsp

All other endpoints require a valid Bearer token. Public signup creates a global human entity with tenant_id = NULL; tenants are assigned later through admin, invitation, or membership workflows. Signup does not create tenants or grant platform privileges.
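The rule above, written as an allowlist gate in Python. This is an added example, not Atom's own code: it matches method and full path exactly, so `POST /health` or `/health/` stays protected, and it sorts Bearer values by the formats in the token table. The function names are hypothetical, and the request path is assumed to arrive without its query string.

```python
import re

# Public (method, path) pairs copied from the list above; ":provider" is a path parameter.
PUBLIC_ROUTES = [
    ("GET", "/health"),
    ("GET", "/auth/public-config"),
    ("POST", "/auth/login"),
    ("GET", "/auth/email/verify"),
    ("POST", "/auth/email/resend"),
    ("GET", "/auth/oauth/:provider/start"),
    ("GET", "/auth/oauth/:provider/callback"),
    ("POST", "/auth/oauth/exchange"),
    ("GET", "/.well-known/jwks.json"),
    ("GET", "/certs/ca-chain"),
    ("GET", "/certs/crl"),
    ("POST", "/certs/ocsp"),
]
SIGNUP = ("POST", "/auth/signup")  # public only when ATOM_SELF_REGISTRATION_ENABLED=true


def _compile(template):
    # A ":name" segment matches exactly one non-empty segment; everything else is literal.
    parts = [r"[^/]+" if p.startswith(":") else re.escape(p) for p in template.split("/")]
    return re.compile("/".join(parts))


def is_public(method, path, self_registration=False):
    """True only for an exact method + full-path match against the allowlist."""
    routes = PUBLIC_ROUTES + ([SIGNUP] if self_registration else [])
    return any(m == method.upper() and _compile(t).fullmatch(path) for m, t in routes)


def token_kind(authorization):
    """Routing hint only (no signature or key check): 'jwt', 'api_key' or None."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    if token.startswith("atom_"):
        return "api_key"
    if token.startswith("eyJ") and token.count(".") == 2:  # compact JWT: three parts
        return "jwt"
    return None


def needs_token(method, path, authorization=None, self_registration=False):
    """Return 'public', 'authenticate' (hand the token to a verifier) or 'reject'."""
    if is_public(method, path, self_registration):
        return "public"
    return "authenticate" if token_kind(authorization) else "reject"
```

A result of `authenticate` means only that a well-formed Bearer value is present; the JWT signature and expiry or the API key lookup still have to be checked before the request is served.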
