Authentication
Token types, credential management, and how authentication works in Atom.
Atom supports JWTs, API keys, scoped access tokens, and mTLS certificates.
JWTs, API keys, and scoped access tokens are passed as Bearer tokens in the Authorization header:
| Token type | Format | Use case |
|---|---|---|
| JWT | eyJ... | Short-lived (default 1h), returned by /auth/login |
| API key | atom_... | Long-lived, provisioned for an entity, optional expiry |
| Scoped access token | atom_... | Self-service CLI/API token capped by a permission ceiling |
Certificates are used during mTLS. Runtime services resolve certificate identity through Atom gRPC.
Public endpoints
The following endpoints do not require authentication:
All other endpoints require a valid Bearer token. Public signup creates a global human entity with tenant_id = NULL; tenants are assigned later through admin, invitation, or membership workflows. Signup does not create tenants or grant platform privileges.
Sections
Credentials
Password, API key, scoped access-token, and certificate credential management.
Certificates
mTLS certificate issuance, CA files, CRL, OCSP, and runtime lookup.
JWT Tokens
Token claims, session binding, and verification.
JWKS & Key Rotation
ES256 signing keys, JWKS endpoint, and zero-downtime rotation.