Authentication

Token types, credential management, and how authentication works in Atom.

Atom supports JWTs, API keys, scoped access tokens, and mTLS certificates.

JWTs, API keys, and scoped access tokens are passed as Bearer tokens in the Authorization header:

Authorization: Bearer <token>

Token type            Format     Use case
JWT                   eyJ...     Short-lived (default 1h), returned by /auth/login
API key               atom_...   Long-lived, provisioned for an entity, optional expiry
Scoped access token   atom_...   Self-service CLI/API token capped by a permission ceiling

Certificates are used during mTLS. Runtime services resolve certificate identity through Atom gRPC.

Public endpoints

The following endpoints do not require authentication:

GET  /health
GET  /auth/public-config
POST /auth/login
POST /auth/signup   # only when ATOM_SELF_REGISTRATION_ENABLED=true
GET  /auth/email/verify
POST /auth/email/resend
GET  /auth/oauth/:provider/start
GET  /auth/oauth/:provider/callback
POST /auth/oauth/exchange
GET  /.well-known/jwks.json
GET  /certs/ca-chain
GET  /certs/crl
POST /certs/ocsp

All other endpoints require a valid Bearer token. Public signup creates a global human entity with tenant_id = NULL; tenants are assigned later through admin, invitation, or membership workflows. Signup does not create tenants or grant platform privileges.
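The two rules above (the Bearer header format and the public-endpoint allowlist) are the kind of thing a request gate implements before any token is verified. The following is an added example, not Atom's own code: it matches a method and path against the public endpoints listed on this page (treating ":provider" as a single path segment and honouring the ATOM_SELF_REGISTRATION_ENABLED condition for /auth/signup), extracts the token from the Authorization header, and classifies it by the prefixes in the table. Function names (is_public, parse_bearer, gate) and the "unknown" classification are assumptions; the example only recognises a token's shape, and real signature or key-store verification would follow it.

```python
import os
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# Public endpoints as listed on the page; ":provider" is a path parameter.
# POST /auth/signup is handled separately because it is conditional.
PUBLIC_ENDPOINTS = [
    ("GET", "/health"),
    ("GET", "/auth/public-config"),
    ("POST", "/auth/login"),
    ("GET", "/auth/email/verify"),
    ("POST", "/auth/email/resend"),
    ("GET", "/auth/oauth/:provider/start"),
    ("GET", "/auth/oauth/:provider/callback"),
    ("POST", "/auth/oauth/exchange"),
    ("GET", "/.well-known/jwks.json"),
    ("GET", "/certs/ca-chain"),
    ("GET", "/certs/crl"),
    ("POST", "/certs/ocsp"),
]


def _route_pattern(route: str) -> "re.Pattern[str]":
    # A ":name" segment matches exactly one non-empty path segment; all other
    # segments are matched literally, so "/health/../admin" style paths never match.
    parts = [r"[^/]+" if seg.startswith(":") else re.escape(seg) for seg in route.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


_COMPILED_PUBLIC = [(method, _route_pattern(route)) for method, route in PUBLIC_ENDPOINTS]


def self_registration_enabled_from_env() -> bool:
    # Mirrors the page's condition: signup is public only when the flag is "true".
    return os.environ.get("ATOM_SELF_REGISTRATION_ENABLED", "").lower() == "true"


def is_public(method: str, path: str, self_registration_enabled: bool = False) -> bool:
    """True if this request may be served without a Bearer token."""
    path = path.split("?", 1)[0]  # the allowlist is about the path, not the query string
    if self_registration_enabled and method == "POST" and path == "/auth/signup":
        return True
    return any(m == method and pattern.match(path) for m, pattern in _COMPILED_PUBLIC)


class AuthError(Exception):
    """Raised when a protected request carries no usable credential."""


@dataclass(frozen=True)
class Credential:
    kind: str   # "jwt", "atom_token" (API key or scoped access token) or "unknown"
    token: str


# RFC 6750 scheme name is case-insensitive; the token itself is taken verbatim.
_BEARER_RE = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)


def parse_bearer(authorization: Optional[str]) -> Credential:
    """Extract the token from an Authorization header and classify it by shape only."""
    if not authorization or not authorization.strip():
        raise AuthError("missing Authorization header")
    match = _BEARER_RE.match(authorization.strip())
    if not match:
        raise AuthError("Authorization header is not a Bearer token")
    token = match.group(1)
    if token.startswith("eyJ") and token.count(".") == 2:
        kind = "jwt"          # base64url JOSE header plus two more segments
    elif token.startswith("atom_"):
        kind = "atom_token"   # API key or scoped access token; a store lookup tells them apart
    else:
        kind = "unknown"
    return Credential(kind, token)


def gate(method: str, path: str, headers: Mapping[str, str],
         self_registration_enabled: bool = False) -> str:
    """Return "public" or the credential kind; raise AuthError when a protected
    endpoint is requested without a recognisable Bearer token."""
    if is_public(method, path, self_registration_enabled):
        return "public"
    cred = parse_bearer(headers.get("Authorization"))
    if cred.kind == "unknown":
        raise AuthError("unrecognised token format")
    return cred.kind


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(gate("GET", "/health", {}))                                        # public
    print(gate("GET", "/auth/oauth/github/start", {}))                       # public
    print(gate("GET", "/entities", {"Authorization": "Bearer atom_example"}))  # atom_token
```

The gate deliberately decides on the allowlist first and only then looks at the header, so a public endpoint never fails because of a stale token, and a protected endpoint never passes on a token whose shape the server does not issue. Classification by prefix is a routing hint only: a "jwt" still has to be verified against the keys served at /.well-known/jwks.json, and an "atom_token" against the key store, before any identity is attached to the request.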
