v1 baseline

Keep v1 simple but not naive. Use one shared secret per workspace gateway.

Atlas to gateway

The gateway should verify that Atlas is allowed to call it. The simplest first version is:
Authorization: Bearer <shared-secret>

Gateway to Atlas callbacks

If your gateway sends async job or approval callbacks back to Atlas, sign them with the same shared secret. Recommended headers:
x-atlas-timestamp: 1710777600
x-atlas-signature: sha256=<hex-hmac>
Signature input:
${timestamp}.${canonical_json_body}
Atlas should verify:
  • timestamp is recent
  • signature matches
  • stale or replayed payloads are rejected
Bearer-auth callbacks may exist as a short-term compatibility path, but signed callbacks should be treated as the v1 production default.
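
The signing and verification steps above, as an added Python example (not Atlas's own code). The names `canonical_json`, `sign_callback` and `CallbackVerifier`, the 300-second freshness window, the sorted-key compact JSON form and the in-memory replay cache are all assumptions; the verifier checks the raw body bytes as received rather than re-serializing them.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed freshness window; the page only says "recent"


def canonical_json(payload):
    # Assumed canonical form (sorted keys, compact separators); the page does not define one.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_callback(secret, body, timestamp):
    """Gateway side: build the two callback headers for an already-serialized body."""
    signed = str(timestamp).encode() + b"." + body  # ${timestamp}.${canonical_json_body}
    digest = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return {"x-atlas-timestamp": str(timestamp), "x-atlas-signature": "sha256=" + digest}


class CallbackVerifier:
    """Receiving side: freshness, signature and replay checks over the raw body bytes."""

    def __init__(self, secret, tolerance=TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self._seen = {}  # signature -> timestamp, kept only while inside the window

    def verify(self, headers, raw_body, now=None):
        now = int(time.time()) if now is None else now
        ts_text = headers.get("x-atlas-timestamp", "")
        if not (ts_text.isascii() and ts_text.isdigit() and len(ts_text) <= 12):
            return "bad-timestamp"
        timestamp = int(ts_text)
        if abs(now - timestamp) > self.tolerance:
            return "stale"
        expected = sign_callback(self.secret, raw_body, timestamp)["x-atlas-signature"]
        supplied = headers.get("x-atlas-signature", "")
        # Constant-time comparison on bytes, so odd header characters cannot raise.
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "bad-signature"
        # Drop entries the freshness check would reject anyway, then look for a replay.
        self._seen = {s: t for s, t in self._seen.items() if abs(now - t) <= self.tolerance}
        if supplied in self._seen:
            return "replayed"
        self._seen[supplied] = timestamp
        return "ok"
```

With more than one receiving instance, the replay cache would need to live in a shared store with an expiry equal to the freshness window.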

What to avoid

  • anonymous invoke endpoints
  • reusing broad internal tokens
  • leaking downstream service credentials into the Atlas-facing contract
  • forcing Atlas to know your internal auth scheme

Better hardening later

Once the basic flow is working, the next upgrades are:
  • tighter replay protection
  • per-tenant credentials
  • short-lived tokens
  • mTLS or private network controls where needed