Authentication¶
TLS Certificates¶
The AirStack Edge API uses encrypted communication for all client and server interactions, leveraging modern TLS protocols and a FIPS-validated cryptographic library. This section describes how certificates, transport encryption, and cryptographic modules are used within the system.
TLS Communication and Certificates¶
All API traffic is encrypted using TLS unless removed by the user. The Edge API by default uses self-signed certificates for its HTTPS endpoints. These certificates are generated and managed locally by the system and serve two primary purposes: * Transport Encryption - All incoming and outgoing API traffic is encrypted in transit using TLS to protect confidentiality and integrity. * Mutual Trust Configuration - If using self-signed certificates rather than those issued by a public certificate authority, clients must explicitly trust the Edge API certificate. This trust can be established by importing the self-signed certificate into the client’s trust store. Self-signed certificates provide a secure default in closed or embedded environments where external certificate authorities are not accessible or desired. See the note here
If instead you wish to use certificates generated by a public certificate authority, this can be configured using the airstack-edge-setup binary. For more information on how to configure this you can find the installation documentation here on manual configuration.
Cryptographic Library and FIPS Validation¶
All TLS and cryptographic operations performed by Edge, whether acting as a server for clients or as a client when connecting to Triton, are implemented using the AWS-LC 3.0 Cryptographic Module (static), a FIPS 140-3 validated module. This ensures that TLS operations and cryptographic primitives conform to rigorous security and implementation standards.
Scope Limitations:¶
This coverage does not extend to custom Triton backends, Python backends, or other components performing their own independent cryptographic operations unless explicitly specified.
Bearer Authentication¶
After the TLS connection is established, all API routes require a Bearer token to authorize requests. The token identifies the authenticated user or service and determines what operations it is permitted to perform. Tokens are also generated using FIPS compliant libraries.
HTTP Header Example
Authorization: Bearer <your_token_here>
cURL Example:
curl -H "Authorization: Bearer $TOKEN" \
https://<host>/airstack-edge/v1/radio/info