Security overview
Constellation OS has two authentication surfaces with different models, both designed to fail closed:
| Surface | Credential | Model |
|---|---|---|
| Platform API | Tenant API key in the x-api-key header | Key is the principal; tenant identity derives from the key, never the hostname |
| Console | Cognito sign-in (email and password) | User identity for plans, entitlements, and billing |
The two are deliberately separate: a console account does not grant API access, and an API key does not sign into the console. A separate operator-only surface (/rules*) uses Cognito identity tokens and is not part of the customer API.
Platform API keys
Lifecycle, honestly stated
- Keys are provisioned per tenant, per environment, by the platform team, and stored in AWS Secrets Manager. There is no self-serve key purchase or mint against the platform today; keys generated locally in the console browser are not registered until provisioned. Getting a key starts with your tenant engagement; see Enterprise.
- Keys are environment-scoped. A dev key returns
401on prod, always. - The API validates keys against a SHA-256 hash map loaded at startup, and the plaintext key material is scrubbed from the process environment after parsing. Validation adds no measurable latency.
- Rotation goes through the platform team. Plan for it: read the key from configuration, not from code.
Roadmap, one line: scoped tokens and self-serve key issuance from the console are planned; today the console's key screens generate material that still requires platform-side provisioning.
Lockout
Failed authentication is tracked per client IP: 5 failures within a 300-second window locks the IP out for 900 seconds, and the lockout gate runs before key verification, so a locked-out IP gets 429 auth_lockout even with a correct key. Each success decays the failure counter by one. The practical rule for clients: treat 401 as fatal and stop, never retry a bad key in a loop, or your gateway locks itself out. Full details: Authentication.
Rate limits and body caps
Independent of auth, every environment enforces per-IP and per-tenant rate limits, a 1 MB body cap, and a 1,000-record telemetry batch cap, with Retry-After on retryable responses. See Errors and limits.
Console sign-in
The console authenticates users against Amazon Cognito with an in-app sign-in flow. Sign-in gates plans and entitlements (assistant queries, prediction tiers, live API configuration); guest mode exists deliberately, with the globe and deterministic analytics available and 10 assistant queries. Billing runs through Stripe; the console never sees card details.
Transport
All hosted surfaces (consoles, platform API, docs) are TLS-only. Browser calls to the platform API are additionally constrained by a per-environment CORS allowlist; when no origins are configured, CORS is off entirely and browsers cannot call the API cross-origin. Build integrations server-side. See API overview.
Key storage guidance
- Keep keys in a secrets manager or environment variables (
CONSTELLATION_API_TOKENis the convention); never in source control, never in a browser bundle. - The fleet agent's
config.tomlcontains the key in plaintext; keep it mode0600on a host with controlled access. - Prefixes (
cos_live_,cos_dev_,cos_sbx_) identify a key's environment at a glance; use them in incident triage to size blast radius. - If a key leaks, contact the platform team for rotation and treat every environment the key's prefix names as exposed.