Athena

Security Model

Headers, key rights, and operational security guidance for Athena.

Header-Based Scope

  • X-Athena-Client: selects the target logical client the request is scoped to
  • x-athena-key / x-api-key / Authorization: Bearer: the three transports that carry the API key
  • x-athena-admin-key: static admin key required for privileged control plane operations

API Key Rights

Athena supports granular right grants for management and execution operations. Use rights to enforce least privilege per automation or user context.

For the complete gateway key model, including client binding, IP policy, virgin_mode, and fail-open versus fail-closed behavior, see Gateway API Keys.
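The scoping and rights checks described above, as an added example that is not Athena's own code: it resolves the API key from any of the three header transports, enforces the client binding against X-Athena-Client, and refuses any operation whose right the key does not hold. The key records, client names and right names ("query:read", "ddl:write") are constructed for the demo; a real gateway would look keys up by a hashed secret rather than a plain dictionary.

```python
"""Request scoping by Athena headers plus a deny-by-default rights check.
Illustrative code, not Athena's own implementation; all key data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Mapping, Optional, Tuple


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    rights: FrozenSet[str]
    bound_client: Optional[str] = None    # None: key is not client-bound
    disabled: bool = False
    expires_at: Optional[datetime] = None


# Constructed key store keyed by the presented secret (demo only).
KEYS = {
    "secret-ro": ApiKey("ops-ro-1", frozenset({"query:read"}), bound_client="tenant-a"),
    "secret-rw": ApiKey("ops-rw-2", frozenset({"query:read", "ddl:write"}), bound_client="tenant-a"),
    "secret-old": ApiKey("old-3", frozenset({"query:read"}), bound_client="tenant-b", disabled=True),
    "secret-exp": ApiKey("exp-4", frozenset({"query:read"}), bound_client="tenant-a",
                         expires_at=datetime(2020, 1, 1, tzinfo=timezone.utc)),
}


def _lower(headers: Mapping[str, str]) -> dict:
    """HTTP header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def extract_key(headers: Mapping[str, str]) -> Optional[str]:
    """Return the API key from whichever transport the caller used, or None.
    Checked in order: x-athena-key, x-api-key, Authorization: Bearer."""
    h = _lower(headers)
    for name in ("x-athena-key", "x-api-key"):
        value = h.get(name, "").strip()
        if value:
            return value
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return None


def authorize(headers: Mapping[str, str], required_right: str,
              now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Deny-by-default: the key must be present, live, bound to the targeted
    client (if bound at all) and hold the required right. Returns (allowed, reason)
    so the caller can log why a request was refused."""
    now = now or datetime.now(timezone.utc)
    h = _lower(headers)
    secret = extract_key(headers)
    if secret is None:
        return False, "no api key presented"
    key = KEYS.get(secret)
    if key is None or key.disabled:
        return False, "unknown or disabled key"
    if key.expires_at is not None and key.expires_at <= now:
        return False, "expired key"
    client = h.get("x-athena-client", "").strip()
    if not client:
        return False, "X-Athena-Client missing"
    if key.bound_client is not None and key.bound_client != client:
        return False, "key is bound to a different client"
    if required_right not in key.rights:
        return False, f"missing right {required_right}"
    return True, f"{key.key_id} -> {client}"


if __name__ == "__main__":
    req = {"Authorization": "Bearer secret-rw", "X-Athena-Client": "tenant-a"}
    print(authorize(req, "ddl:write"))   # allowed
    print(authorize(req, "backup:restore"))   # denied: right not granted
```

Rights are compared as exact strings, so a key that only holds "query:read" cannot be promoted to DDL by any header the client controls; the client header only narrows which tenant a bound key may reach, it never widens it.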

Operational Security Practices

  • Use client-bound API keys where possible.
  • Rotate keys regularly and disable stale keys.
  • Restrict management/backup/provision routes to trusted networks.
  • Audit DDL and admin operations through logging tables.
  • Limit exposure of the OpenAPI docs according to the deployment's risk profile.
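One way to implement the "audit DDL and admin operations through logging tables" practice, as an added example rather than Athena's own code: every admin statement is recorded in an audit table before it runs and the row is updated with the outcome afterwards, so an operation that fails or crashes mid-way still leaves a trace. The table name athena_admin_audit, the column layout and the function names are assumptions for this illustration; SQLite is used only so the example runs offline.

```python
"""Audit trail for admin/DDL operations kept in a logging table.
Illustrative code, not Athena's own; table and function names are assumed."""
import sqlite3
from datetime import datetime, timezone

# Assumed audit table layout for the demo.
AUDIT_DDL = """
CREATE TABLE IF NOT EXISTS athena_admin_audit (
    id        INTEGER PRIMARY KEY,
    at_utc    TEXT NOT NULL,
    key_id    TEXT NOT NULL,
    client    TEXT NOT NULL,
    statement TEXT NOT NULL,
    status    TEXT NOT NULL,
    error     TEXT
)
"""


def open_db(path=":memory:"):
    """Open the database and make sure the audit table exists."""
    conn = sqlite3.connect(path)
    conn.execute(AUDIT_DDL)
    conn.commit()
    return conn


def run_admin_ddl(conn, key_id, client, statement):
    """Record who ran which admin statement and whether it succeeded.
    The row is written and committed as 'started' before the statement runs,
    then updated to 'ok' or 'failed'. Returns True on success."""
    at = datetime.now(timezone.utc).isoformat()
    cur = conn.execute(
        "INSERT INTO athena_admin_audit (at_utc, key_id, client, statement, status) "
        "VALUES (?, ?, ?, ?, ?)",
        (at, key_id, client, statement, "started"),
    )
    row_id = cur.lastrowid
    conn.commit()
    try:
        conn.execute(statement)
        conn.execute("UPDATE athena_admin_audit SET status = 'ok' WHERE id = ?", (row_id,))
        conn.commit()
        return True
    except sqlite3.Error as exc:
        conn.execute(
            "UPDATE athena_admin_audit SET status = 'failed', error = ? WHERE id = ?",
            (str(exc), row_id),
        )
        conn.commit()
        return False


def read_audit(conn):
    """Return (key_id, client, statement, status) rows in execution order."""
    rows = conn.execute(
        "SELECT key_id, client, statement, status FROM athena_admin_audit ORDER BY id"
    )
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = open_db()
    run_admin_ddl(db, "ops-rw-2", "tenant-a", "CREATE TABLE events (id INTEGER)")
    run_admin_ddl(db, "ops-rw-2", "tenant-a", "DROP TABLE missing_table")
    for row in read_audit(db):
        print(row)
```

Writing the audit row first and committing it separately is deliberate: if the audit insert were in the same transaction as the DDL, a failed statement would roll the evidence back along with the change.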

Backup Security

  • Use dedicated buckets and prefixes per environment.
  • Keep restore operations behind admin-key and policy controls.
  • Validate toolchain paths and storage credentials explicitly in production.