Athena

Security Model

Headers, key rights, and operational security guidance for Athena.

Header-Based Scope

  • X-Athena-Client: target logical client
  • x-pg-uri: preferred direct PostgreSQL routing header
  • x-athena-jdbc-url / x-jdbc-url / X-JDBC-URL: legacy compatible direct PostgreSQL routing headers
  • x-athena-key / x-api-key / Authorization: Bearer: API key transport
  • x-athena-admin-key: static admin key for privileged control plane operations

For PostgreSQL gateway routes and PostgreSQL SQL-driver calls, x-pg-uri can replace X-Athena-Client. If the URI includes both username and password credentials, Athena can accept requests without an API key for those PostgreSQL paths.

Direct PostgreSQL header precedence

When multiple direct PostgreSQL headers are sent, Athena resolves in this order:

  1. x-pg-uri
  2. x-athena-jdbc-url
  3. x-jdbc-url / X-JDBC-URL

All accepted headers are normalized through one parser, including JDBC forms.

When the API key is optional

The API key can be omitted only when all of the following are true:

  • Route is an eligible PostgreSQL gateway route or PostgreSQL SQL-driver route
  • Direct PostgreSQL URI header is present
  • URI credentials include both username and password
  • No conflicting auth constraints apply

In all other cases, standard key auth and rights enforcement remain in effect.
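The precedence rules above and the API-key-optional conditions, as an added example that is not part of Athena's own code: one case-insensitive resolver for the direct PostgreSQL headers, one parser that normalizes both `postgres://` and `jdbc:postgresql://` forms, and a check that the URI carries both a username and a password before the key may be dropped. The fourth condition, "no conflicting auth constraints", is deployment-specific and is not modeled here.

```python
from urllib.parse import urlsplit, unquote, parse_qsl

# Precedence order from the Security Model; names are matched case-insensitively,
# so X-JDBC-URL and x-jdbc-url are the same entry (third place).
DIRECT_PG_HEADERS = ("x-pg-uri", "x-athena-jdbc-url", "x-jdbc-url")


def pick_direct_pg_header(headers):
    """Return (header_name, value) for the highest-precedence non-empty direct
    PostgreSQL header, or None when no such header is present."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in DIRECT_PG_HEADERS:
        value = lowered.get(name)
        if value:
            return name, value
    return None


def normalize_pg_uri(raw):
    """Single parser for every accepted header: strips a leading 'jdbc:' so the
    JDBC form goes through the same URI parsing as postgres:// / postgresql://.
    Credentials may sit in the userinfo part or, JDBC-style, in the query string.
    Raises ValueError for anything that is not a PostgreSQL URI."""
    uri = raw.strip()
    if uri.lower().startswith("jdbc:"):
        uri = uri[5:]
    parts = urlsplit(uri)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    query = dict(parse_qsl(parts.query))
    user = unquote(parts.username) if parts.username else query.get("user")
    password = unquote(parts.password) if parts.password else query.get("password")
    return {"user": user, "password": password, "host": parts.hostname,
            "port": parts.port or 5432, "dbname": parts.path.lstrip("/")}


def api_key_optional(headers, route_is_direct_pg):
    """Decide whether the API key may be omitted for this request.
    route_is_direct_pg: caller's verdict that the route is an eligible PostgreSQL
    gateway or SQL-driver route. Returns (optional, reason) so a deny is explainable."""
    if not route_is_direct_pg:
        return False, "route not eligible for direct PostgreSQL routing"
    picked = pick_direct_pg_header(headers)
    if picked is None:
        return False, "no direct PostgreSQL URI header present"
    try:
        creds = normalize_pg_uri(picked[1])
    except ValueError as exc:
        return False, f"unparseable URI: {exc}"
    if not (creds["user"] and creds["password"]):
        return False, "URI lacks username and/or password; key auth still required"
    return True, f"credentials supplied via {picked[0]}"
```

Any deny path falls back to the standard key auth and rights enforcement described above; the tuple's reason string is what an audit log line should carry.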

For complete route-by-route behavior, see Direct PostgreSQL Routing (x-pg-uri).

API Key Rights

Athena supports granular right grants for management and execution operations. Use rights to enforce least privilege per automation or user context.

For the complete gateway key model, including client binding, IP policy, virgin_mode, and fail-open versus fail-closed behavior, see Gateway API Keys.

Operational Security Practices

  • Use client-bound API keys where possible.
  • Rotate keys regularly and disable stale keys.
  • Restrict management/backup/provision routes to trusted networks.
  • Audit DDL and admin operations through logging tables.
  • Restrict exposure of the OpenAPI docs according to the deployment's risk profile.

Backup Security

  • Use dedicated buckets and prefixes per environment.
  • Keep restore operations behind admin-key and policy controls.
  • Validate toolchain paths and storage credentials explicitly in production.