Application Api
The Foundation Every Arch Deployment Depends On
Features
  • Application Registration: Register any microservice — built-in or custom — as a named, authorized participant in your distributed application.
  • Permission Management: Grant or revoke a service's access to the platform. Cryptographic keys are issued at grant time and invalidated on revocation.
  • Dual-Key Authorization: Two distinct key types protect service-to-service and client-to-service communication independently, preventing privilege escalation from the client tier.
  • Validation with Caching: Permission checks are resolved at the database and cached for fifteen minutes in memory, delivering fast authorization decisions under high inter-service traffic without sacrificing correctness.
  • Guardian Key Lifecycle: Manages the Bootstrap Key that unseals the platform on startup. The Bootstrap Key is encrypted with AES-GCM. The Guardian starts Sealed on every process restart and holds the Bootstrap Key in memory only while Unsealed — it is never written to disk.
  • Hardware Security Module Integration: First-class support for the YubiHSM 2 stores the Bootstrap Key in tamper-resistant hardware. If the HSM detects physical tampering, it zeroizes its contents.
  • Sealed Startup: When enabled, the Application Api launches in a Sealed state. All authorization requests are denied until an authorized operator explicitly unseals the Guardian via the Control Panel.
  • Encrypted Communication: All API requests and responses are wrapped in encrypted envelopes using the Protected<T> framework with AES-256-CBC encryption and MessagePack binary serialization. Plaintext never leaves the service layer.
How It Compares
Application Api Against Cloud and Self-Hosted Authorization Platforms
Authorization With Hardware at Its Root
Cloud providers and self-hosted frameworks both handle machine-to-machine authentication — as a byproduct of their broader identity models. The Application Api handles the same requirement with application-layer envelope encryption, a dual-key authorization model, and optional hardware-backed key storage, in a self-hosted platform built from the ground up for environments where sovereignty is a hard requirement.
Feature
Application Api
US Cloud (AWS/Azure/GCP)
EU Cloud (OVH/Hetzner/Scaleway)
ABP Framework
Machine-to-machine authentication
Application-layer envelope encryption
Dual-key authorization model
Hardware security module support
✓ (YubiHSM 2)
Separate service¹
Sealed startup mode
Official .NET client package
✓ (Native .NET)
Self-hosted
Unified platform management
CLOUD Act exempt
✓²
Air-gappable
No third-party data custody
¹ US cloud providers offer hardware security module support as separately provisioned and billed services (AWS CloudHSM, Azure Dedicated HSM, GCP Cloud HSM).
² EU cloud providers (OVHcloud, Hetzner, Scaleway) are not subject to the US CLOUD Act. However, data remains on the provider's infrastructure — CLOUD Act exemption does not mean sole data custody.
Tech Sovereignty
Arch
Company
About Contact