How It Works
From Installation to Sovereign Platform
Four Steps to a Production-Ready Distributed Application
Arch is a complete distributed application platform you deploy, configure, and own. The path to a running system follows a deliberate sequence — Control Panel, Application API, the APIs your application needs, then the application you build on top of them. Each step is designed to hand you directly into the next.
Step 1
Install the Control Panel
The Administration Console
The Control Panel is where the Arch platform begins. It is the single administration console through which every microservice is registered, every setting configured, and every deployment value encrypted before it reaches your pipeline. Before any service can communicate within your distributed system, it must first be known to the Control Panel.

The Control Panel is available as a Docker image or as a .zip package for IIS installation, and requires a SQL Server database. Install it on your internal network — it is designed to reach into your deployments from the inside, not to live alongside them. Once running, it remains your command center for the life of the platform.
What the Control Panel Does
From the Control Panel, you configure each microservice — access settings, database connections, hardware module parameters, and third-party integrations. Every value it produces is encrypted before you copy it into a deployment file. Your pipeline never carries a raw secret.

When you are ready to bring a service online, the Control Panel generates its encrypted configuration values and registers it with the Application API. A health check confirms the service is healthy before anything else depends on it. The entire deployment ceremony for every microservice in your system runs through this one console.
Step 2
Bring the Application Api Online
The Authorization Authority
The Application Api is the security backbone of the entire platform. Once deployed and registered through the Control Panel, it authenticates every service-to-service request in your network — including requests made by the custom Apis you will build later. Every microservice receives its identity from the Application Api at registration time, and until registration happens, the service cannot communicate with anything else in the platform. The system has no bypass.
Hardware-Backed Key Storage
For deployments that demand the highest level of protection, the Application Api supports the YubiHSM 2 hardware security module. When HSM mode is enabled, the platform starts in a sealed state — authorization is denied platform-wide until an operator physically unseals it through the Control Panel. The Bootstrap Key never enters memory unprotected.

Development uses an identical workflow with the HSM simulator, so the unsealing ceremony is practiced and understood before it ever reaches a production environment.
Step 3
Deploy the APIs Your Application Needs
A Catalog of Production-Ready Services
Arch ships with eight APIs that cover the infrastructure work every application requires. Each is a standalone microservice — independently deployable, independently scalable — and each connects to your application through a NuGet client. Deploy the ones you need, register them through the Control Panel, and your application gains their capabilities immediately.
Keys Api
Secure storage for secrets. The Keys Api holds passwords, connection strings, and encryption keys — sensitive values that do not belong in a standard database. Every secret is encrypted at rest and available only to authorized services within your platform.
Tokens Api
Time-sensitive unique identifiers, safe to share outside your application. The Tokens API issues them, tracks them, and expires them — so your application delivers a token where it would otherwise have to expose an internal Id.
Email Api
Transactional email delivery and address management through a consistent interface. The Email Api integrates with Postmark to send templated messages and handles email verification end-to-end, including incoming webhook callbacks. The Tokens Api works alongside it, keeping internal user Ids out of every verification link your platform sends.
Users Api
Full user account management backed by zero-knowledge authentication. The Users Api handles registration, login, password recovery, and account deletion — without ever storing a password hash. There is no hash to steal. It draws on the Keys, Tokens, and Email Apis to deliver every part of the user lifecycle.
Comments Api
Threaded conversations attached to any context your application defines. The Comments Api supports articles, direct messages, and nested discussions — all encrypted at the maximum level Arch offers.
Entity Api
Generic encrypted storage for any object model. The Entity Api stores, versions, and archives entity data while tracking changes over time. The entire entity serialization is always encrypted.
Files Api
Encrypted file storage with streaming delivery. The Files Api handles large uploads and downloads as streams and caches small files in both server and client memory for fast delivery. Every file written to disk is encrypted.
Step 4
Build Your Application
The Platform Is Yours to Extend
Your application server is the component you write. It calls into any Arch Api through its NuGet client, inheriting the platform's authorization and resilience with each request — no additional configuration required. You focus on the logic that makes your application distinctive.

When your application needs capabilities beyond the core catalog, you extend the network with custom Apis built on the Arch framework. They register with the Application Api the same way every built-in service does, join the same authorization model, and gain the same horizontal stack — encrypted communication, structured logging, telemetry, and resilience all built in.
From Server to Screen
The user-facing layer of your application communicates with your server through relay packages that mirror the same client interfaces. For the Email and Users Apis, Blazor UI components are available today. The platform is designed so that end-to-end encryption spans from each Arch Api to the user's device — the full communication chain is protected at every layer you build.
Tech Sovereignty
Arch
Company
About Contact