
Security model

How ATM separates public protocol facts from private payment, customer, and fulfillment state.

Closed beta · @atmosphere-money/app-node SDK beta: 0.0.0-beta.0 · ATM API beta: 2026-06 · 42 lexicons

Compatible with the closed-beta ATM app APIs and versioned ATM event headers. Check the atm-api-version header on every webhook or XRPC receiver event before acting on it, and reject versions your integration was not built against.

Public and private boundary

ATM uses public AT Protocol records for portable facts and private ATM tables for sensitive operational state. Public records should be useful for interoperability without leaking customer, processor, or fulfillment data.

Public: Catalog refs, public product/price shape, settled payment amount/currency, proof CIDs, and safe entitlement refs.
Private: Emails, addresses, phone numbers, checkout sessions, processor ids, Stripe ids, webhook payload logs, QR secrets, attendee answers, and fulfillment state.

Auth boundaries

  1. App service-auth

     Proves the app server is allowed to call an app-facing ATM method.

  2. Buyer assertion

     Proves the app saw a signed-in buyer for this action without granting ATM PDS write access.

  3. Dashboard session

     Proves a human is signed into ATM and can manage their own account context.

  4. OAuth grant

     Allows ATM or an app to write allowed records to a user's repo when needed.

Replay and idempotency

App service-auth tokens and buyer assertions should be short-lived and carry unique jti values so a captured token cannot be presented twice. Webhook delivery is at-least-once, so apps must deduplicate on delivery id and app order id before performing any side effect such as fulfillment.

  • Mint fresh service-auth for each durable XRPC action.
  • Use the exact route NSID as lxm.
  • Store webhook delivery ids before fulfillment.
  • Use ATM payment ids and app order ids as idempotency anchors.
  • Treat browser redirects as UI continuity, not payment truth.
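The checks in the list above, as an added example for this page. It is not code from the ATM docs or the @atmosphere-money/app-node SDK: the receiver DID, route NSID, expected atm-api-version value, and webhook event field names are assumptions. Signature verification of the service-auth token is assumed to have already happened (for example in an AT Protocol service-auth verifier); what is shown is the claim checks (aud, exact lxm, short exp, unseen jti) on the XRPC side, and delivery-id plus app-order-id idempotency on the webhook side, including the case where fulfillment fails after the delivery id was recorded.

```javascript
// Added example, not from the ATM docs or SDK. Receiver DID, route NSID,
// API version value and event field names are assumptions.

const RECEIVER_DID = "did:web:app.example";                 // assumed
const ROUTE_NSID = "money.atmosphere.app.createCheckout";   // assumed NSID
const EXPECTED_API_VERSION = "2026-06";                     // assumed value
const MAX_TTL_SECONDS = 60;                                 // local policy

// Replay cache: jti -> exp. Entries are dropped once the token has expired,
// so the cache only has to remember tokens that could still be replayed.
const seenJti = new Map();

function evictExpired(nowSec) {
  for (const [jti, exp] of seenJti) if (exp <= nowSec) seenJti.delete(jti);
}

// Check the claims of one (already signature-verified) service-auth token
// against the route being called. Returns { ok: true } or { ok: false, reason }.
function checkServiceAuthClaims(claims, nowSec, expectedLxm = ROUTE_NSID) {
  if (typeof claims.jti !== "string" || claims.jti === "")
    return { ok: false, reason: "missing jti" };
  if (claims.aud !== RECEIVER_DID) return { ok: false, reason: "wrong aud" };
  // lxm must equal the exact route NSID, not a prefix or a sibling method.
  if (claims.lxm !== expectedLxm) return { ok: false, reason: "lxm mismatch" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSec)
    return { ok: false, reason: "expired" };
  if (claims.exp - nowSec > MAX_TTL_SECONDS)
    return { ok: false, reason: "lifetime too long" };
  evictExpired(nowSec);
  if (seenJti.has(claims.jti)) return { ok: false, reason: "replayed jti" };
  seenJti.set(claims.jti, claims.exp);
  return { ok: true };
}

// Webhook side: delivery ids and app order ids are the idempotency anchors.
// In production these sets would be rows written in one DB transaction.
const claimedDeliveries = new Set();  // delivery ids recorded before fulfillment
const fulfilledOrders = new Set();    // app order ids that already had side effects
const fulfillments = [];              // stand-in for the real side effect

function defaultFulfill(event) {
  fulfillments.push({ paymentId: event.paymentId, appOrderId: event.appOrderId });
}

// Handle one at-least-once delivery. Returns { action, reason? }.
function handleWebhook(headers, event, fulfill = defaultFulfill) {
  if (headers["atm-api-version"] !== EXPECTED_API_VERSION)
    return { action: "reject", reason: "unexpected atm-api-version" };
  if (claimedDeliveries.has(event.deliveryId))
    return { action: "skip", reason: "duplicate delivery id" };
  if (fulfilledOrders.has(event.appOrderId))
    return { action: "skip", reason: "order already fulfilled" };
  // Record the delivery id before the side effect so a redelivery cannot
  // fulfill the same order twice; release it if fulfillment fails so the
  // next redelivery is retried instead of being silently dropped.
  claimedDeliveries.add(event.deliveryId);
  try {
    fulfill(event);
  } catch (err) {
    claimedDeliveries.delete(event.deliveryId);
    return { action: "retry", reason: `fulfillment failed: ${err.message}` };
  }
  fulfilledOrders.add(event.appOrderId);
  return { action: "fulfilled" };
}
```

The order of the webhook checks matters: the delivery id catches the same delivery sent twice, and the app order id catches a different delivery (a retried payment event, or a duplicate from your own retry logic) for an order you already fulfilled. Neither check depends on the browser redirect that brought the buyer back to your site.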

Payment processor boundary

ATM keeps processor identifiers private. Apps can see app-scoped payment facts and app fee data for payments they originated, but they do not get broad connected-account access, KYC data, bank details, or processor account ids.

App visibility

App dashboards and app events are scoped to the app's originated payments and enabled modules. Creator dashboards remain the place for connected-account owner controls such as payouts, disputes, tax, and account management.

Data minimization

Store the least data needed for payment, support, compliance, and fulfillment. Do not copy private checkout fields, buyer messages, emails, addresses, attendee answers, processor ids, or assertion JWTs into public protocol records.
