Edge Agent Credentials (Template)
This document is a template. Do not store real secrets in this repository.
If you need to share credentials with a teammate, use a secret manager (1Password, Doppler, AWS Secrets Manager, etc.) or an encrypted channel.
What the edge agent needs
1) EDGE_SECRET (shared secret)
The Mac mini edge agent (see ../archety-edge) authenticates to the backend using an Authorization: Bearer ... token.
Current deployed edge client behavior (archety-edge):
- Uses the raw EDGE_SECRET as the Bearer token for both HTTP (/edge/message) and WebSocket (/edge/ws).
- Includes X-Edge-Agent-Id for WebSocket correlation.
Backend behavior (this repo):
- Accepts an HMAC-derived token format (recommended).
- Accepts the raw secret only in non-production (ENVIRONMENT != production), as a legacy fallback.
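A sketch of the acceptance logic described above, as an added example and not code from this repo. The page does not specify the HMAC token format, so the `<agent_id>:<unix_ts>:<hex HMAC-SHA256>` layout, the 300-second freshness window, and the function names are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

MAX_SKEW_SECONDS = 300  # assumed freshness window, not taken from the page


def _mac(secret: str, agent_id: str, ts: str) -> str:
    msg = f"{agent_id}:{ts}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def derive_token(secret: str, agent_id: str, now: Optional[int] = None) -> str:
    """Build '<agent_id>:<unix_ts>:<hex mac>' (assumed format)."""
    ts = str(int(time.time()) if now is None else now)
    return f"{agent_id}:{ts}:{_mac(secret, agent_id, ts)}"


def verify_bearer(header: str, secret: str, environment: str,
                  now: Optional[int] = None) -> bool:
    """Return True if the Authorization header value is acceptable."""
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer" or not token or not secret:
        return False  # an empty configured secret must never authenticate
    now = int(time.time()) if now is None else now

    parts = token.split(":")
    if (len(parts) == 3 and parts[1].isascii() and parts[1].isdigit()
            and len(parts[1]) <= 12):
        agent_id, ts, mac = parts
        fresh = abs(now - int(ts)) <= MAX_SKEW_SECONDS
        # compare_digest keeps the comparison constant-time
        if fresh and hmac.compare_digest(
                mac.encode(), _mac(secret, agent_id, ts).encode()):
            return True

    # Legacy fallback: raw EDGE_SECRET, only when ENVIRONMENT != production
    if environment != "production":
        return hmac.compare_digest(token.encode(), secret.encode())
    return False
```

With this shape, a client that still sends the raw EDGE_SECRET fails closed in production, which is the behavior the two bullets above describe.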
Generate a strong secret:
Set in backend (Railway variables):
Set in edge agent (Mac mini .env):
2) REGISTRATION_TOKEN (legacy / optional)
There is a lightweight /edge/register endpoint that accepts a token that simply starts with edge_ (MVP-era behavior).
The current archety-edge implementation does not require registration and does not call /edge/register.
If you still use registration for your setup, treat it as a one-time bootstrap secret and rotate it after use.
Example format:
Backend URLs
Canonical domains (rebrand):
- Production API: https://api.ikiro.ai
Legacy Railway URLs may still exist as aliases:
- https://archety-backend-prod.up.railway.app
- https://archety-backend-dev.up.railway.app
Where to put real values
- Backend: Railway → Service → Variables
- Edge agent (Mac mini): ../archety-edge/.env (not committed)