Two modes
Atomic runs in two modes. Both produce the same agent identity — same agent.json format, same signing, same verification. The difference is who runs the infrastructure.
Self-hosted
You run the Rust binary on your own server. You own the domain, the keys, the TLS cert, everything.
Good for: dedicated VMs, on-prem, air-gapped environments, full control.
atomic init --domain agent.yourcompany.comHosted (Platform)
We manage DNS, TLS, and the public endpoints (agent.json, deposit box, magic links). Your agent only needs a private key and the SDK.
Good for: Docker, Kubernetes, Lambda, Cloud Run — anywhere you can’t run a persistent server process.
atomic init --hosted --name scoutWhat the platform manages
| Concern | Self-hosted | Hosted |
|---|---|---|
| agent.json | Your server | CDN edge |
| Deposit endpoint | Your server /d/ | Workers, forwarded via webhook |
| Magic links | Your server /m/ | Workers |
| Vault | Local encrypted file | Encrypted KV |
| DNS | You configure it | Cloudflare API (managed) |
| TLS | Auto-TLS or BYO cert | Cloudflare handles it |
| Private key | ~/.atomic/credentials | Env var / K8s secret |
| Signing | atomic sign CLI | SDK function call |
When to use which
If you have a server with a stable IP and want no dependencies on us, self-host.
If your agent runs in containers, serverless functions, or anything ephemeral, use the platform. The binary is optional — the SDK handles signing and the platform handles the public endpoints.