Challenge Response Authentication Method


CRAM is a term you may have heard of when reading about the atPlatform. CRAM stands for challenge response authentication mechanism. It is an algorithm/mechanism used in cryptography commonly used for authentication in protocols.


You use your CRAM secret to activate your atSign and authenticate into your (secondary server)[/atplatform/secondary-server] secondary server for the first time. Once authenticated, you may add, update, delete, and lookup keys in your own secondary server.

When users get their atSign from, they receive their CRAM secret in the form of a QR code. A CRAM secret is just a long string of randomly generated characters. The CRAM secret can also be fetched from a REST API since sometimes the QR code can be cumbersome. It is recommended that you let the SDK handle these API requests as it is easier and safer.

CRAM is made easy with the atPlatform. Since the CRAM secret was generated and given by Atsign, that would be like Atsign generating your password for you. To opposite this, atPlatform’s SDKs and authentication services (such as at_onboarding_flutter) make it easy to generate a .atKeys file for subsequent logins to your secondary. This .atKeys file is generated by your device and contains the necessary keys to encrypt/decrypt data in your secondary server and the secondary server of other atSigns. The .atKeys file is closely related to PKAM which you can read more about here.


In the atProtocol, CRAM is a verb.

The cram verb is used to bootstrap authenticate one’s own self as an owner of a Secondary Server. It is intended to be used once until a set of PKI keys are cut on the owner’s mobile device and from then on we use the pkam verb.

The following regex represents the syntax of the cram verb: r'^cram:(?<digest>.+$)'

Learn more about the cram verb here .

Key Definitions

  • CRAM: challenge response authentication mechanism
  • CRAM Secret: a long string of characters associated with each atSign for activation
  • .atKeys file: holds encryption keys for PKAM authenticating
  • OTP: one-time password