Public Key Authentication Mechanism


PKAM stands for public key authentication mechanism. It is the way a client proves to its secondary server that it owns an atSign: the client signs a challenge issued by the server with its RSA private key, and the server verifies the signature with the public key it holds. PKAM is an authentication mechanism, not an encryption scheme; the same asymmetric principle (encrypt with the public key, decrypt with the private key) is used separately for protecting data between two parties.


The atPlatform’s packages and SDKs help apps generate an RSA PKAM public/private keypair and save it in a .atKeys file. Before that keypair exists, the only credential is the CRAM secret provided by Atsign, which is a shared secret between you and Atsign and therefore a weakness. To remove it, a new RSA PKAM keypair is generated on your device, its public key is registered with your secondary server, and the CRAM secret is no longer valid. The PKAM keypair is used for all subsequent authentications, and because you are the only one with access to the private key, you are the only one who is able to authenticate.

The PKAM public key is the half of the keypair that your secondary server stores and uses to check your signatures; it is safe to disclose because it cannot be used to sign. Data exchange between atSigns relies on the same asymmetric principle: a sender encrypts with the recipient’s public key and only the holder of the matching private key can decrypt. Note that the keys used for data encryption are kept separately in the .atKeys file; the PKAM keypair is for authentication. Read more on asymmetric encryption here.

The PKAM private key is used by the client to authenticate to its own secondary server. It plays the same role as the CRAM secret, except that it was generated by you (rather than by Atsign) and is owned entirely by you. It never leaves your device: the server only ever sees signatures made with it.


In the atProtocol, pkam is a verb.

The pkam verb is used to authenticate oneself as the owner of a Secondary Server using PKI-style authentication: the server holds only the public key, and a valid signature over the challenge it issued proves possession of the private key.

The following regex represents the syntax of the pkam verb: ^pkam:(?<signature>.+$)

Everything after pkam: is the signature; the verb carries no other fields.

Learn more about the pkam verb here.
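The exchange described above, as an added example that is not part of the page or the atPlatform SDKs: a toy secondary server issues a single-use challenge, the client signs it with the PKAM private key and sends it in the pkam verb, and the server verifies the signature with the stored public key. The challenge layout, the error strings, and the choice of SHA-256 with PKCS#1 v1.5 padding are assumptions made for this example; the pkam syntax is the regex from the page in Go’s named-group spelling.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// pkamRe is the verb syntax from the page: everything after "pkam:" is the signature.
var pkamRe = regexp.MustCompile(`^pkam:(?P<signature>.+)$`)

// Secondary is a toy model of one atSign's secondary server. It stores only the
// PKAM public key; the private key never leaves the client.
type Secondary struct {
	atSign    string
	pkamPub   *rsa.PublicKey
	challenge string // outstanding challenge, "" when none
}

func NewSecondary(atSign string, pub *rsa.PublicKey) *Secondary {
	return &Secondary{atSign: atSign, pkamPub: pub}
}

// HandleFrom answers "from:@alice" with a fresh, single-use challenge.
// The layout (nonce, atSign, timestamp) is an assumption for this example.
func (s *Secondary) HandleFrom(line string) string {
	if line != "from:"+s.atSign {
		return "error:unknown atSign"
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "error:could not generate challenge"
	}
	s.challenge = fmt.Sprintf("_%s%s:%d", hex.EncodeToString(nonce), s.atSign, time.Now().UnixMilli())
	return "data:" + s.challenge
}

// HandlePkam parses "pkam:<base64 signature>" and verifies it over the outstanding
// challenge with the stored public key. The challenge is consumed whether or not
// verification succeeds, so a captured pkam line cannot be replayed.
func (s *Secondary) HandlePkam(line string) string {
	m := pkamRe.FindStringSubmatch(line)
	if m == nil {
		return "error:invalid syntax"
	}
	if s.challenge == "" {
		return "error:no outstanding challenge"
	}
	challenge := s.challenge
	s.challenge = ""
	sig, err := base64.StdEncoding.DecodeString(m[1])
	if err != nil {
		return "error:signature is not base64"
	}
	digest := sha256.Sum256([]byte(challenge))
	if err := rsa.VerifyPKCS1v15(s.pkamPub, crypto.SHA256, digest[:], sig); err != nil {
		return "error:authentication failed"
	}
	return "data:success"
}

// SignChallenge is the client side: sign the challenge with the PKAM private key
// and wrap it in the pkam verb. SHA-256 + PKCS#1 v1.5 is an assumed signing scheme.
func SignChallenge(priv *rsa.PrivateKey, challenge string) (string, error) {
	digest := sha256.Sum256([]byte(challenge))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return "pkam:" + base64.StdEncoding.EncodeToString(sig), nil
}

func main() {
	// The keypair generated on the device; only the public half is registered.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	srv := NewSecondary("@alice", &priv.PublicKey)

	reply := srv.HandleFrom("from:@alice")
	fmt.Println("server:", reply)
	line, err := SignChallenge(priv, strings.TrimPrefix(reply, "data:"))
	if err != nil {
		panic(err)
	}
	fmt.Println("server:", srv.HandlePkam(line)) // data:success
	fmt.Println("server:", srv.HandlePkam(line)) // error:no outstanding challenge (replay)
}
```

Two properties worth noting: the server never needs the private key, so compromising the server does not yield a credential that can authenticate elsewhere, and clearing the challenge before verifying means a signature sniffed from one session is useless in the next. A signature made with any key other than the registered one fails at rsa.VerifyPKCS1v15.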

Key Definitions

  • PKAM: public key authentication mechanism
  • CRAM: challenge-response authentication mechanism, the shared-secret login that PKAM replaces
  • PKI: public key infrastructure
  • RSA: “Rivest-Shamir-Adleman” is an asymmetric encryption and signature algorithm. Read more here