Security overview¶
In RG Platform, security is the architecture, not a layer on top of it. Every component has its own identity, every transport is authenticated and encrypted, the edge accepts nothing inbound, and credentials are short-lived and individually revocable. The properties that keep the platform safe — outbound-only connectivity, per-cluster device identity, tenant isolation — are the same properties that make it work.
Per-component identity¶
Every actor in the platform has a distinct, non-overlapping identity: users, machine/API credentials, devices, and nodes. A device's identity is bound to a key the device generated during pairing and is valid only on its own cluster — it authenticates nowhere else and represents nothing else. Nodes within a cluster mutually authenticate to each other by asymmetric key, never by a shared secret, so no single leaked secret admits a rogue node. Users and machine callers are separate identity classes with their own credentials and lifecycles. Because the identity classes don't overlap, a credential of one kind can never be mistaken for or escalated into another — a device key cannot act as a user, and a node's key cannot stand in for an API credential.
Transport and mutual authentication¶
Each connection uses authentication appropriate to who is on each end. Users reach the platform over modern TLS. Devices and their cluster mutually authenticate, so the device proves its identity to the cluster and the cluster proves its identity to the device — neither trusts the other on assertion alone. Nodes communicate over an encrypted private mesh in which they authenticate each other by key. The common thread is that no transport relies on a shared password or an implicit trust boundary: identity is proven cryptographically at every hop, which is what lets the platform span untrusted networks without exposing the devices behind them.
Zero inbound at the edge¶
The platform's defining security invariant is that nothing at the edge accepts an internet-inbound connection. Devices and bridges connect only outward, so there is no listening port to scan, no management interface exposed to the internet, and no inbound service to exploit. A device's own web GUI — often the weakest point of remote hardware — is reachable solely through the tunnel the device itself opened, and only to RG-authorized users. This invariant collapses a large class of remote-access risk: an attacker on the public internet has no address, port, or service to attack at the device, because by construction none is offered.
Credential lifecycle¶
Credentials are deliberately short-lived, self-rotating, and individually revocable.
- User tokens are short-lived and cluster-scoped: a cloud session is exchanged for a credential valid only on one cluster and only until it expires.
- Device credentials rotate automatically through the heartbeat channel, so a device's authentication material refreshes over time without manual handling.
- API secrets are revealed exactly once at creation and stored only as irreversible hashes, so the platform never holds a recoverable copy of a secret.
- Revocation is per identity by unique identifier and takes effect on the next request, so removing access is immediate and precise rather than fleet-wide.
Together these mean access is granted narrowly, refreshed automatically, and withdrawn cleanly — the credential system fails toward least privilege.