Proxy-Authorization header of every CONNECT request. No custom SDK, no bearer tokens, no OAuth handshakes at the proxy layer — every HTTP client that supports proxy-auth works out of the box.
Credential format
| Field | Value |
|---|---|
| Username | avp_live_<12-char-hex> (or avp_test_* for test mode) |
| Password | 64-char hex secret (returned once at mint / rotate) |
Proxy-Authorization: Basic ... header encoding for you. You pass http://username:password@host:port and they do the base64 themselves.
Three ways to pass credentials
- Proxy URL (recommended)
- Explicit header
- Environment variable
/developer dashboard generates.Test vs live mode
Keys come in two flavours, distinguished by prefix:| Prefix | Behaviour |
|---|---|
avp_test_* | Request metering runs but no billing. Great for CI / scripted QA. Stop working if you set liveMode: false explicitly at mint; stay in test mode indefinitely. |
avp_live_* | Real billing. Overage charges (if opted-in) hit your Stripe source. Use these for production. |
test key in shared repositories / CI, live keys in your secrets manager only. See Rotating secrets for rotation best practice.
Security — what the gateway does with your secret
- Base64-decoded once on every CONNECT.
- Looked up by
keyIdin the DB; secret is never stored in plaintext — onlybcrypt(secret, 12). - Successful
bcrypt.comparecaches the (keyId, secret) pair in memory for 30 seconds to keep hot paths below 1 ms. - On rotation, the gateway cache is flushed immediately — the old secret stops being accepted within milliseconds, not waiting for the 30-second TTL.
api.atlasvpn.live:7777 over the wire protocol documented here. Any URL / email / form that does is a phishing attempt — report to security@atlasvpn.live.