Tenant Dashboard
Tenant operator UI
Use dashboard.attesto.eu for tenant-facing operations. This page covers external tenant workflows only.
Identity and access
Tenant users sign in through the email-first dashboard flow. The first screen asks for an email address, then Attesto routes the user to the configured password, community identity, invite, signup, or organization SSO path. Tenant owners configure Entra ID, generic OIDC, and SAML providers in Settings → Identity Providers.
- Use tenant roles for dashboard access: owner, admin, developer, and user.
- Use marketplace developer accounts only on the marketplace; they do not grant dashboard access.
- Use auditor invites for audit portal access; auditors do not receive tenant operator privileges.
- Review Tenant SSO before enforcing organization SSO for a domain.
Systems and keys
- Create one system per production service or isolated environment.
- Copy the generated system key when it is displayed and store it server-side.
- Rotate keys when a system changes ownership, hosting boundary, or deployment trust.
- Disable unused systems instead of reusing their keys for unrelated services.
Proofstream views
Stream pages show event sequence, receipt state, window and checkpoint state, witness/quorum status, anchor status, fork evidence, and verifier bundle readiness.
- A receipt proves that Attesto accepted a specific event into a specific stream head.
- A checkpoint summarizes a closed range and links to consistency evidence.
- Fork evidence requires immediate investigation before relying on that stream history.
- Bundle export becomes available only when policy requirements are satisfied.
Webhooks and connectors
Webhooks notify your systems when Attesto evidence changes. Connectors write source-system observations into Proofstream. Use the dashboard to create and revoke tenant webhooks, signed webhook connectors, repository webhook connectors, S3/R2 object commitments, and Local Vault installations. Store every returned secret server-side; the dashboard intentionally does not reveal it again.
- Webhook subscriptions deliver signed notifications; receivers must verify the raw-body signature.
- Signed webhook connectors ingest custom source events through a connector-specific signed envelope.
- Repository connectors verify GitHub/GitLab delivery signatures before writing normalized evidence.
- S3/R2 object commitments record object metadata and integrity without proxying object bytes.
- Local Vault relays customer-edge events outbound and can act as a customer-side witness when policy enables it.
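The raw-body check from the first bullet, as an added example that is not Attesto's code or documented format. It assumes an HMAC-SHA256 signature carried in a header named X-Attesto-Signature with a "sha256=<hex>" value; both the header name and the scheme are assumptions, and the secret and delivery below are constructed. The point it shows is that the MAC must be computed over the exact bytes received, never over a re-serialized copy of the parsed JSON.

```python
import hashlib
import hmac
import json

# Assumed header name and "sha256=<hex>" scheme; not Attesto's documented format.
SIGNATURE_HEADER = "X-Attesto-Signature"
# Constructed sample secret: in practice this is the value returned once at
# creation time and stored server-side, as the dashboard section says.
WEBHOOK_SECRET = b"constructed-secret-stored-server-side"


def sign(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, in the assumed header format."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """True only if the header MAC matches an HMAC over the exact bytes received."""
    provided = headers.get(SIGNATURE_HEADER, "")
    if not provided.startswith("sha256="):
        return False
    expected = sign(secret, raw_body)
    # Constant-time comparison: a plain == would leak the expected MAC byte by byte.
    return hmac.compare_digest(provided, expected)


def handle(headers: dict, raw_body: bytes):
    """Receiver entry point: reject before parsing, parse only verified bodies."""
    if not verify_delivery(WEBHOOK_SECRET, headers, raw_body):
        return None
    return json.loads(raw_body)


# Constructed delivery: note the irregular spacing inside the JSON, which is
# exactly what a re-serializing receiver would silently normalize away.
RAW_BODY = b'{"type":"checkpoint.closed","stream":"stream-demo","seq": 42}'
HEADERS = {SIGNATURE_HEADER: sign(WEBHOOK_SECRET, RAW_BODY)}


def reserialized_signature_matches() -> bool:
    """Demonstrates the pitfall: verifying json.dumps(json.loads(raw)) instead of raw."""
    reparsed = json.dumps(json.loads(RAW_BODY)).encode()
    return verify_delivery(WEBHOOK_SECRET, HEADERS, reparsed)


if __name__ == "__main__":
    print("genuine delivery accepted:", handle(HEADERS, RAW_BODY) is not None)
    print("re-serialized body verifies:", reserialized_signature_matches())
```

Keep the raw bytes your HTTP framework hands you (for example the request body stream, not the already-decoded JSON object) and pass those to verify_delivery; any middleware that parses and re-encodes the body before your handler runs will make otherwise valid deliveries fail.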
Evidence exports
Exports are immutable evidence artifacts for the selected tenant scope and date range. Share exported bundles with auditors or counterparties only after confirming the range, policy, and retention requirements.
Truth Package generation, download/access, and successful cryptographic verification are themselves lifecycle evidence. Package generation records truth_package.generated, download or auditor access records truth_package.accessed, and a backend-validated verifier report records truth_package.verified.
Audit portal handoff
audit.attesto.eu is the read-only portal for external auditors invited by a tenant. Auditors authenticate through the audit flow, inspect only the tenant scopes they were granted, download approved exports, and review events, receipts, checkpoints, and bundle evidence without becoming tenant operators.
The audit sign-in flow is intentionally separate from dashboard and marketplace identity. An auditor enters an email address, receives a single-use magic link when the address belongs to an invited or active auditor, and then completes authenticator-app TOTP. The link is valid for 15 minutes; first-time auditors are guided through TOTP enrollment before normal access. The request-link response is always generic so an attacker cannot enumerate auditor email addresses.
The auditor landing page lists only active tenant grants with the approved scope, expiry date, 30-day event count, and latest anchor indicator. The tenant view remains read-only from there: expired or revoked grants are denied before events, exports, Proofstream bundles, forks, or IVC epochs are loaded. Audit sessions do not sign the auditor into the dashboard, marketplace, or any internal Attesto staff surface.
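The request-link and link-consumption rules described above, modelled as an added example that is not Attesto's implementation. It shows the three properties the text states: the request response is identical whether or not the address belongs to an invited auditor, a link is single-use, and a link expires after 15 minutes. The store, the auditor list and the clock are constructed; a real service would persist token hashes server-side and would still require TOTP before issuing a session.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # the 15-minute validity stated above
# One fixed string for every request, so responses cannot reveal whether the
# address is an invited auditor. Wording is constructed for this example.
GENERIC_RESPONSE = "If that address belongs to an invited auditor, a sign-in link has been sent."


class MagicLinkStore:
    """In-memory model of the auditor magic-link step (constructed, not Attesto's code)."""

    def __init__(self, auditors, now=time.time):
        self.auditors = set(auditors)  # invited or active auditor addresses
        self.now = now                 # injectable clock so expiry can be tested
        self.tokens = {}               # sha256(raw token) -> (email, expires_at)
        self.outbox = []               # (email, raw token) pairs that would be emailed

    def request_link(self, email: str) -> str:
        if email in self.auditors:
            raw = secrets.token_urlsafe(32)
            digest = hashlib.sha256(raw.encode()).hexdigest()
            # Only the hash is stored; a database read does not yield usable links.
            self.tokens[digest] = (email, self.now() + LINK_TTL_SECONDS)
            self.outbox.append((email, raw))
        # Same response and same shape on both branches: no enumeration signal.
        return GENERIC_RESPONSE

    def consume_link(self, raw: str):
        """Return the auditor email for a valid, unexpired, unused link; else None."""
        digest = hashlib.sha256(raw.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # pop makes the link single-use
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            return None  # expired links are discarded, not refreshed
        # The caller must still complete authenticator-app TOTP before a session exists.
        return email


if __name__ == "__main__":
    store = MagicLinkStore(["auditor@example.com"])
    print(store.request_link("auditor@example.com"))
    print(store.request_link("nobody@example.com"))
    _, raw = store.outbox[0]
    print("first use:", store.consume_link(raw))
    print("second use:", store.consume_link(raw))
```

The design choice worth noting is that the store never returns an error that depends on why a link failed (unknown, reused or expired all yield None), and the request path does equal work on both branches aside from sending mail; a response-time difference would otherwise reintroduce the enumeration signal the generic message is meant to remove.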
| Audit portal action | What is recorded | Why it matters |
|---|---|---|
| Open dashboard | auditor.view.dashboard per tenant in scope. | The tenant can see that the auditor viewed their audit landing page. |
| Open tenant audit view | Read-only access check against active, non-expired auditor grant. | Expired or revoked grants fail closed. |
| View event/export/bundle data | Tenant audit entries such as event, export, bundle, and Proofstream bundle views. | Review activity becomes tenant-visible evidence. |
| Download approved export | truth_package.accessed with auditor context and package hash. | Export access becomes part of the Proof of Evolution lifecycle. |
| Verify Proofstream bundle or IVC epoch | auditor.verify.proofstream_bundle or auditor.verify.proofstream_ivc_epoch with verifier result and problems. | Auditors can distinguish verified evidence from failed or incomplete evidence. |
- Create auditor access from the dashboard only for the scope and period needed.
- Revoke auditor access when the review is complete or the reviewer changes role.
- Every meaningful export access is recorded as lifecycle evidence.
- Auditors should verify bundles locally before relying on them in an assurance file.
Verify portal and public verifier API
verify.attesto.eu is the public verification and API origin. Use it for server-side SDK calls, POST /v1/public/verify, POST /v2/verify, health checks, and the public signing key endpoint. It is not a tenant settings UI and it does not require a tenant dashboard session for public proof-object verification.
- Use online verification when a receiving system can call the public verifier API.
- Use offline verification when a reviewer must verify a bundle without backend access.
- Pin expected witness or signing keys according to the verifier's trust policy.
- Treat a failed verifier report as evidence that must be investigated, not as a UI warning.
Billing
Billing settings show the active tenant plan, self-service Starter/Growth/Realtime subscription paths, and the Stripe billing portal. New tenant signup requires choosing a self-service tier. Stripe Checkout starts the configured 30-day tenant trial, and the verified Stripe webhook activates the selected plan. Enterprise remains sales-negotiated.
