Glossary
Agent — See Atrium Agent.
Atrium Agent — The on-premises network integration component. A single Docker container running a Go binary that handles RADIUS authentication, session tracking, and firewall-based session termination. Deployed on the customer's local network, one per site. Stateless — recovers its voucher list from the Atrium Server on restart.
Atrium Server — The core application: API server (Fastify/TypeScript) and frontend PWA (React). Handles visitor lifecycle, authentication, the admin dashboard, the kiosk UI, document management, notifications, and integrations. The system of record for all visitor data.
Check-in — The process of recording a visitor's arrival. Can happen via the admin dashboard (manual) or the kiosk (self-service with QR scan). Triggers WiFi voucher creation and host notification.
Check-out — The process of recording a visitor's departure. Revokes WiFi credentials and triggers session termination. Can be manual or automatic (expiry).
CoA (Change of Authorization) — A RADIUS message (RFC 5176) sent to a firewall to modify an active session's attributes. Used alongside Disconnect-Message (DM) for session termination.
Control Plane — The background service managing licensing, software updates, feature flags, and release distribution across all Atrium deployments. Both SaaS and self-hosted instances communicate with it.
DM (Disconnect-Message) — A RADIUS message (RFC 5176) sent to a firewall to terminate an active session. Part of the session termination flow.
Device token — A long-lived JWT issued to a kiosk tablet during the pairing process. Bound to a specific tenant and site. Restricted scope — can only perform check-in operations.
Entitlement — A feature or capacity included in a license tier. Divided into quantity limits (max sites, max visitors) and premium features (CRM integration, WLAN access).
Expiry — Automatic transition of a checked-in visit to "expired" when the expected departure time passes without manual check-out. Triggers the same cleanup as check-out (voucher revocation, session termination).
Grace period — The time window (default: 30 days) during which a self-hosted Atrium instance continues to operate normally after losing connectivity to the Control Plane. After the grace period, the instance enters read-only mode.
Host — The person within the organization who invited a visitor. Not a role — any authenticated user can be a host. Receives check-in notifications for their visitors.
IdP (Identity Provider) — The system that authenticates user identity. Atrium supports a built-in IdP (email/password) and external OIDC-compliant providers (Entra ID, Okta, Google Workspace).
Kiosk — A tablet placed in the lobby for visitor self-service check-in. Runs the Atrium PWA in a dedicated mode with a device token.
Member — The standard user role. Can invite visitors, view their own visitors, and receive notifications. Cannot access admin functions.
mTLS (Mutual TLS) — TLS where both client and server present certificates. Used for Atrium Agent authentication — the WebSocket connection itself is the authenticated session.
NATS JetStream — The event streaming system used internally for asynchronous processing (notifications, CRM sync, PDF generation, audit logging).
OIDC (OpenID Connect) — The authentication protocol used for external identity provider integration. Built on top of OAuth 2.0.
Outbox — The transactional outbox pattern: domain events are written to a database table within the same transaction as the state change, then published to NATS asynchronously. Ensures events are never lost.
PII (Personally Identifiable Information) — Data that can identify a person: name, email, signature, IP address. Subject to GDPR retention policies in Atrium.
Pre-registration — Creating a visit before the visitor arrives. Generates a QR code and sends an invitation email.
PWA (Progressive Web App) — The frontend technology used for both the admin dashboard and the kiosk UI. Supports offline capability via Service Workers.
QR code — A signed JWT encoded as a QR image, sent to visitors in the pre-registration email. Self-validating (can be verified offline by the kiosk), single-use, time-limited.
RADIUS — Remote Authentication Dial-In User Service. The protocol used for guest WiFi authentication. The Atrium Agent includes an embedded RADIUS server.
Read-only mode — The state an Atrium instance enters when the license grace period expires. Existing data is accessible, but new operations (check-ins, visits, configuration changes) are blocked.
RLS (Row-Level Security) — PostgreSQL feature that enforces tenant data isolation at the database level. Every query is filtered by tenant_id automatically.
Site — A physical location (office, campus, factory). The primary unit of configuration in Atrium. Visits, kiosks, documents, and agent connections are scoped to sites.
Site-Admin — A user role with management access to one or more assigned sites. Can manage documents, kiosks, and network settings for their sites.
SKU — Stock Keeping Unit. The license tier identifier (e.g., saas-professional, self-hosted-enterprise). Determines entitlements and limits.
Tenant — An organization using Atrium. All data is tenant-scoped. In SaaS mode, multiple tenants share infrastructure with full data isolation. In self-hosted mode, the deployment contains one tenant.
Tenant-Admin — The highest user role. Full access across all sites. Manages users, sites, IdP configuration, and tenant-wide settings.
Voucher — A time-bound set of WiFi credentials (username + password) generated at check-in. Authenticated via RADIUS by the Atrium Agent.
WeasyPrint — The PDF generation engine. A Python-based HTML-to-PDF renderer running as a stateless sidecar container. Converts signed document HTML snapshots into archival PDFs.