AT-1 SERVE-DB

The verifiable backend

A PocketBase-shapeddeveloper experience — one binary, REST, auth and an admin console — but every answer is proof-carrying, every change is a tamper-evident audit event, and you can delete a subject with a certificate. Point it at a folder and run at1 serve-db DIR. Nine capabilities, all behind one fail-closed auth gate.

1 binary
self-host the whole backend — REST, auth, admin console, audit stream
proof-carrying
every /query answer ships a receipt that re-verifies; tamper → false
?asof
byte-exact time-travel to any past state without a restore
fail-closed
one auth gate (bearer or HS256-JWT) — no token, no answer

One binary. Point it at a folder.

Self-host the whole backend — verified REST, auth, live audit stream and the admin console — from a single command. Every request passes one authentication gate; without a valid bearer token or HS256-JWT, nothing is served.

at1 serve-db ./data --auth bearer
#   verified backend up: REST /query, admin console, live audit stream

# a proof-carrying query — the answer ships a receipt
curl -H "authorization: Bearer $TOKEN" \
  "http://localhost:8090/query?sql=select+region,sum(amount)+from+txns+group+by+region"
#   -> { rows: [...], receipt: "…", verified: true }

# byte-exact time-travel to a past state — no restore
curl -H "authorization: Bearer $TOKEN" \
  "http://localhost:8090/query?sql=select+*+from+txns&asof=2026-05-14"
#   -> the store exactly as it stood on 2026-05-14
The backend you already know — made provable

You get the shape teams reach for a lightweight backend to get: REST endpoints, authentication and an inline admin console from one self-hosted binary. What’s different is underneath — the answer to a query is a receipt you can re-verify, the history is a tamper-evident audit trail you can replay to any date, and a deletion comes with a signed certificate. It fails closed: no valid token, no answer.

Nine capabilities, one auth gate

Everything below runs behind the same fail-closed authentication (bearer token or HS256-JWT). Turn on what your deployment needs.

Verified backend

A proof-carrying REST /query: every answer ships a receipt that re-verifies against the data, so a tampered answer returns false. Byte-exact time-travel with ?asof, a live SSE audit stream, and an inline admin console — the PocketBase developer experience, made provable.

Compute on compressed

Scan-free derived columns from a ~20-byte formula — 0 bytes stored for the column itself. Extract features and run anomaly detection straight against the compressed store, without a decompress-and-rescan tax.

Offline self-verifying export

Turn any query into an ~11 KB HTML file that re-verifies itself offline — no server, no network. Open it anywhere; edit one byte and it turns red. A report you can email that proves its own numbers.

Delete a subject — with a certificate

GDPR / POPIA crypto-erasure that removes one subject and hands back an Ed25519 certificate of the deletion — while every surviving record stays provably byte-exact. Right-to-be-forgotten you can show an auditor.

Sealed-model co-serving

Serve your data and a non-extractable model from one process — weights are only ever decrypted in RAM, never written in the clear. The license gate fails closed, so an unlicensed process serves nothing.

OEM / white-label embed

A partner overlays custom logic on top of the verified query path, bills a per-tenant verified rollup, and renders a branded “Verified by AT-1” page — your product, our proofs underneath.

Verified read-replication

A follower proves it is byte-exact faithful to the leader by matching a single 32-byte state root — about 551× less to verify than re-checking the whole dataset. Trust a replica without re-downloading it.

Signed transparency log

RFC-6962 Certificate Transparency for a database change log: inclusion and consistency proofs mean a third party can audit that nothing was quietly rewritten — using only the public key, no access to your data.

Cross-org PSI federation

Two organizations compute a joint sum or intersection where only blinded points cross the wire— unmatched rows are never transmitted. Answer “how many customers do we share?” without either side handing over its list.

Who this is for

  • Builders who want the one-binary backend experience, but need every answer and change to be provable.
  • Regulated & audited teams— tamper-evident history, GDPR erasure with a certificate, and a signed transparency log a third party can check.
  • OEMs & platforms that white-label a verified backend and bill a per-tenant verified rollup.
  • Cross-org collaboratorswho need a joint total or intersection without handing over either side’s raw list.

One binary. Every answer proof-carrying. Every change audited. Every deletion certified.