Skip to main content

Documentation Index

Fetch the complete documentation index at: https://quintsecurity.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Cloud Architecture

The Quint cloud runs on AWS ECS Fargate at api.quintai.dev. Five services handle the end-to-end pipeline:
ServiceRole
ingestAuthenticates deploy tokens, validates events, publishes to SNS
pipelineConsumes SQS, writes to Postgres actions (partitioned by month)
session-processorUpserts sessions table from session lifecycle events
alert-processorEvaluates rules, writes to alerts table
apiServes dashboard + public API from Postgres + Redis

Ingest pipeline

See Ingestion for the event schema, batch parameters, and overflow/recovery rules.

Data model

Postgres 16 on RDS. Key tables:
TableContents
organizationsTenant root
agentsPersistent agent identities across sessions
sessionsOne row per agent invocation, stamped with session_id from the edge
actionsTool calls + HTTP events, partitioned by created_at month
alertsRule-fired alerts
api_tokensDeploy tokens (SHA256-hashed, Redis-cached)
machinesRegistered edge daemons
enforcement_policiesCloud-authored policies pushed to edge
Row-level security is enabled on all tenant tables using the app.current_org_id session variable.

Authentication

Two paths:
  • Daemon → Ingest: Bearer token. Token is SHA256-hashed and looked up in Redis (write-through cache from api_tokens). Token types: install, enrollment, service, personal. Daemon boots with install token, registers, receives a service_token for subsequent calls.
  • Dashboard → API: Supabase JWT (cloud mode) or API key (local/CI mode).
See Auth Overview for the full token hierarchy and RBAC for permission scopes.

Multi-tenancy

Every event carries org_id stamped at ingest from the token. Postgres RLS filters on app.current_org_id. Redis keys are org-prefixed. See Multi-tenancy for isolation guarantees.

Fleet aggregation

The Fleet service aggregates agent activity across machines in one org. A detection on one machine is distilled into a ThreatSignature and pushed to every daemon in the fleet in ~30 seconds.