# ATAK and iTAK

KestrelOS acts as a **TAK Server**. ATAK (Android) and iTAK (iOS) connect on **port 8089** (CoT). Devices relay positions to each other and appear on the KestrelOS map.

## Connection

**Host:** KestrelOS hostname/IP

**Port:** `8089` (CoT)

**SSL:** Enable if server uses TLS (`.dev-certs/` or production cert)

**Authentication:**

- **Username:** KestrelOS identifier
- **Password:** Login password (local) or ATAK password (OIDC; set in **Account**)

## ATAK (Android)

1. **Settings** → **Network** → **Connections** → Add **TAK Server**
2. Set **Host** and **Port** (`8089`)
3. Enable **Use Authentication**, enter username/password
4. Save and connect

## iTAK (iOS)

**Option A - QR code (easiest):**

1. KestrelOS **Settings** → **TAK Server** → Scan QR with iTAK
2. Enter username/password when prompted

**Option B - Manual:**

1. **Settings** → **Network** → Add **TAK Server**
2. Set **Host**, **Port** (`8089`), enable SSL if needed
3. Enable **Use Authentication**, enter username/password
4. Save and connect

## Self-Signed Certificate (iTAK)

If server uses self-signed cert (`.dev-certs/`):

**Upload server package:**

1. KestrelOS **Settings** → **TAK Server** → **Download server package (zip)**
2. Transfer to iPhone (AirDrop, email, Safari)
3. iTAK: **Settings** → **Network** → **Servers** → **+** → **Upload server package**
4. Enter username/password

**Or use plain TCP:**

1. Stop KestrelOS, remove `.dev-certs/`, restart
2. Add server with **SSL disabled**

**ATAK (Android):** Download trust store from `https://your-server/api/cot/truststore`, import `.p12` (password: `kestrelos`), or use server package/plain TCP.

## OIDC Users

OIDC users must set an **ATAK password** first:

1. Sign in with OIDC
2. **Account** → **ATAK / device password** → set password
3. Use KestrelOS username + ATAK password in TAK client

## Configuration

| Variable | Default | Description |
|----------|---------|-------------|
| `COT_PORT` | `8089` | CoT server port |
| `COT_TTL_MS` | `90000` | Device timeout (~90s) |
| `COT_REQUIRE_AUTH` | `true` | Require authentication |
| `COT_SSL_CERT` | `.dev-certs/cert.pem` | TLS cert path |
| `COT_SSL_KEY` | `.dev-certs/key.pem` | TLS key path |

## Troubleshooting

**"Error authenticating" with no `[cot]` logs:**

- Connection not reaching server (TLS handshake failed or firewall blocking)
- Check server logs show `[cot] CoT server listening on 0.0.0.0:8089`
- Verify port `8089` (not `3000`) and firewall allows it
- For TLS: trust cert (server package) or use plain TCP

**"Error authenticating" with `[cot]` logs:**

- Username must be KestrelOS identifier
- Password must match (local: login password; OIDC: ATAK password)

**Devices not on map:** They appear only while sending updates; drop off after TTL (~90s).
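
To tell the "no `[cot]` logs" causes apart from a workstation on the same network as the device, the following added example (not part of KestrelOS) probes the CoT port and reports whether it is unreachable, answering without TLS, or presenting a certificate the host does not trust. The names `probe_cot` and `HINTS` are hypothetical, and the default target `127.0.0.1` is an assumption.

```python
import socket
import ssl
import sys

# Next step per outcome, following the troubleshooting notes on this page.
HINTS = {
    "unreachable": "Nothing accepts TCP here: check the firewall, the port "
                   "(8089, not 3000) and the '[cot] CoT server listening' log line.",
    "no-tls": "The listener did not complete a TLS handshake: if the server "
              "runs plain TCP, add it in the client with SSL disabled.",
    "tls-untrusted": "TLS is on but this host does not trust the cert (for "
                     "example self-signed): import the server package or trust store.",
    "tls-trusted": "TLS is on and the cert verifies: enable SSL in the client, "
                   "then check username and password.",
}


def probe_cot(host, port=8089, timeout=3.0):
    """Return 'unreachable', 'no-tls', 'tls-untrusted' or 'tls-trusted'."""
    ctx = ssl.create_default_context()  # verifies both chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "tls-trusted"
            except ssl.SSLCertVerificationError:
                return "tls-untrusted"
            except OSError:  # other SSLError, reset, or handshake timeout
                return "no-tls"
    except OSError:  # refused, filtered, or name resolution failed
        return "unreachable"


if __name__ == "__main__":
    # Assumed default target; pass the KestrelOS hostname/IP as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = probe_cot(target)
    print(f"{target}:8089 -> {result}: {HINTS[result]}")
```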