Security Checklist

• Run behind TLS with strict HSTS and trusted proxy IPs.
• Keep ADMIN_MTLS_REQUIRED=true for admin access.
• Require MFA for admins and high-risk users.
• Rotate JWT keys and disable bootstrap admin variables after use.
• Enable Redis for rate limiting and nonce storage.
• Keep audit logs and export to your SIEM if required.

Tokens

• Access tokens are short-lived.
• Refresh tokens are hashed, rotated, and reuse triggers revocation.
• Replay protection uses a nonce store.
• For inter-service calls, enforce mTLS on /oauth/token and /oauth/userinfo at the proxy.