# Security

- JWT required for all routes except `/health`.
- JWKS validation used for token verification.
- Required claims: `sub` (user ID), `tenantId`, `roles`.
- Authorization scopes: `crm.read`, `crm.write`, `crm.admin`.
- Tenant isolation enforced on every query via `tenant_id`.