# Security Model

## Principles

- Tokens are internal-only: they are minted and consumed by the gateway and are never exposed to untrusted clients directly.
- Permissions are managed centrally in the gateway, not by individual services or identity providers.
- Identity providers only validate identity; they do not create sessions or assign permissions.

## JWTs

- Access tokens are short-lived and carry only the minimal claims needed to identify the subject; permissions are resolved in the gateway at request time rather than embedded in the token.
- Refresh tokens are stored only as hashes (so a leaked store does not yield usable tokens) and can be revoked individually.

## Multi-tenant isolation

- User membership is scoped by tenant: being a member of one tenant grants nothing in another.
- Roles and permissions are evaluated per tenant, for the tenant the request targets.

## Operational safeguards

- Rotate JWT signing secrets regularly; keep the previous secret verifiable for a bounded window so in-flight tokens do not fail during rotation.
- Use TLS in production.
- When refresh tokens are delivered in cookies, mark them `HttpOnly` (and `Secure`) so they cannot be read by script or sent in clear.
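The following is an added example, not code from this project, showing how the JWT and multi-tenant rules above fit together: short-lived HS256 access tokens with minimal claims and a `kid` header so signing secrets can be rotated, refresh tokens stored only as hashes with per-token revocation, and permissions evaluated per tenant in the gateway. The in-memory stores, the `tid` claim binding a token to one tenant, the 5-minute lifetime, and all names are assumptions made for the example.

```python
"""Added example (not the project's own code): minimal gateway-side token
handling. Signing keys, stores, TTL, role table and claim names are assumed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed: several HS256 secrets keyed by `kid`, so tokens signed with the
# previous secret still verify during a rotation window.
SIGNING_KEYS = {"k1": b"previous-secret-retired-soon", "k2": b"current-secret"}
CURRENT_KID = "k2"
ACCESS_TTL = 300  # seconds; access tokens are short-lived


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(sub: str, tenant: str, now=None) -> str:
    """Minimal claims: subject, tenant, issued-at, expiry. No permissions."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": CURRENT_KID}
    payload = {"sub": sub, "tid": tenant, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEYS[CURRENT_KID], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now=None):
    """Return the payload if signature, kid and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":
            return None  # reject alg confusion such as "none"
        key = SIGNING_KEYS.get(header.get("kid"))
        if key is None:
            return None  # unknown or fully retired signing key
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        payload = json.loads(_b64url_decode(p64))
        if payload["exp"] <= now:
            return None
        return payload
    except (ValueError, KeyError, TypeError):
        return None


# Assumed in-memory store: sha256(refresh token) -> record. The raw token is
# handed to the client once and never persisted.
REFRESH_STORE = {}


def _hash_refresh(raw: str) -> str:
    return hashlib.sha256(raw.encode()).hexdigest()


def issue_refresh_token(sub: str, tenant: str) -> str:
    raw = secrets.token_urlsafe(32)
    REFRESH_STORE[_hash_refresh(raw)] = {"sub": sub, "tid": tenant, "revoked": False}
    return raw


def revoke_refresh_token(raw: str) -> bool:
    rec = REFRESH_STORE.get(_hash_refresh(raw))
    if rec is None:
        return False
    rec["revoked"] = True
    return True


def redeem_refresh_token(raw: str, now=None):
    """Exchange a live refresh token for a fresh access token, or None."""
    rec = REFRESH_STORE.get(_hash_refresh(raw))
    if rec is None or rec["revoked"]:
        return None
    return mint_access_token(rec["sub"], rec["tid"], now)


# Assumed: roles are granted per (user, tenant); the gateway resolves them at
# request time, so a role in one tenant confers nothing in another.
ROLE_PERMS = {"admin": {"read", "write", "manage"}, "viewer": {"read"}}
MEMBERSHIPS = {("alice", "acme"): "admin", ("alice", "globex"): "viewer"}


def has_permission(payload, tenant: str, perm: str) -> bool:
    if payload is None or payload.get("tid") != tenant:
        return False  # token not valid, or bound to a different tenant
    role = MEMBERSHIPS.get((payload["sub"], tenant))
    return perm in ROLE_PERMS.get(role, set())
```

In a real deployment the signing keys would come from a secret store and the refresh-token table from a database; the structure stays the same: verify signature and `kid`, then expiry, then look up the subject's role for the tenant the request names, never for a tenant named only in the request body.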