# Security
- A valid JWT is required on every route except `/health`, which is public.
- Tokens are verified against the issuer's JWKS: the key is selected by the token's `kid`, and the signature is checked with that key.
- Required claims: `sub` (user ID), `tenantId`, `roles`. A token missing any of them is rejected.
- Authorization scopes: `crm.read`, `crm.write`, `crm.admin`. Each protected route demands the scope it needs.
- Tenant isolation is enforced on every query by filtering on `tenant_id`, taken from the caller's verified `tenantId` claim rather than from the request.