core/identity-gateway/docs/security.md
2025-12-27 14:20:43 -03:00

Security Model

Principles

  • Tokens are internal-only and never exposed to untrusted clients directly.
  • Permissions are centrally managed in the gateway.
  • Providers only validate identity; they do not set sessions or permissions.

JWTs

  • Access tokens are short-lived and contain minimal claims.
  • Refresh tokens are stored hashed and revocable.

Multi-tenant isolation

  • User membership is scoped by tenant.
  • Roles and permissions are evaluated per tenant.
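The two rules above that carry the most implementation weight are the hashed, revocable refresh-token store and the per-tenant evaluation of roles. The following is an added illustration written for this page, not the identity-gateway's own code; the role table, tenant names and users are constructed sample values.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Role -> permissions table (constructed sample policy, not the gateway's real one).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"users:read", "users:write"},
    "viewer": {"users:read"},
}


class RefreshTokenStore:
    """Refresh tokens are persisted only as SHA-256 digests, so a copied table
    cannot be replayed; each row carries an expiry and a revoked flag."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}  # digest -> {"user", "tenant", "exp", "revoked"}

    @staticmethod
    def _digest(token: str) -> str:
        # The token is 256 bits of CSPRNG output, so an unsalted hash is sufficient.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, tenant: str, ttl: int = 30 * 86400, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)  # shown to the client exactly once
        exp = (now if now is not None else time.time()) + ttl
        self._rows[self._digest(token)] = {"user": user, "tenant": tenant, "exp": exp, "revoked": False}
        return token  # the plaintext is never written to the store

    def revoke(self, token: str) -> bool:
        row = self._rows.get(self._digest(token))
        if row is None:
            return False
        row["revoked"] = True
        return True

    def validate(self, token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        row = self._rows.get(self._digest(token))
        current = now if now is not None else time.time()
        if row is None or row["revoked"] or current >= row["exp"]:
            return None
        return row["user"], row["tenant"]


class TenantMembership:
    """Membership is keyed by (user, tenant): a role in one tenant grants nothing in another."""

    def __init__(self) -> None:
        self._roles: Dict[Tuple[str, str], Set[str]] = {}

    def grant(self, user: str, tenant: str, role: str) -> None:
        self._roles.setdefault((user, tenant), set()).add(role)

    def has_permission(self, user: str, tenant: str, permission: str) -> bool:
        roles = self._roles.get((user, tenant), set())
        return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)
```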

Operational safeguards

  • Rotate JWT secrets regularly.
  • Use TLS in production.
  • Enable HttpOnly cookies for refresh tokens when needed.