Identity Security

Minimum security expectations:

  • Use HTTPS only.
  • Validate redirect URIs strictly.
  • Rotate client secrets and signing keys regularly.
  • Use short-lived access tokens with refresh rotation.
  • Monitor unusual login attempts and token abuse.
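The two items above that are most often implemented loosely are redirect-URI validation and refresh-token handling. The following Python is an added example, not code from this page or its project: it models a small OAuth 2.0 client registry with exact-match redirect-URI checks, and a refresh-token store that rotates on every use and treats reuse of a retired token as abuse (revoking the whole token family and raising an alert for monitoring). Client ids, hostnames and the registry contents are constructed sample data.

```python
"""Added example: strict redirect-URI matching and refresh-token rotation
with reuse detection.  All client ids, URIs and tokens are constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed registry: every client registers its exact redirect URIs.
# Sandbox and production are separate clients with separate URIs.
REGISTERED_CLIENTS: Dict[str, Set[str]] = {
    "web-app": {"https://app.example.com/oauth/callback"},
    "sandbox-app": {"https://sandbox.example.com/oauth/callback"},
}


def validate_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Accept redirect_uri only if it is HTTPS, fragment-free and an exact
    registered match for this client.  Exact comparison is the point: prefix
    or substring matching accepts look-alike hosts and appended paths."""
    allowed = REGISTERED_CLIENTS.get(client_id)
    if not allowed:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":   # HTTPS only
        return False
    if parts.fragment:            # redirect URIs must not carry a fragment
        return False
    return redirect_uri in allowed  # exact match, never startswith()


@dataclass
class RefreshTokenStore:
    """Rotation: each use retires the presented token and issues a new one in
    the same family (one family = one session).  Presenting a retired token
    means it was replayed, so the family is revoked and an alert is recorded."""
    active: Dict[str, str] = field(default_factory=dict)   # token -> family
    retired: Dict[str, str] = field(default_factory=dict)  # token -> family
    revoked_families: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def issue(self, family: Optional[str] = None) -> str:
        """Mint a fresh refresh token, starting a new family if none given."""
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.active[token] = family
        return token

    def rotate(self, presented: str) -> Optional[str]:
        """Return a replacement token, or None if the presented one is unusable."""
        if presented in self.active:
            family = self.active.pop(presented)
            if family in self.revoked_families:
                return None
            self.retired[presented] = family
            return self.issue(family)
        if presented in self.retired:
            # Reuse of an already-rotated token: treat the whole session as
            # compromised, drop every live token in the family, and alert.
            family = self.retired[presented]
            self.revoked_families.add(family)
            for tok in [t for t, f in self.active.items() if f == family]:
                del self.active[tok]
            self.alerts.append(
                f"refresh token reuse detected; family {family} revoked")
        return None


if __name__ == "__main__":
    print(validate_redirect_uri("web-app", "https://app.example.com/oauth/callback"))
    store = RefreshTokenStore()
    first = store.issue()
    second = store.rotate(first)
    store.rotate(first)   # replay of a retired token
    print(store.alerts, store.rotate(second))
```

The `alerts` list stands in for whatever the real deployment feeds its monitoring pipeline; the useful signal is that a retired token was presented at all, which is the "token abuse" the expectations list asks you to watch for.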

Environment separation

  • Sandbox identity and production identity must be isolated.
  • Never reuse sandbox credentials in production.

Login policy

  • Passkeys preferred
  • TOTP fallback
  • Recovery flow with audit trail