Security Considerations

Authentication

  • Header: Authorization: Bearer <JWT>

  • Algorithms allowed: RS256, ES256 (an allow-list: a token whose alg is anything else, including none or an HMAC algorithm, is rejected before its signature is examined)

  • Required claim: sub (used as user id/tenant key)

  • Checks: iat must not be in the future; an expired token is rejected with WWW-Authenticate: Bearer error="expired_token" (client authors: expired_token is this server's own code, not one of the values RFC 6750 registers, so generic Bearer clients may only recognise invalid_token)

  • Public key source: JWT_PROVIDER_PUBLIC_KEY must hold the verification key as DER-encoded SubjectPublicKeyInfo (SPKI), then Base64-encoded; not PEM, not a PKCS#1 RSA key, not a raw EC point

Note: Swagger labels the auth scheme as oneclick-jwt, but requests must use the standard Authorization header.

Debug Endpoints (local only)

If ENABLE_DEBUG_SIGN_ENDPOINT=true, the server exposes:

  • POST /auth/debug/keypair → generate RS256/ES256 keys (DER), optionally persist to .env

  • POST /auth/debug/sign → sign a short‑lived JWT for testing

Never enable these in production: the sign endpoint mints tokens the server itself accepts, so an exposed instance hands out working credentials.

Transport & Keys

  • Always run behind HTTPS in production

  • Protect private keys and .env files

  • Rotate keys periodically; prefer short token TTLs for automation

Multi‑Tenant Isolation

  • Storage is scoped by sub → each user sees only their own DIDs and VCs

  • Confirmation of flows is restricted to the user that initiated them
