Security Considerations

To maintain the integrity of your authentication system, it's important to follow key security best practices around credentials, token handling, and environment management.

🔐 Master Credentials

  • The Master username and password are highly sensitive.

  • These should never be hardcoded or exposed in source code or logs.

  • Store them securely using environment variables:

    • MASTER_USERNAME

    • MASTER_PASSWORD

  • Restrict access to environments that hold Master credentials (e.g., CI/CD, server runtime).


🔑 Token Security

  • Tokens should be treated like passwords.

  • Always transmit them over HTTPS to prevent interception.

  • Tokens should have a reasonable expiration time (expires_in) to limit the damage if one is compromised. For now, tokens have a default lifetime of 30 days.

  • Do not store tokens in client-side locations that are vulnerable (e.g., localStorage in browsers, which any script running on the page, including injected XSS, can read).


🧾 User Secrets

  • User secrets are used to authenticate and generate tokens.

  • When distributing secrets to users or partners, ensure the channel is encrypted and trusted.


🏷️ Environment Separation

  • Clearly separate staging and production environments:

    • Use different sets of credentials.

    • Consider using separate client/user records per environment.

  • Never share secrets or tokens across environments.


📜 Logging

  • Avoid logging sensitive information like:

    • Master credentials

    • User secrets

    • Tokens

Use structured logging and redact sensitive fields if necessary.
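As an added illustration (not code from this documentation or its API), a minimal Python structured logger that redacts master credentials, user secrets and tokens before a line is written; the field names in SENSITIVE_KEYS and the sample event are assumptions:

```python
import json
import logging
import re
from typing import Any

# Field names that must never reach a log in plaintext: master credentials,
# user secrets and tokens. The exact names are an assumption; match your own schema.
SENSITIVE_KEYS = {"master_username", "master_password", "password", "secret",
                  "user_secret", "client_secret", "token", "access_token", "authorization"}
# Tokens also leak inside free-text messages (e.g. a dumped Authorization header).
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+")


def redact(value: Any) -> Any:
    """Recursively replace sensitive dict values and bearer tokens inside strings."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return BEARER_RE.sub("Bearer [REDACTED]", value)
    return value  # numbers, booleans, None (e.g. expires_in) pass through untouched


class JsonRedactingFormatter(logging.Formatter):
    """One JSON object per line; structured data is passed via extra={"fields": {...}}."""

    def format(self, record: logging.LogRecord) -> str:
        payload = {"level": record.levelname, "logger": record.name,
                   "message": redact(record.getMessage()),
                   "fields": redact(getattr(record, "fields", {}))}
        return json.dumps(payload, sort_keys=True)


def format_event(message: str, fields: dict) -> str:
    """Render one event exactly as a handler using the formatter would write it."""
    record = logging.LogRecord("auth", logging.INFO, "auth.py", 0, message, None, None)
    record.fields = fields
    return JsonRedactingFormatter().format(record)


if __name__ == "__main__":
    # Constructed sample: what an over-eager login handler might try to log.
    print(format_event("token issued, Authorization: Bearer eyJhbGci.payload.sig", {
        "master_username": "svc-admin", "master_password": "hunter2",
        "client": {"id": "partner-42", "user_secret": "s3cr3t"},
        "token": "eyJhbGci.payload.sig", "expires_in": 2592000,  # 30-day default
    }))
```

Attach the formatter to your handler with `handler.setFormatter(JsonRedactingFormatter())` and pass structured data as `log.info("...", extra={"fields": {...}})`; nested objects and lists are redacted as well.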
