TLS requirements

All requests must use TLS with at least 128-bit transport security. Non-TLS requests may be rejected with 403. The only exception is local development on machines without a configured domain.

API keys and secrets

API keys and secrets are required for account creation. Store them in a secure backend and never expose them in browser or mobile clients.

JWT usage

JWTs are short-lived and must be refreshed before expiration. Treat them as bearer tokens and store them securely.

Nonces and replay protection

Signed requests use nonces. Nonces must be unique and unpredictable; reusing a nonce will invalidate a request.
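The page does not define the signing scheme, so the following is an added example rather than the API's own code: it assumes a hypothetical HMAC-SHA256 signature over method, path, body, nonce and timestamp, and an assumed 300-second freshness window, and shows how a server can reject a request whose nonce has already been seen.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example secret (hypothetical); a real one lives only in the backend.
API_SECRET = b"example-secret-not-for-production"
NONCE_TTL_SECONDS = 300  # assumed freshness window; the page sets no specific value


def new_nonce() -> str:
    """Unpredictable, unique nonce: 128 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(16)


def sign_request(method: str, path: str, body: str, nonce: str, ts: int) -> str:
    """HMAC-SHA256 over the request fields. The nonce and timestamp are inside
    the MAC, so they cannot be swapped without invalidating the signature."""
    msg = "\n".join([method, path, body, nonce, str(ts)]).encode()
    return hmac.new(API_SECRET, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server-side check: valid signature, fresh timestamp, nonce never seen."""

    def __init__(self):
        self._seen = {}  # nonce -> expiry time (seconds since epoch)

    def _purge(self, now: int) -> None:
        # Drop nonces older than the window; the timestamp check below
        # guarantees a purged nonce can no longer be replayed successfully.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}

    def verify(self, method, path, body, nonce, ts, sig, now=None) -> bool:
        now = int(time.time()) if now is None else now
        expected = sign_request(method, path, body, nonce, ts)
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False
        if abs(now - ts) > NONCE_TTL_SECONDS:  # stale or future-dated request
            return False
        self._purge(now)
        if nonce in self._seen:  # replay: same nonce presented a second time
            return False
        self._seen[nonce] = now + NONCE_TTL_SECONDS
        return True
```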

Rate limits and audits

Login and recovery endpoints are audited and may be rate-limited. Excessive requests can lead to temporary or permanent blocks.