Production security
Orionis is intentionally small, but production deployments still need clear operational boundaries.
Secrets
- Prefer `secret_sha256_hex` in config.
- Keep plaintext client secrets outside Git.
- Use one client id per calling service.
Keys
- Inject production signing keys through `private_key_pem_env`.
- Use `keys` plus `active_kid` for overlapping key rotation.
- Use `/app/var` only for local file-backed demo keys.
- Keep private signing keys readable only by the auth server.
- Publish old and new public keys together during rotation.
Tokens
- Use short access token TTLs, usually 5 to 15 minutes.
- Validate issuer, audience, time claims, signature, token use, and scopes.
- Do not reuse tokens across audiences.
- Keep rate limiting and audit logs enabled for `/oauth/token` and `/readyz`.