docs / operations / security

Security model

What the service holds, what it never touches.

  • The service holds only its issuer signing key (encrypted at rest) and bot tokens. Cold, owner, payment, KES, and VRF keys never enter it.
  • Sensitive fields — signing key, bot token, client secret — are encrypted with OUROPASS_FIELD_KEY (AES-256-GCM).
  • The public sub claim is a salted HMAC pseudonym.
  • Admin RBAC: viewer < operator < owner, with step-up re-signing and an immutable audit log.
  • Releases are built reproducibly from pinned base images and run as a non-root user.
Found an issue in these docs? Edit this page on GitHub ↗