docs / operations / security
Security model
What the service holds, what it never touches.
- The service holds only its issuer signing key (encrypted at rest) and bot tokens. Cold, owner, payment, KES, and VRF keys never enter it.
- Sensitive fields — signing key, bot token, client secret — are encrypted with
OUROPASS_FIELD_KEY(AES-256-GCM). - The public
subclaim is a salted HMAC pseudonym. - Admin RBAC:
viewer<operator<owner, with step-up re-signing and an immutable audit log. - Releases are built reproducibly from pinned base images and run as a non-root user.
Found an issue in these docs? Edit this page on GitHub ↗