Signed op1 tokens (mint_signed_token :541, validate_signed_token :551) carry a nonce that is never persisted or checked. A leaked token is valid until it expires, with no way to revoke it.
Fix options (pick one or combine)
- Nonce blacklist: persist rejected nonces (SQLite, small on-disk set) until each nonce's expiry. Cheap; short-window mitigation.
- Key-version prefix: include a signing-key version in the token payload; rotate the key to invalidate every outstanding token in one operation.
- Refresh-token model: short-lived access tokens (minutes) + refresh tokens (revocable).
Ship at minimum the key-version prefix; it's the smallest durable revocation surface.
Size: M
Signed
op1tokens (mint_signed_token:541,validate_signed_token:551) carry a nonce that is never persisted or checked. A leaked token is valid until it expires, with no way to revoke it.Fix options (pick one or combine)
Ship at minimum the key-version prefix; it's the smallest durable revocation surface.
Size: M