# SigID Security

SigID keeps protocol-critical auth on a dedicated hosted auth origin and keeps product surfaces separate from tenant operations.

## Main Security Boundaries

- `auth.sigid.org` owns OAuth/OIDC authorization, consent, callbacks, token issuance, discovery, JWKS, passkey ceremonies, and MFA interstitials.
- `identity.sigid.org` owns the global user account, passkeys, MFA, sessions, recovery, connected apps, personal agents, wallets, vaults, and delegations.
- `dashboard.sigid.org` owns tenant operations such as applications, domains, branding, billing, policy, audit, SSO, SCIM, and webhooks.
- `www.sigid.org` owns content and discovery only.

## Token Validation Requirements

Backends must validate:

- signature
- issuer
- audience
- expiry and not-before
- tenant context
- scopes
- subject type
- delegation `act` claim when present
- DPoP or confirmation claim when required

Do not authorize based on decoded-but-unverified JWTs, frontend state, hidden buttons, email addresses, or route names.

## Agent Security

Agent challenge-response uses tenant-bound, single-use challenges. SigID verifies key usability, revocation state, and the signature over the canonical challenge payload before issuing tokens. Registration uses uniqueness checks and proof-of-work where public registration is exposed.

## Operational Security

Tenant branding is constrained to hosted auth and related trust surfaces. Dashboard remains SigID-owned. Audit logs cover applications, operators, billing, policies, agent activity, delegation, wallet actions, and security-sensitive changes.

## Read Next

- `https://docs.sigid.org/reference/security-model/`
- `https://docs.sigid.org/reference/oauth-oidc/`
- `https://docs.sigid.org/developers/verify-tokens/`