Backend: Implement signed JWT service tokens for internal services (replace shared API keys) #219

@greatest0fallt1me

Description

Replace long-lived shared API keys with short-lived, signed JWT service tokens for internal service-to-service calls. Include key rotation, audience/issuer checks, and structured permission claims.

Requirements and context

  • Must be secure, tested, and documented.
  • Must support key rotation without downtime.
  • Must include clear migration plan (support both for a window).

Suggested execution

git checkout -b feature/service-jwt-tokens

Implement changes

  • Add JWT verification middleware for internal routes.
  • Add token minting for service accounts (admin-only).
  • Integration tests for token validity, expiry, and audience checks.
  • Document in docs/security/service-auth.md.

Test and commit

npm test

Example commit message

feat(auth): service JWT tokens with rotation and migration plan

Guidelines

  • Timeframe: 96 hours.

Labels: architecture (Architecture refactors), auth (Authentication/authorization), backend (Backend service/API work), security (Security hardening), testing (Tests and coverage)