§ 07 · CHANGELOG

What we shipped.

Every release. Every refusal case added. Every JWKS edge case discovered the hard way.

0.0.1
APR 26, 2026
feature

Initial release

First public version. Eight verification endpoints, structured findings, JWKS rotation analysis, CI OIDC support, and a public health endpoint for monitoring.

Verification

  • POST /v1/inspect/token decodes any JWT and reports structural-risk warnings (ALG_NONE, JKU_PRESENT, KID_MISSING, EXP_MISSING) without making trust claims.
  • POST /v1/validate/jwt runs full verification — signature, issuer, audience, algorithm, time, required claims — against either an inline VerifyPolicy or a registered issuer profile. It always returns HTTP 200; a verification failure is reported as structured findings[] in the body, not as an HTTP error.
  • POST /v1/test/auth-regression batches multiple validation checks and aggregates a suite-level pass/fail, with expected_failure_codes for negative fixtures.
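As an added, offline illustration of what the three verification endpoints do (this is example code written for this page, not the service's implementation), the block below implements the same three flows locally for HS256: a non-verifying inspect that only emits the structural warnings ALG_NONE, JKU_PRESENT, KID_MISSING and EXP_MISSING; a full validate that checks algorithm, signature, issuer, audience, time and required claims in a fixed order and never raises, so the caller can always answer 200 with findings[]; and a regression batch with expected_failure_codes for negative fixtures. The VerifyPolicy field names, the finding codes other than the four above (ALG_NOT_ALLOWED, SIG_INVALID, ISS_MISMATCH, AUD_MISMATCH, TOKEN_EXPIRED, TOKEN_NOT_YET_VALID, CLAIM_MISSING, MALFORMED), the secret and the fixed clock are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_hs256(header, claims, secret):
    """Build sample tokens for this example (HS256 only)."""
    signing_input = f"{_segment(header)}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def inspect_token(token):
    """Decode without verifying; report structural-risk warnings, no trust claim."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"findings": [{"code": "MALFORMED", "severity": "error"}]}
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append({"code": "ALG_NONE", "severity": "high"})
    if "jku" in header:
        findings.append({"code": "JKU_PRESENT", "severity": "medium"})
    if "kid" not in header:
        findings.append({"code": "KID_MISSING", "severity": "low"})
    if "exp" not in claims:
        findings.append({"code": "EXP_MISSING", "severity": "medium"})
    return {"header": header, "claims": claims, "findings": findings}


def validate_jwt(token, policy, secret, now=None):
    """Full verification in a fixed order; the first finding's dimension is the failure category."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"valid": False, "failure_category": "structure",
                "findings": [{"code": "MALFORMED", "dimension": "structure", "evidence": {}}]}
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    findings = []

    def fail(code, dimension, **evidence):
        findings.append({"code": code, "dimension": dimension, "evidence": evidence})

    # Algorithm allow-list is enforced BEFORE the signature is touched, so alg=none
    # or an HS/RS confusion token never reaches key material.
    alg = header.get("alg")
    if alg not in policy["algorithms"]:
        fail("ALG_NOT_ALLOWED", "algorithm", alg=alg)
    elif alg == "HS256":
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            fail("SIG_INVALID", "signature")
    else:
        fail("ALG_UNSUPPORTED", "algorithm", alg=alg)  # this example implements HS256 only
    if claims.get("iss") != policy["issuer"]:
        fail("ISS_MISMATCH", "issuer", iss=claims.get("iss"))
    aud = claims.get("aud")
    if policy["audience"] not in (set(aud) if isinstance(aud, list) else {aud}):
        fail("AUD_MISMATCH", "audience", aud=aud)
    leeway = policy.get("leeway", 0)
    if "exp" in claims and claims["exp"] + leeway < now:
        fail("TOKEN_EXPIRED", "time", exp=claims["exp"])
    if "nbf" in claims and claims["nbf"] - leeway > now:
        fail("TOKEN_NOT_YET_VALID", "time", nbf=claims["nbf"])
    for name in policy.get("required_claims", []):
        if name not in claims:
            fail("CLAIM_MISSING", "claims", claim=name)
    return {"valid": not findings, "findings": findings,
            "failure_category": findings[0]["dimension"] if findings else None}


def auth_regression(cases, policy, secret, now=None):
    """Batch fixtures; a negative fixture passes only if its expected codes all appear."""
    results = []
    for case in cases:
        r = validate_jwt(case["token"], policy, secret, now)
        codes = {f["code"] for f in r["findings"]}
        expected = set(case.get("expected_failure_codes", []))
        passed = (not r["valid"] and expected <= codes) if expected else r["valid"]
        results.append({"name": case["name"], "passed": passed, "codes": sorted(codes)})
    return {"passed": all(c["passed"] for c in results), "cases": results}


# Constructed sample input: fixed clock, throwaway secret, inline policy, four fixtures.
NOW = 1_800_000_000
SECRET = b"example-shared-secret-not-for-production"
POLICY = {"issuer": "https://issuer.example", "audience": "api://orders",
          "algorithms": ["HS256"], "required_claims": ["sub", "exp"], "leeway": 30}
BASE = {"iss": "https://issuer.example", "aud": "api://orders", "sub": "u1",
        "iat": NOW - 60, "exp": NOW + 300}
GOOD = sign_hs256({"alg": "HS256", "typ": "JWT", "kid": "k1"}, BASE, SECRET)
EXPIRED = sign_hs256({"alg": "HS256", "kid": "k1"}, {**BASE, "exp": NOW - 3600}, SECRET)
WRONG_AUD = sign_hs256({"alg": "HS256", "kid": "k1"}, {**BASE, "aud": "api://other"}, SECRET)
# alg=none forgery: empty signature segment, no kid, and no exp either
NONE_ALG = f"{_segment({'alg': 'none'})}.{_segment({k: v for k, v in BASE.items() if k != 'exp'})}."
SUITE = auth_regression([
    {"name": "good", "token": GOOD},
    {"name": "expired", "token": EXPIRED, "expected_failure_codes": ["TOKEN_EXPIRED"]},
    {"name": "wrong-aud", "token": WRONG_AUD, "expected_failure_codes": ["AUD_MISMATCH"]},
    {"name": "alg-none", "token": NONE_ALG, "expected_failure_codes": ["ALG_NONE_ALLOWED_NEVER", "ALG_NOT_ALLOWED"][1:]},
], POLICY, SECRET, NOW)
```

Two details worth copying: the allow-list check runs before any signature work, and the checks keep going after the first failure so a single response carries every finding, while failure_category still names the first failing dimension.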

OIDC + CI

  • POST /v1/providers/discover performs OpenID Connect Discovery 1.0 with normalized output and JWKS reachability classification.
  • POST /v1/lint/oidc-config static-analyses an OIDC config for weak algorithms, insecure URIs, JWKS reachability, and discovered/configured jwks_uri mismatch.
  • POST /v1/validate/ci-oidc validates GitHub Actions and GitLab CI OIDC tokens with provider-specific claim assertions (expected_repository, expected_ref, expected_project_path, expected_ref_protected).
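An added example (written for this page, not the service's own code) of the two static pieces above: a lint over a discovery document that flags weak advertised algorithms, non-https endpoints and a discovered/configured jwks_uri mismatch, and the provider-specific claim assertions for GitHub Actions and GitLab CI. JWKS reachability is a network check and is deliberately left out. The finding codes, the lint policy (alg "none" is high, a symmetric HS* algorithm advertised by a public issuer is medium) and the sample documents are assumptions; the claim names repository, ref, project_path and ref_protected are the ones those providers put in their tokens.

```python
from urllib.parse import urlparse

# Endpoints that must be present and served over https (assumed lint policy).
REQUIRED_HTTPS_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def lint_oidc_config(discovered, configured=None):
    """Static checks only: no network, so JWKS reachability is not classified here."""
    findings = []

    def add(code, severity, **evidence):
        findings.append({"code": code, "severity": severity, "evidence": evidence})

    for alg in discovered.get("id_token_signing_alg_values_supported", []):
        if alg == "none":
            add("ALG_NONE_ADVERTISED", "high", alg=alg)
        elif alg.startswith("HS"):
            add("ALG_SYMMETRIC_ADVERTISED", "medium", alg=alg)
    for field in REQUIRED_HTTPS_FIELDS:
        url = discovered.get(field)
        if not url:
            add("FIELD_MISSING", "high", field=field)
        elif urlparse(url).scheme != "https":
            add("INSECURE_URI", "high", field=field, url=url)
    if configured and configured.get("jwks_uri") and configured["jwks_uri"] != discovered.get("jwks_uri"):
        add("JWKS_URI_MISMATCH", "high",
            configured=configured["jwks_uri"], discovered=discovered.get("jwks_uri"))
    return findings


# expectation name -> token claim, per provider
CI_CLAIM_MAP = {
    "github_actions": {"expected_repository": "repository", "expected_ref": "ref"},
    "gitlab": {"expected_project_path": "project_path", "expected_ref": "ref",
               "expected_ref_protected": "ref_protected"},
}


def assert_ci_claims(provider, claims, expectations):
    """Provider-specific claim assertions; an empty list means every expectation matched."""
    findings = []
    mapping = CI_CLAIM_MAP[provider]
    for key, want in expectations.items():
        claim = mapping.get(key)
        if claim is None:
            findings.append({"code": "EXPECTATION_NOT_APPLICABLE", "expectation": key, "provider": provider})
            continue
        got = claims.get(claim)
        if claim == "ref_protected":
            # GitLab encodes ref_protected as the JSON string "true"/"false"; accept bool or string.
            got = str(got).lower() == "true"
        if got != want:
            findings.append({"code": "CI_CLAIM_MISMATCH", "claim": claim, "expected": want, "actual": got})
    return findings


# Constructed sample input with deliberate problems: http jwks_uri, "none" and HS256 advertised.
DISCOVERED = {
    "issuer": "https://issuer.example",
    "authorization_endpoint": "https://issuer.example/authorize",
    "token_endpoint": "https://issuer.example/token",
    "jwks_uri": "http://issuer.example/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256", "HS256", "none"],
}
CONFIGURED = {"jwks_uri": "https://issuer.example/.well-known/jwks.json"}
CLEAN = {**DISCOVERED, "jwks_uri": CONFIGURED["jwks_uri"],
         "id_token_signing_alg_values_supported": ["RS256"]}
GITHUB_CLAIMS = {"iss": "https://token.actions.githubusercontent.com",
                 "repository": "acme/payments", "ref": "refs/heads/main"}
GITLAB_CLAIMS = {"iss": "https://gitlab.example", "project_path": "acme/payments",
                 "ref": "main", "ref_protected": "true"}
```

Pinning expected_ref (and, for GitLab, expected_ref_protected) alongside the repository is what stops a token minted on a feature branch of the same repository from passing a check meant for main.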

Operations

  • POST /v1/validate/jwks-rotation classifies rotation between two JWKS snapshots as no_change, safe_overlap, overlap, or disjoint, with optional sample-token verification.
  • GET /v1/presets/{provider} returns starter VerifyPolicy templates for auth0, okta, cognito, github_actions, and gitlab.
  • GET /v1/health reports overall status plus component-level state (api, profile_registry, jwks_cache, http_client) for external monitoring and the public status page.
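The rotation classifier, as an added example (not the service's code) of the four classes named above. The rules are assumptions for this example: no_change is an identical kid set, safe_overlap keeps every old kid and adds at least one (tokens signed before the rotation still verify), overlap shares some kids but drops at least one old one, and disjoint shares none. Two edge cases a practitioner hits in practice are handled on top: a kid that reappears with different key material, and keys published without a kid. The sample-token check is reduced to kid resolution; the finding codes and the placeholder key values are constructed for this example.

```python
# Key-material fields compared when the same kid appears in both snapshots;
# metadata such as "use", "alg" and "key_ops" is ignored.
MATERIAL_FIELDS = ("kty", "crv", "n", "e", "x", "y")


def _material(key):
    return {f: key[f] for f in MATERIAL_FIELDS if f in key}


def _index(jwks):
    return {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}


def classify_rotation(old_jwks, new_jwks, sample_token_kid=None):
    """Classify the change between two JWKS snapshots by kid set (rules assumed):
    no_change    identical kid sets
    safe_overlap every old kid kept, at least one new kid added
    overlap      some kids shared, at least one old kid removed
    disjoint     no kid in common: every outstanding token stops verifying"""
    old, new = _index(old_jwks), _index(new_jwks)
    findings = []
    for label, jwks, index in (("old", old_jwks, old), ("new", new_jwks, new)):
        without_kid = len(jwks.get("keys", [])) - len(index)
        if without_kid:
            findings.append({"code": "KID_MISSING", "severity": "medium",
                             "snapshot": label, "keys_without_kid": without_kid})
    shared = sorted(old.keys() & new.keys())
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    # Same kid, different material: verifiers that cache by kid keep trusting the
    # old key or reject the new one. Classification stays kid-based, so this is
    # surfaced as a high-severity finding rather than a fifth class.
    for kid in shared:
        if _material(old[kid]) != _material(new[kid]):
            findings.append({"code": "KID_REUSED_NEW_MATERIAL", "severity": "high", "kid": kid})
    if not added and not removed:
        classification = "no_change"
    elif not removed:
        classification = "safe_overlap"
    elif shared:
        classification = "overlap"
    else:
        classification = "disjoint"
    result = {"classification": classification, "shared": shared, "added": added,
              "removed": removed, "findings": findings}
    if sample_token_kid is not None:
        # Simplified sample-token check: kid resolution only, no signature verification.
        resolves = sample_token_kid in new
        result["sample_token"] = {"kid": sample_token_kid, "resolves_in_new": resolves}
        if not resolves and sample_token_kid in old:
            findings.append({"code": "SAMPLE_TOKEN_KID_RETIRED", "severity": "high",
                             "kid": sample_token_kid})
    return result


# Constructed snapshots; "n"/"x"/"y" values are placeholders, not real key material.
K_A = {"kty": "RSA", "kid": "2024-a", "n": "n-2024-a", "e": "AQAB", "use": "sig"}
K_B = {"kty": "EC", "kid": "2024-b", "crv": "P-256", "x": "x-2024-b", "y": "y-2024-b"}
K_C = {"kty": "RSA", "kid": "2025-c", "n": "n-2025-c", "e": "AQAB"}
OLD = {"keys": [K_A, K_B]}
ADDITIVE = {"keys": [K_A, K_B, K_C]}                    # new key published, old ones kept
SWAP = {"keys": [K_B, K_C]}                             # 2024-a retired as 2025-c arrives
FRESH = {"keys": [K_C]}                                 # everything replaced at once
REKEYED = {"keys": [{**K_A, "n": "n-REISSUED"}, K_B]}   # same kid, new modulus
NO_KID = {"keys": [K_A, K_B, {"kty": "RSA", "n": "n-anon", "e": "AQAB"}]}
```

The REKEYED case is the one to watch: by kid set it is no_change, which is exactly why the classification alone is not enough and the finding list has to travel with it.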

Platform

  • Algorithm support: HS256/HS384/HS512, RS256/RS384/RS512, ES256/ES384, EdDSA.
  • JWKS resolver with single-flight per-profile refresh, Cache-Control max-age honored up to a configured upper bound, and per-profile cold-cache hydration.
  • Per-plan rate limiting and monthly verify quotas.
  • Audit middleware tags every request with a request_id, duration, status, and (on validation failures) the first failing dimension as failure_category.
  • Structured Finding taxonomy: every error code listed in the Errors reference with severity, evidence, and remediation hints.
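To make the resolver bullet concrete, here is an added example (written for this page, not the service's resolver) of a per-profile JWKS cache with single-flight refresh, Cache-Control max-age clamped to an upper bound, cold-cache hydration, and one caveat the page does not spell out: a refresh triggered by an unknown kid is rate-limited, otherwise a stream of forged kids turns the verifier into a load generator against the issuer. The HTTP client is replaced by a constructed fetch function and the clock by a fake one so the block runs offline; the method names, the TTL defaults and the min_refresh cooldown are assumptions.

```python
import threading
import time


def parse_max_age(cache_control):
    """max-age seconds from a Cache-Control value, or None if absent or unparsable."""
    if not cache_control:
        return None
    for directive in cache_control.split(","):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdigit():
            return int(value)
    return None


def _find_key(jwks, kid):
    return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)


class JwksCache:
    """Per-profile JWKS cache. TTL = max-age clamped to max_ttl (default_ttl if absent).
    One lock per profile: concurrent misses make one upstream fetch and never block
    other profiles. Unknown-kid refreshes are limited to one per min_refresh seconds."""

    def __init__(self, fetch, default_ttl=300, max_ttl=3600, min_refresh=60, clock=time.monotonic):
        self._fetch = fetch          # fetch(jwks_uri) -> (jwks_dict, response_headers_dict)
        self._default_ttl, self._max_ttl, self._min_refresh = default_ttl, max_ttl, min_refresh
        self._clock = clock
        self._entries = {}           # profile -> {"jwks", "fetched_at", "expires_at"}
        self._locks = {}             # profile -> threading.Lock
        self._guard = threading.Lock()
        self.fetch_count = 0

    def _lock_for(self, profile):
        with self._guard:
            return self._locks.setdefault(profile, threading.Lock())

    def _refresh(self, profile, jwks_uri):
        jwks, headers = self._fetch(jwks_uri)
        self.fetch_count += 1
        max_age = parse_max_age(headers.get("Cache-Control"))
        ttl = self._default_ttl if max_age is None else min(max_age, self._max_ttl)
        now = self._clock()
        self._entries[profile] = {"jwks": jwks, "fetched_at": now, "expires_at": now + ttl}
        return jwks

    def hydrate(self, profile, jwks_uri):
        """Cold-cache hydration at startup so the first token never pays for the fetch."""
        with self._lock_for(profile):
            if profile not in self._entries:
                self._refresh(profile, jwks_uri)

    def ttl_remaining(self, profile):
        return self._entries[profile]["expires_at"] - self._clock()

    def key_for(self, profile, jwks_uri, kid):
        """Resolve kid from cache; refresh (single-flight) on expiry or unknown kid."""
        entry = self._entries.get(profile)
        if entry and entry["expires_at"] > self._clock():
            key = _find_key(entry["jwks"], kid)
            if key is not None:
                return key
        arrived = self._clock()
        with self._lock_for(profile):
            entry = self._entries.get(profile)
            # Refresh only if nobody fetched since we arrived AND the cooldown has passed.
            stale = entry is None or (entry["fetched_at"] < arrived
                                      and self._clock() - entry["fetched_at"] >= self._min_refresh)
            jwks = self._refresh(profile, jwks_uri) if stale else entry["jwks"]
            return _find_key(jwks, kid)


class FakeClock:
    """Deterministic clock for the example; production code keeps time.monotonic."""
    def __init__(self, t=1000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def make_fake_fetch(kids, cache_control, delay=0.0):
    """Stand-in for the HTTP client; the keys are placeholders, not real material."""
    def fetch(jwks_uri):
        time.sleep(delay)  # long enough for a stampede to overlap the fetch
        keys = [{"kty": "RSA", "kid": k, "n": "placeholder", "e": "AQAB"} for k in kids]
        return {"keys": keys}, {"Cache-Control": cache_control}
    return fetch


def demo():
    clock = FakeClock()
    cache = JwksCache(make_fake_fetch(["k1"], "public, max-age=86400", delay=0.02), clock=clock)
    uri = "https://issuer.example/.well-known/jwks.json"
    threads = [threading.Thread(target=cache.key_for, args=("acme", uri, "k1")) for _ in range(5)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    after_stampede = cache.fetch_count        # five cold misses, one fetch
    clamped_ttl = cache.ttl_remaining("acme")  # 86400 from the header, clamped to 3600
    for _ in range(10):
        cache.key_for("acme", uri, "forged-kid")  # unknown kid inside cooldown: no refetch
    after_storm = cache.fetch_count
    clock.advance(3601)                        # past expiry: next lookup refreshes once
    cache.key_for("acme", uri, "k1")
    return {"after_stampede": after_stampede, "clamped_ttl": clamped_ttl,
            "after_storm": after_storm, "after_expiry": cache.fetch_count}
```

The double check inside the lock (entry fetched after we arrived, or still inside the cooldown) is what turns the per-profile lock into single flight rather than serialised refetching.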

Available now

  • HTTP API exposed under /v1/.
  • OpenAPI 3.1 spec for client generation, downloadable from the docs index.
  • Public status page polling /v1/health every 30s with component-level pips.
  • Examples in curl, Node, Python, GitHub Actions, and GitLab CI on the Examples page.