The security
posture.

JWTShield never stores bearer tokens. We hash for the audit trail and discard the raw token at the close of each verification request. Evidence records the decision, not the secret.

Today

• Zero token storage. Tokens are hashed for audit, never persisted.
• JWKS cache with explicit TTL and refresh-on-kid-miss.
• Argon2id for API key secret hashing.
• Per-tier rate limit + monthly cap enforced server-side via Redis.
• CORS allowlist locked to jwtshield.com origins.

Roadmap

• SOC 2 Type II — Q3 2026.
• Dedicated regional cache + per-issuer profiles — Q3 2026.
• SAML SSO + named contact for Enterprise — Q3 2026.
• ISO 27001 / HIPAA / GDPR DPA — 2027.

Disclose a vulnerability: security@jwtshield.com.