
Security

JWT Handling

  • Do not hardcode JWT tokens into frontend code; anything shipped to the browser can be read by every user of the page.
  • Do not expose JWT tokens in browser environments, including through API responses, query strings or client-side configuration.
  • Prefer calling the RFQ HTTP API from a server-side component that holds the token, and have the browser talk to that component instead of to the API directly.

Transport

  • Use HTTPS for all production requests; a bearer token sent over plain HTTP can be read and replayed by anyone on the network path.

Storage

  • Avoid storing JWT tokens in locations that are easy to exfiltrate (for example localStorage, which any script running in the page origin, including injected XSS payloads, can read).
  • Prefer server-side secret storage (for example environment variables or a secrets manager read by the server-side component) or an httpOnly cookie pattern, in which the browser holds only a session cookie that page scripts cannot read and never sees the JWT itself.

Rotation

  • Rotate JWT tokens periodically, and immediately if a token may have leaked (for example through a log, a crash report or a source repository).

Logging

  • Do not log tokens, including the Authorization header of outgoing requests and any request object that carries it.
  • When reporting errors, redact secrets before the message reaches a log file, a console or an error-tracking service.
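The following is an added example and is not code from the RFQ HTTP API documentation or project. It is a small Node.js server-side helper that ties these guidelines together: the token and API base URL are read from server-side environment variables (RFQ_JWT and RFQ_API_URL, names chosen here), the token is only ever sent over HTTPS, the browser receives an httpOnly session cookie instead of the JWT, and anything destined for a log or error report is scrubbed of JWT-shaped strings and credential headers. The /rfq path and the cookie name are placeholders.

```javascript
// Added example, not part of the RFQ HTTP API docs. Hypothetical names:
// RFQ_API_URL and RFQ_JWT (server-side environment variables), the /rfq path,
// and the rfq_session cookie.

// Three base64url segments separated by dots: the shape of a compact JWT.
// Used only to scrub token-looking strings from logs, never to validate tokens.
const JWT_PATTERN = /\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g;

// Header and field names whose values are credentials; these are dropped wholesale.
const SECRET_KEYS = /^(authorization|cookie|set-cookie|x-api-key|token|jwt)$/i;

// Recursively copy a value for logging, replacing tokens and credential fields.
function redactSecrets(value) {
  if (typeof value === "string") return value.replace(JWT_PATTERN, "[REDACTED_JWT]");
  if (Array.isArray(value)) return value.map(redactSecrets);
  if (value && typeof value === "object") {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      out[key] = SECRET_KEYS.test(key) ? "[REDACTED]" : redactSecrets(inner);
    }
    return out;
  }
  return value;
}

// Build the outgoing request on the server. The token never leaves this process
// except inside the Authorization header of an HTTPS request to the API.
function buildRfqRequest(path, { baseUrl, token }) {
  if (!baseUrl) throw new Error("RFQ_API_URL is not set");
  if (!token || token.split(".").length !== 3) {
    throw new Error("RFQ_JWT is missing or is not a compact JWT");
  }
  const url = new URL(path, baseUrl);
  if (url.protocol !== "https:") {
    throw new Error(`refusing to send a bearer token over ${url.protocol.replace(":", "")}`);
  }
  return {
    method: "GET",
    url: url.toString(),
    headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
  };
}

// What the browser gets instead of the JWT: an opaque session id in a cookie that
// page scripts cannot read (HttpOnly) and that only travels over HTTPS (Secure).
function sessionCookieHeader(sessionId, maxAgeSeconds = 3600) {
  if (!/^[A-Za-z0-9_-]{16,}$/.test(sessionId)) {
    throw new Error("session id must be an opaque random string");
  }
  return `rfq_session=${sessionId}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=${maxAgeSeconds}`;
}

// Shape an error for a logger or error tracker with all secrets scrubbed,
// including the failed request (its Authorization header carries the token).
function describeError(err, request) {
  const message = err instanceof Error ? err.message : String(err);
  return redactSecrets({ message, request });
}

// Call the API from the server. fetchImpl is injectable so the helper can be
// exercised without network access; by default the platform fetch is used.
async function callRfqApi(path, fetchImpl = globalThis.fetch) {
  const request = buildRfqRequest(path, {
    baseUrl: process.env.RFQ_API_URL,
    token: process.env.RFQ_JWT,
  });
  try {
    const res = await fetchImpl(request.url, { method: request.method, headers: request.headers });
    if (!res.ok) throw new Error(`RFQ API returned HTTP ${res.status}`);
    return await res.json();
  } catch (err) {
    // The token is scrubbed before anything reaches the console or an error tracker.
    console.error(JSON.stringify(describeError(err, request)));
    throw err;
  }
}

if (typeof module !== "undefined") {
  module.exports = { redactSecrets, buildRfqRequest, sessionCookieHeader, describeError, callRfqApi };
}
```

The redaction is deliberately applied to the whole report object rather than to individual fields, because tokens tend to leak through the places nobody thought to redact: a stringified request config, an upstream error body that echoes the Authorization header, or an exception message that interpolates a header value. The JWT pattern is a loose shape match and is fine for scrubbing; it is not a substitute for validating a token.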