| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |
We release patches for security vulnerabilities in the latest version.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via GitHub's private vulnerability reporting feature:
- Go to the repository's Security tab
- Click "Report a vulnerability"
- Fill in the details
We aim to respond within 48 hours and will keep you updated on the fix.
Recommendations for users:
- Keep your dependencies up to date
- Use `pip-audit` to check your installed packages for known vulnerabilities
- Report any security concerns promptly
APIAuth uses several security controls:
- Encryption: AES-256-GCM for keystore encryption
- Key Derivation: PBKDF2 with 100,000 iterations for master key derivation
- Storage: Only SHA-256 hashes of API keys and JWT signing secrets are stored
- Key Rotation: on rotation the previous key value is retained only as its SHA-256 hash; the old plaintext is never kept
- Verification: Constant-time hash comparison for API key verification
- Offline Operation: No telemetry, no network calls, fully air-gapped capable
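The hash-only storage, constant-time verification and rotation controls above fit together as follows. This is an added illustration written for this page, not APIAuth's own code: `HashedKeyStore`, `derive_master_key` and `hash_api_key` are assumed names, and the store is in-memory. The AES-256-GCM step that encrypts the serialized keystore with the PBKDF2-derived master key is left out because the Python standard library has no AES-GCM; the derived 32-byte key is exactly what that step would consume. Note that 100,000 PBKDF2 iterations is the figure the page lists; OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000.

```python
import hashlib
import hmac
import secrets
from typing import List

PBKDF2_ITERATIONS = 100_000   # iteration count quoted in the controls list above
MASTER_KEY_BYTES = 32         # 256-bit key, the size AES-256-GCM expects

# Digest compared against when the key id is unknown, so a lookup miss costs
# the same as a wrong key instead of returning early.
_DUMMY_HASH = hashlib.sha256(b"").hexdigest()


def derive_master_key(passphrase: str, salt: bytes,
                      iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 master key (assumed helper). The salt is random per
    keystore and stored next to the ciphertext; it is not secret."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=MASTER_KEY_BYTES)


def hash_api_key(api_key: str) -> str:
    """Only this digest is persisted; the plaintext key is never written down."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


class HashedKeyStore:
    """Hypothetical in-memory keystore: key id -> current hash plus the hashes
    of rotated-out values. Not APIAuth's implementation."""

    def __init__(self) -> None:
        self._records = {}

    def create_key(self, key_id: str) -> str:
        api_key = secrets.token_urlsafe(32)
        self._records[key_id] = {"hash": hash_api_key(api_key), "previous": []}
        return api_key  # handed to the caller exactly once

    def verify(self, key_id: str, presented: str) -> bool:
        record = self._records.get(key_id)
        expected = record["hash"] if record is not None else _DUMMY_HASH
        # compare_digest runs in time independent of where the digests differ
        matches = hmac.compare_digest(expected, hash_api_key(presented))
        return matches and record is not None

    def rotate(self, key_id: str) -> str:
        """Replace the key; the old value survives only as its SHA-256 hash."""
        record = self._records[key_id]
        record["previous"].append(record["hash"])
        new_key = secrets.token_urlsafe(32)
        record["hash"] = hash_api_key(new_key)
        return new_key

    def previous_hashes(self, key_id: str) -> List[str]:
        return list(self._records[key_id]["previous"])
```

The dummy-digest path in `verify` matters: an early `return False` on an unknown key id would let a caller distinguish "no such id" from "wrong key" by timing, which undoes the point of the constant-time comparison.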
| Threat | Mitigation |
|---|---|
| Keystore theft | AES-256-GCM encryption with PBKDF2-derived key |
| Key exposure on rotation | Previous values hashed with SHA-256 before rotation |
| Timing attacks | Constant-time comparison for hash verification |
| Replay attacks | JTI-based JWT tracking with revocation support |
| Supply chain | Dependabot weekly updates, pinned GitHub Actions SHAs |
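The "Replay attacks" row describes JTI tracking with revocation; the block below shows what that check looks like end to end for an HS256 JWT. It is an added example for this page, not APIAuth's code: the token layout follows RFC 7519, but `mint_token`, `ReplayGuard`, `token_jti` and the result labels are assumed names, and the seen-JTI set is an in-process dict rather than a shared store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, subject: str, ttl_seconds: int,
               now: Optional[float] = None) -> str:
    """Issue an HS256 JWT with a random jti (assumed helper, not APIAuth's)."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": int(now), "exp": int(now) + ttl_seconds,
               "jti": secrets.token_hex(16)}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_jti(token: str) -> str:
    """Read the jti claim without verifying; only for building revocation lists."""
    return json.loads(_b64url_decode(token.split(".")[1]))["jti"]


class ReplayGuard:
    """Accepts each jti once and rejects revoked ones (hypothetical class)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._seen = {}        # jti -> exp, so entries can be dropped once stale
        self._revoked = set()

    def revoke(self, jti: str) -> None:
        self._revoked.add(jti)

    def verify_once(self, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            h, p, s = token.split(".")
            signing_input = f"{h}.{p}".encode("ascii")
            header = json.loads(_b64url_decode(h))
            signature = _b64url_decode(s)
        except ValueError:
            return False, "malformed"
        # Pin the algorithm; the token never gets to choose it (alg=none etc.)
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False, "bad-alg"
        expected = hmac.new(self._secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad-signature"
        try:
            payload = json.loads(_b64url_decode(p))
        except ValueError:
            return False, "malformed"
        if not isinstance(payload, dict):
            return False, "malformed"
        jti, exp = payload.get("jti"), payload.get("exp")
        if not isinstance(jti, str) or not isinstance(exp, int):
            return False, "missing-claims"
        if now >= exp:
            return False, "expired"
        if jti in self._revoked:
            return False, "revoked"
        self._purge(now)
        if jti in self._seen:
            return False, "replayed"
        self._seen[jti] = exp
        return True, "ok"

    def _purge(self, now: float) -> None:
        # Forget jtis whose tokens have expired: an expired token fails the exp
        # check anyway, so the seen-set only needs to cover live tokens.
        for jti, exp in list(self._seen.items()):
            if now >= exp:
                del self._seen[jti]
```

Two points worth keeping in mind when deploying this pattern: the seen-JTI set must be shared across every instance that verifies tokens (an in-memory dict only protects a single process), and the `exp` check has to stay mandatory, because it is what bounds the size of that set.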
- No PII stored in keystore
- GDPR-compliant by design (no personal data collection)
- SOC 2 compatible audit trail via the `apiauth audit` command