Authdog is built so the secure path is the default path. This page summarizes how sessions, tokens, keys, and provisioning are handled, and the compliance-ready defaults you inherit for free.

## Per-environment key isolation and rotation

Every environment has its **own signing keys**, connections, and user store. A leaked credential or misconfiguration in one environment can never reach another. Signing keys are rotated on a managed schedule, and the environment's **public key** (`pk_...`) lets clients verify sessions without ever handling a private key.

## Short-lived signed sessions

Sign-in issues a **signed-JWT session** delivered as the `authdog-session` cookie (`HttpOnly`, `SameSite=Lax`, `Secure` in production) or as an `Authorization: Bearer` token. Sessions are short-lived and signed, so a stolen token has a small window and can't be forged. See [Sessions & tokens](/docs/concepts/sessions-tokens) for the token model.

## Edge session validation

Sessions are validated at the edge, close to the user, before requests reach your origin. Validation is stateless against the environment's public key, so it stays fast and doesn't depend on a central session store.

## MFA and breach-aware passwords

Enable **TOTP MFA** to require a second factor after primary sign-in. The password policy is **breach-aware** — credentials known from public breaches are rejected — so weak and compromised passwords never make it into your user store.

## Enterprise SSO

Delegate authentication to a customer's identity provider over **SAML 2.0 or OIDC**, with first-class support for Okta, Entra ID, JumpCloud, Ping, and BeyondTrust. Customers keep their own MFA, session, and lifecycle policies.

## Provisioning and deprovisioning

Automated lifecycle keeps access in sync with the source of truth. SCIM 2.0 and HRIS feeds create, update, and — critically — **deactivate** users when they leave, so offboarding in the IdP revokes app access with no manual step. See [Provisioning](/docs/concepts/provisioning).

## Audit events

Identity events — sign-ins, role changes, provisioning updates — are recorded and available through the Events API for auditing, alerting, and downstream sync.

## Webhook signature verification

Outbound webhooks are **HMAC-signed** with an `X-Authdog-Signature: t=...,v1=...` header and delivered with durable retry. Always verify the signature and check the timestamp before acting on a payload, so you only trust events that genuinely came from Authdog.
