Security
Auth patterns, threat modeling, and security decisions made before the incident rather than after.
Architecture Decisions 1
- API Key Rotation Without Downtime
Dual-key validation window, gradual client migration, and the revocation list we keep in Redis.
Engineering Notes 1
- IAM Least Privilege for CI Deploy Roles
Scoped OIDC roles for GitHub Actions — no long-lived AWS keys in repository secrets.
Opinions 1
- JWT vs Session Tokens for Internal APIs
Why we use opaque session tokens at the gateway and JWT only for service-to-service calls.