Minting Security
Authentication
All minting mutation endpoints require an authenticated session with a valid JWT. Anonymous or public execution is explicitly disallowed for the minting control plane.
Role-Based Access
Control Plane Isolation
The minting control plane (job submission, batch management, export generation) is architecturally separated from the resolver plane (scan resolution, token activation). This separation ensures:
- Minting operations cannot be triggered from resolver endpoints.
- Resolver endpoints operate with minimal privileges and do not expose minting controls.
- No minting mutation endpoint is publicly callable.
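The authentication requirement above and the control-plane/resolver split can be enforced together in the request dispatcher: mutation handlers only exist on the control-plane route table, and every mutation dispatch verifies a bearer JWT before the handler runs. The following is an added illustration, not code from this project. It assumes HS256 tokens with a shared secret (a real deployment would more likely verify RS256/ES256 tokens against the identity provider's keys), and the route paths, claim names and the `Plane` class are invented for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for the example: HS256 with a shared secret held only by the control plane.
JWT_SECRET = b"example-secret-do-not-use"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_jwt(claims: dict, secret: bytes = JWT_SECRET) -> str:
    """Build an HS256 JWT. Present only to keep the example self-contained; issuance belongs to the IdP."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes = JWT_SECRET, now=None) -> dict:
    """Return the claims of a valid, unexpired HS256 token; raise PermissionError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        raise PermissionError("malformed token")
    # Pin the algorithm: the token's own 'alg' must never select the verifier ('none', key confusion).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise PermissionError("token expired or missing exp")
    return claims


class Plane:
    """Route table for one plane. Mutation handlers can only be mounted where allow_mutations is True."""

    def __init__(self, name: str, allow_mutations: bool):
        self.name, self.allow_mutations, self.routes = name, allow_mutations, {}

    def route(self, method: str, path: str, mutation: bool = False):
        if mutation and not self.allow_mutations:
            raise RuntimeError(f"{method} {path} is a minting mutation; not mountable on the {self.name} plane")

        def register(fn):
            self.routes[(method, path)] = (fn, mutation)
            return fn
        return register

    def dispatch(self, method: str, path: str, headers: dict, body=None, now=None):
        entry = self.routes.get((method, path))
        if entry is None:
            return 404, {"error": "not found"}
        fn, mutation = entry
        principal = None
        if mutation:  # every mutation needs a verified bearer token; there is no anonymous path
            auth = headers.get("Authorization", "")
            if not auth.startswith("Bearer "):
                return 401, {"error": "authentication required"}
            try:
                principal = verify_jwt(auth[len("Bearer "):], now=now)
            except PermissionError as exc:
                return 401, {"error": str(exc)}
        return fn(principal, body)


control_plane = Plane("control", allow_mutations=True)
resolver_plane = Plane("resolver", allow_mutations=False)


@control_plane.route("POST", "/minting/jobs", mutation=True)
def submit_job(principal, body):
    return 201, {"job": body, "submitted_by": principal["sub"]}


@resolver_plane.route("GET", "/r/{token}")
def resolve_scan(principal, body):
    return 200, {"token": body, "public": True}


def mount_minting_on_resolver() -> bool:
    """Startup guard check: mounting a mutation route on the resolver plane must be refused."""
    try:
        resolver_plane.route("POST", "/minting/jobs", mutation=True)(submit_job)
        return False
    except RuntimeError:
        return True
```

The resolver plane has no entry for the job-submission route at all, so a request for it there is a plain 404 rather than a 401: the minting controls are absent from that surface, not merely gated.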
Resolver Security
Resolver endpoints that handle scan resolution operate under a separate security model:
- Scans capture GDPR-safe telemetry (truncated IP addresses, coarse geolocation).
- Bot traffic is detected and served static responses without triggering telemetry or activation.
- Token activation (for first_scan mode) is performed with internal validation to prevent unauthorized state changes.
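The three resolver rules above, shown as one scan-resolution function. This is an added example, not the project's resolver code: the user-agent bot patterns, the /24 and /48 truncation widths, the choice to keep only country and region, and the `Token` state model (inactive to active, once) are assumptions made for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed bot signature list (assumption). A real resolver would pair a maintained list
# with behavioural signals; the point here is the control flow, not the detector.
BOT_UA_PATTERNS = re.compile(r"(bot|crawler|spider|facebookexternalhit|preview)", re.I)


def truncate_ip(ip: str) -> str:
    """Zero the host part (/24 for IPv4, /48 for IPv6) so the stored value does not identify a device."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def coarse_geo(geo: dict) -> dict:
    """Keep only country and region; city, postal code and coordinates are never stored."""
    return {k: geo[k] for k in ("country", "region") if k in geo}


def is_bot(user_agent: str) -> bool:
    # Assumption: a missing user agent is treated as automated traffic.
    return not user_agent or bool(BOT_UA_PATTERNS.search(user_agent))


@dataclass
class Token:
    serial: str
    activation_mode: str          # "first_scan" or "manual"
    state: str = "inactive"       # only transition permitted here: inactive -> active
    scans: list = field(default_factory=list)


def activate_on_first_scan(token: Token) -> bool:
    """Internal, validated state change: only first_scan tokens, only from inactive. Returns True if it activated."""
    if token.activation_mode != "first_scan" or token.state != "inactive":
        return False
    token.state = "active"
    return True


def resolve_scan(token: Token, client_ip: str, user_agent: str, geo: dict) -> dict:
    if is_bot(user_agent):
        # Bots get a static page: no telemetry row is written and activation is never attempted.
        return {"status": 200, "body": "static", "telemetry": False, "activated": False}
    token.scans.append({"ip": truncate_ip(client_ip), "geo": coarse_geo(geo)})
    activated = activate_on_first_scan(token)
    return {"status": 200, "body": "resolved", "telemetry": True,
            "activated": activated, "state": token.state}
```

Activation is not exposed as something the client requests; it is a side effect the resolver decides on after its own checks, which is what keeps a crafted scan request from flipping a token's state.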
Export Security
Export artifacts are stored in private cloud storage with access controls:
- Only users with brand-level access can request and download exports.
- Downloads use short-lived signed URLs (5-minute TTL) that expire automatically.
- No permanent public URLs are generated for export artifacts.
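An added example of the export download flow: the brand-level check runs before any URL is issued, the URL carries an expiry and an HMAC over the export id and expiry, and the download endpoint re-checks both. This is not the project's code. Object stores provide their own signed URLs (S3 presigned URLs, GCS signed URLs) that a real service would use; the hand-rolled signer here shows the same expiry-plus-signature pattern. The host name, the export and brand identifiers and the user-to-brand mapping are constructed for the illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"example-export-signing-key"  # assumption: known only to the export service
EXPORT_TTL_SECONDS = 300                     # the 5-minute TTL from the text

# Constructed authorization data: which brand owns each export, which brands each user may access.
EXPORT_OWNER = {"exp_123": "brand_A"}
USER_BRANDS = {"alice": {"brand_A"}, "mallory": {"brand_B"}}


def user_can_access_export(user: str, export_id: str) -> bool:
    return EXPORT_OWNER.get(export_id) in USER_BRANDS.get(user, set())


def export_signature(export_id: str, expires: int) -> str:
    # The expiry is part of the signed message, so it cannot be extended by editing the query string.
    return hmac.new(SIGNING_KEY, f"{export_id}\n{expires}".encode(), hashlib.sha256).hexdigest()


def make_signed_url(user: str, export_id: str, now=None) -> str:
    """Issue a short-lived download URL, and only after the brand-level access check."""
    if not user_can_access_export(user, export_id):
        raise PermissionError("no brand-level access to this export")
    now = int(time.time()) if now is None else now
    expires = now + EXPORT_TTL_SECONDS
    query = urlencode({"id": export_id, "expires": expires, "sig": export_signature(export_id, expires)})
    return f"https://exports.example.invalid/download?{query}"


def verify_signed_url(url: str, now=None) -> str:
    """Return the export id if the URL is well-formed, unexpired and correctly signed; else raise PermissionError."""
    q = parse_qs(urlparse(url).query)
    try:
        export_id, expires, sig = q["id"][0], int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        raise PermissionError("malformed download URL")
    now = int(time.time()) if now is None else now
    if now >= expires:
        raise PermissionError("download URL expired")
    if not hmac.compare_digest(sig, export_signature(export_id, expires)):
        raise PermissionError("bad signature")
    return export_id
```

Because nothing is ever written to a public bucket, a leaked URL is worth at most five minutes, and swapping the export id or the expiry in a captured URL breaks the signature.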
Idempotency Protection
The idempotency mechanism prevents duplicate job creation from repeated submissions, ensuring that replay attacks or network retries cannot create unintended minting activity.
Concurrency Safety
The background processing model includes exclusive job locking to ensure:
- Only one worker processes a given job at any time.
- No duplicate tokens or serial numbers are generated under concurrent load.
- Partial progress is preserved in the event of worker failure.
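The idempotency mechanism and the exclusive job locking above are two halves of the same job store, so one added example covers both. It is not the project's code: an in-memory SQLite database stands in for the minting database, the lease length, the table layout and the simulated crash are assumptions. Idempotency is a UNIQUE constraint on (brand, idempotency key) plus a hash of the request body, so a retry with the same body returns the original job while the same key with a different body is refused. Locking is a conditional UPDATE that only succeeds when no live lease exists, and each minted serial commits together with the progress counter so a crashed worker leaves the job resumable.

```python
import hashlib
import json
import sqlite3
import time

LEASE_SECONDS = 30  # assumption: a worker that stops heartbeating loses the job after this long


def open_store() -> sqlite3.Connection:
    """In-memory SQLite stands in for the minting database (example assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE jobs (
        id INTEGER PRIMARY KEY, brand TEXT NOT NULL, idem_key TEXT NOT NULL, request_hash TEXT NOT NULL,
        quantity INTEGER NOT NULL, minted INTEGER NOT NULL DEFAULT 0,
        locked_by TEXT, lease_until REAL, UNIQUE (brand, idem_key))""")
    # The database allocates the serial, so two workers can never hand out the same number.
    db.execute("CREATE TABLE serials (serial INTEGER PRIMARY KEY, job_id INTEGER NOT NULL)")
    return db


def submit_job(db, brand: str, idem_key: str, request: dict):
    """Return (job_id, created). Same key + same body -> the existing job; same key + different body -> ValueError."""
    request_hash = hashlib.sha256(json.dumps(request, sort_keys=True).encode()).hexdigest()
    try:
        cur = db.execute("INSERT INTO jobs (brand, idem_key, request_hash, quantity) VALUES (?, ?, ?, ?)",
                         (brand, idem_key, request_hash, request["quantity"]))
        db.commit()
        return cur.lastrowid, True
    except sqlite3.IntegrityError:  # UNIQUE(brand, idem_key): a retry or a concurrent submission got there first
        db.rollback()
        job_id, existing_hash = db.execute("SELECT id, request_hash FROM jobs WHERE brand=? AND idem_key=?",
                                           (brand, idem_key)).fetchone()
        if existing_hash != request_hash:
            raise ValueError("idempotency key reused with a different request body")
        return job_id, False


def claim_job(db, worker: str, now=None):
    """Take an exclusive lease on one unfinished job, or return None.
    The conditional UPDATE is the lock: if another worker's lease is live, rowcount is 0 and we back off."""
    now = time.time() if now is None else now
    row = db.execute("SELECT id FROM jobs WHERE minted < quantity AND (locked_by IS NULL OR lease_until < ?) "
                     "ORDER BY id LIMIT 1", (now,)).fetchone()
    if row is None:
        return None
    cur = db.execute("UPDATE jobs SET locked_by=?, lease_until=? WHERE id=? AND (locked_by IS NULL OR lease_until < ?)",
                     (worker, now + LEASE_SECONDS, row[0], now))
    db.commit()
    return row[0] if cur.rowcount == 1 else None


def mint_batch(db, job_id: int, worker: str, batch: int = 2, crash_after=None) -> int:
    """Mint up to `batch` serials for a job the worker holds. Each serial and the progress counter commit
    together, so a crash (simulated via crash_after) loses nothing already minted and never half-writes a token."""
    quantity, minted, locked_by = db.execute("SELECT quantity, minted, locked_by FROM jobs WHERE id=?",
                                             (job_id,)).fetchone()
    if locked_by != worker:
        raise PermissionError("worker does not hold the lease for this job")
    for i in range(min(batch, quantity - minted)):
        if crash_after is not None and i >= crash_after:
            raise RuntimeError("simulated worker crash")
        db.execute("INSERT INTO serials (job_id) VALUES (?)", (job_id,))
        db.execute("UPDATE jobs SET minted = minted + 1 WHERE id=?", (job_id,))
        db.commit()
    minted = db.execute("SELECT minted FROM jobs WHERE id=?", (job_id,)).fetchone()[0]
    if minted >= quantity:  # finished: release the lease
        db.execute("UPDATE jobs SET locked_by=NULL, lease_until=NULL WHERE id=?", (job_id,))
        db.commit()
    return minted


def job_status(db, job_id: int) -> dict:
    quantity, minted, locked_by = db.execute("SELECT quantity, minted, locked_by FROM jobs WHERE id=?",
                                             (job_id,)).fetchone()
    serials = [r[0] for r in db.execute("SELECT serial FROM serials WHERE job_id=? ORDER BY serial", (job_id,))]
    return {"quantity": quantity, "minted": minted, "locked_by": locked_by, "serials": serials}
```

A worker that dies mid-job keeps its lease until it expires, so a second worker cannot start on the same job early; once the lease lapses the successor picks up from the committed `minted` count and the serial sequence continues without gaps or repeats.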