- Access token: 15 minutes expiry
- Refresh token: 7 days expiry
- Tokens are signed with the HS256 (HMAC-SHA256) algorithm
- Minimum 8 characters
- Must include: uppercase, lowercase, numbers, special characters
- Bcrypt hashing with 12 rounds
- Account locks after 5 failed login attempts
- 30-minute lockout period
- Failed attempts tracked per user
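The password rules and the per-user lockout policy above, as an added example that is not the project's own code; it assumes an in-memory store, a caller-supplied clock in seconds, and the hypothetical names `password_policy_violations` and `LoginAttemptTracker`:

```python
from dataclasses import dataclass, field
import string

MAX_FAILED_ATTEMPTS = 5            # account locks after 5 failed logins
LOCKOUT_PERIOD_SECONDS = 30 * 60   # 30-minute lockout period


def password_policy_violations(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it is acceptable."""
    checks = {
        "length": len(password) >= 8,
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]


@dataclass
class LoginAttemptTracker:
    """Per-user failed-login counter; the in-memory dicts are an assumption of this example."""
    failures: dict[str, int] = field(default_factory=dict)
    locked_until: dict[str, float] = field(default_factory=dict)

    def is_locked(self, user_id: str, now: float) -> bool:
        until = self.locked_until.get(user_id)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear state so the counter restarts from zero.
            del self.locked_until[user_id]
            self.failures.pop(user_id, None)
            return False
        return True

    def record_failure(self, user_id: str, now: float) -> bool:
        """Record a failed login; return True if the account is (now) locked."""
        if self.is_locked(user_id, now):
            return True
        count = self.failures.get(user_id, 0) + 1
        self.failures[user_id] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user_id] = now + LOCKOUT_PERIOD_SECONDS
            return True
        return False

    def record_success(self, user_id: str) -> None:
        """A successful login resets the per-user failure counter."""
        self.failures.pop(user_id, None)
```

In a multi-process deployment the counters would live in a shared store such as the database or a cache, since the lockout is only as reliable as the view every worker has of the failure count.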
| Endpoint | Limit | Window |
|---|---|---|
| /auth/register | 5 requests | per minute |
| /auth/login | 5 requests | per minute |
| /credit/calculate-score | 10 requests | per minute |
| /loans/apply | 3 requests | per hour |
| Default | 100 requests | per hour |
- Passwords: Bcrypt hashing
- JWTs: HS256 signing
- Database: SQLAlchemy ORM (parameterised queries protect against SQL injection)
- Configurable allowed origins
- Credentials support enabled
- Preflight request handling
- All authentication events logged
- 10-year retention for audit logs
- Includes: user_id, IP address, user agent, timestamp
- Never commit secrets: Use environment variables
- Rotate keys regularly: JWT_SECRET_KEY, SECRET_KEY
- Use HTTPS in production: Enable FORCE_HTTPS
- Enable MFA: Two-factor authentication available
- Monitor audit logs: Review for suspicious activity
See Configuration Guide for security settings.