Security
Learn about UseGrant's security features
The system is built on and for zero trust.
Your service implementations and use cases remain completely private with you, on your servers.
Information we collect: your signup email, whose sole purpose is to authenticate you to the app. It is not used in the OAuth implementation in any way. We do not collect or store any data about your services or intended usage patterns.
Logs: We only log essential system information (never any user data) to ensure the app operates as expected. These logs are retained for a short period, with most being cleared within 24 hours and none kept for more than 30 days.
We also issue private keys for your project, which are used to sign the tokens. These private keys are never exposed to the public and are used for nothing other than signing tokens. They can also be configured to rotate every 24 hours.
This ensures maximum privacy and reduces the risk of sensitive information being exposed. By limiting the data we store, we minimize the potential impact of any data breaches.
Breach Resistant
These measures make the system breach resistant. We make sure all the best practices are followed to ensure the security of the system. Even in the unlikely event of a breach, there is no actionable information at risk. Only you use our services, not the other way around.
During the authentication process, your service will contact the following public endpoints to verify that the token was signed by us.
First, your service will contact the following endpoint to discover the URL of the jwks endpoint.
Next, it will contact the following endpoint to get the public keys.
The jwks endpoint contains the public keys used to verify the token signature.
Requests to these endpoints are not logged.
These are public endpoints, and this workflow follows the OpenID standard. These endpoints will be accessible via your project's URL or custom domain, if configured.