Skip to content

Security And Audit

Use this page when you need to decide who can change SigID settings and how your team reviews important identity events.

What Business Teams Control

Business and operations teams usually control:

  • who can manage workspace settings
  • who can create or edit applications
  • who can invite users or manage organizations
  • who can configure SSO
  • who can view audit events
  • who owns login and recovery support
  • who approves production launch changes

Routine Security Checks

Control What to check
Roles Only the right people can manage apps, users, organizations, SSO, secrets, and billing.
Audit Important login, user, organization, app, secret, and webhook events are visible.
MFA Sensitive operator or workspace actions require stronger verification when appropriate.
Secrets Client secrets and webhook signing secrets are never placed in browser code.
Access reviews Workspace owners periodically review operators and organization owners.
Incidents Support, security, and engineering know who owns identity incidents.

Common Launch Risks

  • production redirect URL is missing or wrong
  • development issuer is used in production
  • app asks for more access than users expect
  • client secret is exposed in browser code
  • backend accepts tokens without audience or tenant checks
  • no owner is assigned for audit review
  • support does not know what users see during recovery

When Something Goes Wrong

  1. Identify the affected workspace, app, or organization.
  2. Check recent audit events.
  3. Confirm whether the issue is sign-in, SSO, recovery, token validation, or webhook delivery.
  4. Assign one owner for user communication.
  5. Ask developers to check backend validation or webhook logs when code is involved.
  6. Review roles and settings after the incident.

Developers should verify resource-boundary checks with Protect Backend APIs.

For deeper model details, use Reference: Security Model.