Security Overview
Purpose
This page provides a high-level view of Keymate's security capabilities and links to detailed guidance on token binding, client governance, machine identity, and tenant boundary protection.
Who This Section Is For
- Security engineers evaluating Keymate's security posture
- Architects designing secure authorization flows
- Platform teams integrating Keymate into production environments
What You Will Find Here
- Token protection through sender-constrained tokens and DPoP
- OAuth client credential and scope management
- Machine identity trust via mTLS and SPIFFE
- Tenant boundary protection and admin action governance
Recommended Starting Points
- Sender-Constrained Tokens & DPoP: How Keymate binds tokens to clients using proof-of-possession.
- OAuth Client Security: Client lifecycle, secret rotation, scope and claim governance.
- Machine Identity & Trust: Workload identity verification via mTLS and SPIFFE.
- Tenant Boundary Protection: Cross-tenant isolation and admin action safeguards.