nuzlocke-tracker/.beans/nuzlocke-tracker-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md
Julian Tabel a12958ae32
All checks were successful
CI / backend-tests (push) Successful in 27s
CI / frontend-tests (push) Successful in 29s
update beans and postgres mount path
2026-03-21 12:51:35 +01:00


| title | status | type | priority | created_at | updated_at |
|---|---|---|---|---|---|
| Migrate JWT verification from HS256 shared secret to asymmetric keys (JWKS) | todo | task | low | 2026-03-21T11:14:29Z | 2026-03-21T11:14:29Z |

The backend currently verifies Supabase JWTs using an HS256 shared secret (SUPABASE_JWT_SECRET). Supabase recommends migrating to asymmetric keys (RS256) for better security: a shared HMAC secret lets every holder mint valid tokens, whereas the backend would then hold only a public key that can verify tokens but not sign them.

Instead of storing a shared secret, the backend would fetch public keys from Supabase's JWKS endpoint (https://<project>.supabase.co/.well-known/jwks.json) and verify tokens against those.

## Changes needed

- [ ] Update backend/src/app/core/auth.py to fetch and cache JWKS public keys
- [ ] Change jwt.decode from HS256 to RS256 with the fetched public key
- [ ] Remove SUPABASE_JWT_SECRET from config, docker-compose, deploy workflow, and .env files
- [ ] Update tests

## References

- https://supabase.com/docs/guides/auth/signing-keys
- https://supabase.com/docs/guides/auth/jwts
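As an added example (not code from this repository), the following shows what the "fetch and cache JWKS keys, then decode with RS256" steps amount to, written against the Python standard library only so it runs offline. The names JWKSCache, verify_rs256, make_test_keypair and sign_rs256_for_tests, the kid `test-key-1`, and the issuer/audience strings are constructed for the example; the real auth.py would hand this to PyJWT (jwt.decode with algorithms=["RS256"] and a key from jwt.PyJWKClient) rather than implementing PKCS#1 v1.5 itself, but the checks below are the ones that library performs.

```python
# Added example, not project code: RS256 JWT verification against a JWKS using only the
# standard library (the backend would use PyJWT for this). All names below are assumed.
import base64, hashlib, json, random, time

SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) as a k-byte integer (same on sign and verify)."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def _require(cond, msg):
    if not cond:
        raise ValueError(msg)

class JWKSCache:
    """Keys by kid; an unknown kid refetches (key rotation), at most once per min_refresh seconds."""
    def __init__(self, fetch, min_refresh=60):
        self._fetch, self._min_refresh, self._keys, self._last = fetch, min_refresh, {}, 0.0
    def get(self, kid):
        stale = not self._keys or time.monotonic() - self._last >= self._min_refresh
        if kid not in self._keys and stale:  # rate-limited so bogus kids cannot hammer the endpoint
            self._keys = {k["kid"]: k for k in self._fetch()["keys"]}  # fetch() -> parsed JWKS
            self._last = time.monotonic()
        return self._keys.get(kid)

def verify_rs256(token, jwks, audience, issuer):
    """Return the claims or raise ValueError. Order: pin alg, key by kid, signature, exp, iss, aud."""
    parts = token.split(".")
    _require(len(parts) == 3, "malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    _require(header.get("alg") == "RS256", "unexpected alg")  # never let the token pick the algorithm
    jwk = jwks.get(header.get("kid"))
    _require(jwk is not None and jwk.get("kty") == "RSA", "unknown signing key")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(s64)
    # RSASSA-PKCS1-v1_5 verify: sig^e mod n must equal the whole encoded message, nothing looser
    _require(len(sig) == k and pow(int.from_bytes(sig, "big"), e, n)
             == emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k), "bad signature")
    claims = json.loads(b64url_decode(p64))
    _require(claims.get("exp", 0) > time.time(), "token expired")
    _require(claims.get("iss") == issuer, "wrong issuer")
    aud = claims.get("aud")
    _require(audience in (aud if isinstance(aud, list) else [aud]), "wrong audience")
    return claims

def make_test_keypair(bits=1024, seed=7):
    """Constructed, deterministic, deliberately small RSA key for the demo and tests only."""
    rng, e = random.Random(seed), 65537
    def prime():  # Fermat test with small bases: fine for a throwaway test key, not for real ones
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13)):
                return c
    p, q = prime(), prime()
    while p == q or (p - 1) * (q - 1) % e == 0:
        q = prime()
    n, phi = p * q, (p - 1) * (q - 1)
    jwk = {"kty": "RSA", "kid": "test-key-1", "alg": "RS256", "use": "sig",
           "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
           "e": b64url_encode(e.to_bytes(3, "big"))}
    return jwk, (n, pow(e, -1, phi))  # private exponent; pow(e, -1, m) needs Python 3.8+

def sign_rs256_for_tests(claims, kid, priv):
    """Mint a token with the constructed private key (the role Supabase's auth server plays)."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    signing_input = header + "." + b64url_encode(json.dumps(claims).encode())
    s = pow(emsa_pkcs1_v15(signing_input.encode(), k), d, n)
    return signing_input + "." + b64url_encode(s.to_bytes(k, "big"))

def demo():
    """Run the full flow on the constructed key; returns each outcome so it can be asserted on."""
    jwk, priv = make_test_keypair()
    cache = JWKSCache(lambda: {"keys": [jwk]})  # stands in for GET .../.well-known/jwks.json
    iss, aud = "https://example.supabase.co/auth/v1", "authenticated"  # constructed values
    good = sign_rs256_for_tests({"sub": "user-1", "iss": iss, "aud": aud, "exp": int(time.time()) + 3600},
                                "test-key-1", priv)
    def outcome(tok):
        try:
            return "accepted:" + verify_rs256(tok, cache, aud, iss)["sub"]
        except ValueError as exc:
            return str(exc)
    h, p, s = good.split(".")
    forged = b64url_encode(json.dumps({"sub": "admin", "iss": iss, "aud": aud, "exp": 4102444800}).encode())
    return {
        "valid": outcome(good),
        "tampered_payload": outcome(f"{h}.{forged}.{s}"),
        "alg_hs256": outcome(b64url_encode(b'{"alg":"HS256","kid":"test-key-1"}') + f".{p}.{s}"),
        "expired": outcome(sign_rs256_for_tests({"sub": "user-1", "iss": iss, "aud": aud, "exp": 1}, "test-key-1", priv)),
    }
```

Three details carry over directly to the PyJWT-based auth.py: the accepted algorithm is pinned by the verifier (algorithms=["RS256"]) rather than read from the token header, so a token claiming HS256 or none is rejected instead of being verified against the public key as if it were an HMAC secret; the key is selected by kid with a rate-limited refetch on an unknown kid, which is what makes Supabase key rotation work without letting garbage tokens turn the JWKS endpoint into a hot loop; and aud, iss and exp are still validated after the signature, since a correctly signed token for a different project or audience is not proof of anything. Running the file as a script prints each outcome via demo().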