Security Posture
KeyIdentity treats security as an architectural property, not an operational afterthought. The following describes the security commitments embedded in the protocol specification and the infrastructure that implements it.
Cryptographic Standards
Retailer-Scoped Authorization Tokens (RSATs) are signed using Ed25519 (EdDSA) and verified cryptographically at validation. The JWT protected header declares alg: EdDSA and the signing key is a node-level Ed25519 private key loaded at startup from environment configuration.
Key rotation is supported through a current/previous verify key model. When a new signing key is deployed, the previous public key is retained as a secondary verification key. Tokens signed by the outgoing key remain valid for their remaining lifetime, enabling zero-downtime rotation without service interruption.
RSATs enforce a maximum time-to-live of 120 seconds. Token expiry is carried in the JWT exp claim and verified on every validation request. Expired tokens are rejected regardless of signature validity. The signing key fingerprint (truncated SHA-256) is recorded in the audit trail with each issuance operation.
Network Zone Isolation
The Authorization Node operates within a four-zone network model with explicit allowed and denied traffic flows. Zones are enforced at the network layer through firewall rules (cloud security groups or host-based firewalls, depending on the deployment).
External: TLS-terminated ingress only. No direct access to the application or data zones.
Application: API services. Communicates with the data zone on designated ports only.
Data: PostgreSQL and Redis. No inbound connections except from the application zone.
Management: Monitoring, log aggregation, bastion access. Isolated from all other zones except designated management flows.
Audit Trail Integrity
Every state-mutating operation is recorded in an append-only audit trail. The application service account has no UPDATE or DELETE grants on audit tables. Audit entries include operation type, actor, timestamp, and affected resource identifiers.
Audit trail completeness is a verification gate at Day 30 of the sandbox evaluation. Every mutating operation must have a corresponding audit entry, verified through automated reconciliation.
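A reconciliation check of the kind the Day 30 gate describes, written here as an added example rather than KeyIdentity's own tooling. It joins the application's record of mutating operations to the audit trail by an operation id and reports operations with no entry, entries whose required fields (operation type, actor, timestamp, resource) are blank or disagree with the operation, and entries with no matching operation. The record shapes, field names and the sample dataset are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// MutatingOp is one state-mutating operation as the application performed it.
// Shape and field names are assumptions made for this example.
type MutatingOp struct {
	OpID, OpType, Actor, Resource string
}

// AuditEntry is one row of the append-only audit trail: the four fields the
// page says every entry carries, plus the operation id used to join them.
type AuditEntry struct {
	OpID, OpType, Actor, Resource string
	Timestamp                     int64
}

// Finding describes one reconciliation failure.
type Finding struct {
	OpID   string
	Reason string
}

// Reconcile joins operations to audit entries by OpID and returns findings
// sorted by OpID; an empty result means the trail is complete and consistent.
func Reconcile(ops []MutatingOp, trail []AuditEntry) []Finding {
	var findings []Finding
	byID := make(map[string]AuditEntry, len(trail))
	for _, e := range trail {
		if _, dup := byID[e.OpID]; dup {
			findings = append(findings, Finding{e.OpID, "duplicate audit entry"})
			continue
		}
		byID[e.OpID] = e
	}
	matched := make(map[string]bool, len(ops))
	for _, op := range ops {
		e, ok := byID[op.OpID]
		switch {
		case !ok:
			findings = append(findings, Finding{op.OpID, "missing audit entry"})
		case e.OpType == "" || e.Actor == "" || e.Resource == "" || e.Timestamp == 0:
			findings = append(findings, Finding{op.OpID, "incomplete audit entry"})
		case e.OpType != op.OpType || e.Actor != op.Actor || e.Resource != op.Resource:
			findings = append(findings, Finding{op.OpID, "audit entry disagrees with operation"})
		}
		matched[op.OpID] = true
	}
	for id := range byID {
		if !matched[id] {
			findings = append(findings, Finding{id, "audit entry without operation"})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].OpID < findings[j].OpID })
	return findings
}

// SampleData is a constructed dataset: four operations and a trail with one
// missing entry, one actor mismatch and one orphan entry.
func SampleData() ([]MutatingOp, []AuditEntry) {
	ops := []MutatingOp{
		{"op-001", "issue_rsat", "api-client-7", "retailer-42"},
		{"op-002", "rotate_key", "admin-1", "node-1"},
		{"op-003", "revoke_rsat", "api-client-7", "retailer-42"},
		{"op-004", "update_policy", "admin-1", "policy-9"},
	}
	trail := []AuditEntry{
		{"op-001", "issue_rsat", "api-client-7", "retailer-42", 1700000001},
		{"op-002", "rotate_key", "observer-3", "node-1", 1700000002}, // actor mismatch
		{"op-004", "update_policy", "admin-1", "policy-9", 1700000004},
		{"op-999", "delete_policy", "admin-1", "policy-9", 1700000005}, // orphan
	}
	return ops, trail
}

func main() {
	ops, trail := SampleData()
	for _, f := range Reconcile(ops, trail) {
		fmt.Printf("%s: %s\n", f.OpID, f.Reason)
	}
}
```

Orphan entries are reported as well as missing ones: because the service account cannot UPDATE or DELETE audit rows, an entry that no recorded operation explains is itself a signal worth investigating, not noise to be filtered.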
Biometric Non-Persistence
No biometric data enters the KeyIdentity Federation Protocol. Biometric verification occurs exclusively on certified local hardware (Edge Appliance). The biometric template exists only on the device where enrollment occurred. No central biometric database exists, has ever existed, or can be constructed from data within the protocol.
This is a hardware-enforced architectural property, not a policy commitment. The Edge Appliance secure enclave has no network stack. The hardware does not provide a path for biometric data to leave the device.
Access Control
The Authorization Node enforces role-based access with least-privilege boundaries. Four defined roles — admin, observer, API client, and auditor — operate with zone-scoped permissions. All containers run as unprivileged users. Secrets are managed through environment-scoped mechanisms with restricted filesystem permissions.
Responsible Disclosure
KeyIdentity accepts responsible security disclosures. If you identify a vulnerability in any KeyIdentity system or specification, report it to: security@keyidentitypay.com
All disclosures are treated confidentially. KeyIdentity acknowledges receipt within two business days and provides an initial assessment within five business days. Reporters acting in good faith will not face legal action.