Docs · For developers
Key design decisions
The engineering decisions that shape VirtualID's security posture, summarized for people building on or evaluating the platform.
Session tokens — TTL, renewal & sender-binding
Sessions are issued as short-lived, renewable, DPoP-bound tokens (RFC 9449). Each token is cryptographically bound to a non-exportable key held on the client device, so a stolen bearer token is useless on its own — an attacker would also need the device's private key. Access tokens are short-lived and rotated through single-use refresh tokens; refresh reuse revokes the whole session family. See Authentication for the full sign-in and cross-device flows.
These summaries are the reviewable basis for the platform's security claims. For hands-on verification, the API reference is the machine-readable source of truth.