Chapter 4 Assignment
Audit your tokens + secrets
The brief
Document where every secret lives. Rotate JWT_SECRET in dev and write down what breaks. Add audience and expiry validation to your JWT verify. Add one Sentinel rate-limit rule to /api/auth/login.
You've completed this when
- Token rotation works without downtime: tokens issued under the old secret keep verifying until they expire, while new tokens are signed with the new one
- No secrets in committed files: .env stays out of the repo, and nothing secret is left in the git history
- Rate limit on /api/auth/login verified by a k6 test that sees requests rejected once the limit is hit
Worked through every criterion?
Push your code to GitHub, paste the link in your notes.md, and move on.
Continue to ch.5: The Grit Defensive Stack