WB-S-1 — Attacker forges JWT to gain API access
Component: Wallet Backend. Mitigations: HMAC-SHA256 signature verified on every request;
iss/aud validated. Action: Rotate JWT signing secret on schedule.
| Property | Value |
|---|---|
| Section | Spoofing |
| Owner | platform |
Mapped Controls
| Control | Title |
|---|---|
| SID-AUTH-02 | JWT Bearer Token Session Management |
Source: STRIDE analysis (April 2026), architecture/stride-threat-model.md
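
The mitigations listed for WB-S-1, sketched as an added example that is not part of the threat model or the Wallet Backend code: a standard-library HS256 verifier that pins the algorithm, compares signatures in constant time, and checks iss/aud. The kid-keyed secret table used to model scheduled rotation, and all names and values, are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed sample values (assumptions, not taken from the threat model).
ISS, AUD = "https://auth.example.test", "wallet-backend"
KEYS = {"k2": b"constructed-current-secret"}  # "k1" was removed by rotation

def _enc(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict, kid: str, secret: bytes, alg: str = "HS256") -> str:
    """Build a token; used here only to produce test input."""
    parts = ({"alg": alg, "typ": "JWT", "kid": kid}, claims)
    msg = ".".join(_enc(json.dumps(p).encode()) for p in parts)
    return msg + "." + _enc(hmac.new(secret, msg.encode(), hashlib.sha256).digest())

def verify(token: str, keys=KEYS, iss=ISS, aud=AUD) -> dict:
    """Return the claims of a valid token, otherwise raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(_dec(h64)), _dec(s64)
        alg, kid = header.get("alg"), header.get("kid")
    except (ValueError, AttributeError):
        raise ValueError("malformed token") from None
    if alg != "HS256":  # pin the algorithm; the header does not get to choose
        raise ValueError("unexpected alg")
    secret = keys.get(kid) if isinstance(kid, str) else None
    if secret is None:  # a rotated-out secret no longer verifies anything
        raise ValueError("unknown or retired kid")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_dec(p64))  # parsed only after the signature checks out
    if claims.get("iss") != iss:
        raise ValueError("wrong iss")
    token_aud = claims.get("aud")
    if aud not in (token_aud if isinstance(token_aud, list) else [token_aud]):
        raise ValueError("wrong aud")
    return claims

def reason(token: str) -> str:
    """Return "ok" or the rejection reason, for logging and tests."""
    try:
        verify(token)
        return "ok"
    except ValueError as e:
        return str(e)
```

Removing a kid from the table is what makes rotation effective: tokens signed with the old secret fail at the key lookup, before any signature comparison.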