
Security Documentation

Public security guidance for external integrators. This page focuses on disclosure, secure secret handling, JWT verification, and the public boundary for reviewed access.

Secure integration practices

Protect client credentials

Store client secrets and service tokens in your own secret manager, never in source control or client-side code, and rotate them on a schedule and immediately whenever exposure is suspected.

Verify issued JWTs

Validate Knogin-issued tokens by fetching the signing keys from the public JWKS endpoints and checking the signature, issuer, audience and expiry against them. Do not hard-code keys, accept whatever algorithm the token header announces, or assume any private signing arrangement.

Treat reviewed access as a separate boundary

Do not infer unpublished routes, schema details, or partner-only workflows from the public documentation surface.

Responsible disclosure

If you believe you found a vulnerability affecting the public site or documented integration surface, please report it privately.

  1. Send a clear description of the issue, the affected surface, and the observed impact.
  2. Include safe reproduction steps and timestamps where possible.
  3. Do not attempt privilege escalation, persistence, or access to customer data.
  4. Allow time for triage, remediation, and coordinated follow-up.

Security contact

Use this mailbox for vulnerability disclosure and security-reporting matters only.

security@knogin.com

If you need integration access or a buyer review, use the integration guide or contact form instead.

Need the reviewed integration path?

Use the integration guide for reviewed workflows and the public API reference for the approved external contract.