Found 3 relevant sources:
From GitHub (backend/docs/auth.md):Auth uses short-lived JWTs (15 min) with refresh tokens stored in HTTP-only cookies. Token rotation on every refresh. Session table tracks active sessions with device fingerprint and IP.
From memory (decision, Feb 3):Switched from session-based auth to JWT after the horizontal scaling incident. Sticky sessions were causing failover issues. Kept server-side session tracking for revocation capability -- pure stateless JWT wasn't acceptable for security.
From Confluence (Security Playbook, page 12):Refresh token rotation follows OWASP guidelines. On suspected token reuse, all sessions for that user are invalidated. Rate limiting: 5 failed attempts per 15 min window, then progressive backoff.
Synthesis:The auth flow is JWT-based with server-side session tracking for revocation. This hybrid approach was a deliberate decision from February to solve scaling issues while keeping security controls. The key architectural constraint: never go fully stateless -- the session table is load-bearing for the security model.