Releases: Hawk-API/hawkapi-auth

v0.2.1

10 Jun 11:39

Security hardening.

  • TokenIssuer validates secret/key length at construction (CWE-665)
  • JWT jti uses secrets.token_hex instead of uuid4 (CWE-330)
  • Warn when audience unset and on first in-memory token revocation
  • verify_password logs unexpected errors instead of silently returning False (CWE-755)
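
What the first two v0.2.1 items look like in practice, as an added example that is not hawkapi-auth's code: a secret-length check that fails at construction, and a `jti` drawn from `secrets.token_hex`. `DemoIssuer`, `verify` and the minimum lengths are assumptions; the minimums follow the RFC 7518 section 3.2 rule that an HMAC key be at least as long as the hash output.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumed thresholds (RFC 7518 section 3.2: key >= hash output size).
# The thresholds hawkapi-auth enforces are not stated in these release notes.
MIN_SECRET_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class DemoIssuer:
    """Hypothetical HMAC-only issuer; not the project's TokenIssuer."""

    def __init__(self, secret: bytes, algorithm: str = "HS256"):
        if algorithm not in MIN_SECRET_BYTES:
            raise ValueError(f"unsupported algorithm: {algorithm}")
        need = MIN_SECRET_BYTES[algorithm]
        if len(secret) < need:  # reject at construction, not at first use
            raise ValueError(f"{algorithm} secret must be >= {need} bytes, got {len(secret)}")
        self._secret, self._alg = secret, algorithm

    def issue(self, subject: str, ttl: int = 900) -> str:
        now = int(time.time())
        # jti: 16 bytes (128 bits) from the OS CSPRNG, hex-encoded
        claims = {"sub": subject, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(16)}
        header = {"alg": self._alg, "typ": "JWT"}
        signing_input = ".".join(
            b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
        sig = hmac.new(self._secret, signing_input.encode(), DIGESTS[self._alg]).digest()
        return f"{signing_input}.{b64url(sig)}"


def verify(token: str, secret: bytes, algorithm: str = "HS256") -> dict:
    """Check signature (constant-time) and expiry; return the claims."""
    signing_input, _, sig = token.rpartition(".")
    expected = b64url(hmac.new(secret, signing_input.encode(), DIGESTS[algorithm]).digest())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("bad signature")
    payload = signing_input.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["exp"] <= time.time():
        raise ValueError("token expired")
    return claims
```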

v0.2.0 — security hardening

16 May 14:11

Full OWASP review fixes. See CHANGELOG.md for details.

v0.1.0

16 May 08:47

Initial release.

  • JWT access + refresh tokens (HS256/384/512, RS*, ES*).
  • argon2id password hashing with needs_rehash.
  • DI guards: requires_user, requires_claims, requires_scopes.
  • In-memory RevocationList with lazy expiry sweep.
  • init_auth(app, config=...) plugin entry point.