Security: nik2208/node-auth

SECURITY.md

Security Policy

Supported Versions

Version          Supported
Latest (main)
Previous minor   ⚠️ Critical fixes only
Older

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

To report a security issue, open a GitHub Security Advisory (private disclosure). You can also use the "Report a vulnerability" button on the Security tab.

Please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce or a proof-of-concept
  • Affected versions
  • Any suggested fix, if you have one

Response timeline

  • Acknowledgement within 48 hours
  • Assessment and triage within 5 business days
  • Fix and advisory published after a patch is ready (coordinated disclosure)

Scope

This policy covers the @nik2208/node-auth npm package and the companion MCP server in this repository. It does not cover third-party dependencies — please report those directly to their respective maintainers.

Security best practices for users

  • Never commit JWT_SECRET, REFRESH_TOKEN_SECRET, or other secrets to source control.
  • Rotate API keys and JWT secrets if you suspect they have been exposed.
  • Keep the library updated to receive security patches (npm update @nik2208/node-auth).
  • Review the hardening guide in the documentation.

There aren’t any published security advisories