# Authentication Guidelines

## JWT Audience Validation

JWT authentication MUST be verified. Skipping audience validation can lead to token substitution attacks.

Authority: RFC 7519 Section 4.1.3

## Password Hashing

Password hashing MUST be enforced using industry-standard algorithms. Plain text password storage is a critical security vulnerability.

Authority: OWASP Password Storage Cheat Sheet

Authority: CWE-256
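
For the JWT Audience Validation guideline above, the following is an added example, not part of the original guidelines: a standard-library HS256 verifier that rejects a correctly signed token whose `aud` claim names a different service. The service names, the key and the function names `mint`, `verify` and `demo` are assumptions made for illustration, and expiry and issuer checks are left out to keep the focus on `aud`.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key shared by issuer and services

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT (helper for the constructed sample tokens)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify(token: str, key: bytes, expected_aud: str) -> dict:
    """Return the claims only if the signature and the audience both check out."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
        given = _b64url_decode(sig)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise ValueError("bad signature")
    aud = claims.get("aud")  # RFC 7519 4.1.3: a single string or an array of strings
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or expected_aud not in audiences:
        raise ValueError("audience mismatch")  # a missing aud is rejected too
    return claims

def demo() -> dict:
    """Present one token, minted for billing-api, to two hypothetical services."""
    token = mint({"sub": "alice", "aud": "billing-api"}, KEY)
    results = {}
    for service in ("billing-api", "reports-api"):
        try:
            verify(token, KEY, service); results[service] = "accepted"
        except ValueError as exc:
            results[service] = str(exc)
    return results
```

The signature check passes for both services because they trust the same key; only the `aud` comparison stops the token from being replayed against the service it was not issued for.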