MFA Policy
{
// Multi-factor authentication policy. Nothing visible here scopes it per role or
// per user, so every value below applies tenant-wide.
"mfa": {
"required": true, // Force MFA for all users; with gracePeriod > 0 enforcement is deferred, not immediate
"methods": ["totp", "webauthn"], // Allowed methods. NOTE(review): webauthn is phishing-resistant, totp is not — consider webauthn-only for privileged accounts
"gracePeriod": 7, // Days before MFA is enforced; accounts can sign in with a single factor for this whole window
"rememberDevice": true, // Skip MFA on trusted devices. NOTE(review): whatever token marks a device "trusted" is an MFA bypass for rememberDuration if stolen — confirm it can be revoked
"rememberDuration": 30 // Days to remember device (presumably ignored when rememberDevice is false — confirm)
}
}
Session Policy
{
// Session lifetime and binding policy. Both timeouts are in seconds.
"session": {
"maxConcurrent": 5, // Max sessions per user. NOTE(review): not shown whether the oldest session is evicted or the new login is rejected at the limit — confirm
"timeout": 3600, // Idle timeout in seconds (1 h): the session ends after this long without activity
"absoluteTimeout": 86400, // Max session duration in seconds (24 h) regardless of activity; bounds how long a stolen session stays usable
"deviceBinding": true, // Bind session to device, so a session presented from a different device is rejected (presumably via the fingerprint below — confirm)
"fuzzyMatchThreshold": 0.7 // Device fingerprint tolerance. NOTE(review): presumably the similarity a fingerprint must reach to still count as the bound device; confirm the direction. A loose threshold weakens deviceBinding against token theft from a similar environment
}
}
Password Policy
{
// Password policy. NOTE(review): the breach check is the strongest control here;
// the composition rules and periodic expiry are the ones NIST SP 800-63B advises against.
"password": {
"minLength": 8, // NIST SP 800-63B minimum for user-chosen passwords; 12+ is a common stronger floor
"requireUppercase": true, // Composition rules (this and the next three). NOTE(review): NIST SP 800-63B recommends against them — they push users to predictable patterns
"requireLowercase": true,
"requireNumber": true,
"requireSpecial": false,
"checkBreached": true, // Check HaveIBeenPwned. NOTE(review): confirm the lookup uses the k-anonymity range API so the full password hash never leaves the system
"maxAge": 90, // Days before password expires. NOTE(review): NIST SP 800-63B advises no periodic expiry; rotate on evidence of compromise instead
"preventReuse": 5 // Remember last N passwords; only has an effect when a change is forced or chosen
}
}
Branding
{
// Branding shown to end users on OAuth consent screens and in email templates.
// Everything here is rendered into untrusted-facing markup, so treat it as content, not config.
"branding": {
"name": "My Company", // Display name. NOTE(review): confirm it is HTML-escaped where it is rendered
"logo": "https://...", // Absolute HTTPS URL. Presumably fetched by the user's browser or mail client, so host it on an origin you control — confirm
"favicon": "https://...", // Absolute HTTPS URL; same hosting caveat as logo
"primaryColor": "#10B981", // Hex colour. NOTE(review): confirm the value is validated as a colour before it is interpolated into CSS or email markup
"backgroundColor": "#0A0A0A" // Hex colour; same validation caveat as primaryColor
}
}
Branding settings are rendered to end users in OAuth consent screens and email templates, so the logo and favicon URLs should point at an HTTPS origin you control, and the colour values should be validated as hex colours before they are interpolated into markup.