Security

PassThru Security White Paper · Version 1.0 · April 2026

Keys Exposed

Code Vulnerabilities

Security Layers

—

Live CVE Scan

Loading live security status…

Private Key Never Leaves the Vault

PassThru uses Azure Key Vault's CryptographyClient for remote signing. The private key used to sign Apple Wallet passes is generated inside Key Vault and is never exported, downloaded, or transmitted outside of Key Vault.

Your app builds the pass manifest and computes a SHA-256 hash
The hash (32 bytes) is sent to Key Vault over TLS
Key Vault signs it using the RSA-2048 private key inside HSM-backed storage
Only the signature bytes come back — never the key
The signed pass is assembled and delivered

Network Isolation

All backend services run inside an Azure Virtual Network with no public internet access:

Resource	Public Access	How It's Accessed
API Gateway (APIM)	Yes (rate-limited)	HTTPS — only public entry point
Function App	No	APIM + CI/CD only (IP allowlist)
Cosmos DB	No	Private endpoint via VNet
Key Vault	No	Private endpoint via VNet

7 Layers of Security

Layer	Control
1. Authentication	Firebase Auth + Google OIDC with Cloudflare Turnstile
2. API Keys	SHA-256 hashed, 256-bit entropy, tenant-scoped
3. Gateway	APIM validates JSON schemas, rate limits, adds security headers
4. Function Keys	Azure platform-enforced auth on all management endpoints
5. Network	VNet isolation, no public access to Function App
6. Private Endpoints	Cosmos DB + Key Vault only reachable inside VNet
7. Managed Identity	RBAC with least-privilege roles, zero credentials in code

Encryption

Purpose	Method
Data at rest	AES-256 (Azure-managed keys)
Data in transit	TLS 1.2+
Pass signing	RSA-2048 + SHA-256 (PKCS#7)
API keys at rest	SHA-256 hashed (irreversible)
Key Vault storage	HSM-backed (FIPS 140-2 Level 2)
APNs push	Mutual TLS (client certificate)

Automated Certificate Lifecycle

Signing certificates are automatically renewed before expiry:

Timer checks cert expiry every 2 weeks
CSR generated inside Key Vault (private key stays in vault)
CSR submitted to Apple's App Store Connect API
Signed cert merged back into Key Vault

No manual certificate handling. Fully automated and auditable.

Vulnerability Scanning

Tool	Scope	Result
Semgrep	246 rules, 46 source files	0 findings
Gitleaks	Secret detection across all commits	0 real findings
npm audit (backend)	All production dependencies	0 vulnerabilities
npm audit (dashboard)	All production dependencies	0 vulnerabilities

CI/CD Security

OIDC deployment — no stored Azure credentials in GitHub
No secrets in code — enforced via Gitleaks scanning
Automated builds — every push triggers build + deploy

Compliance

Framework	Status
GDPR	Aligned — DPA available on request
CCPA	Below threshold — privacy policy in place
SOC 2	Controls aligned — audit available on request
PCI DSS	Not applicable — no cardholder data stored

Incident Response

In the event of a data breach, affected tenants will be notified within 72 hours. A post-incident report will be provided within 30 days.

Contact

For security inquiries or to report a vulnerability:
Marckoy Industries LLC
Email: support@passthru.dev