Talk

Virtual

APIs, secrets, and lies: The messy reality of zero-trust at scale

A greenfield dream of one API front door to access all services crashed through four major iterations. Every conversation waded through the IAM alphabet soup of acronyms. It should be just who, what and where. Easy, right?


Signicat grew through acquisitions and pursued product-led growth with self-service APIs. However, real-world scalability, security, compliance, and technical debt threatened delivery of that vision.

This technical retrospective covers the battles won and lost with cache drift, latency spikes, risk profiles, organizational competency gaps, naive OIDC implementations, token leakage exposure, and secret sprawl while serving millions of users per day. The team pieced together known standards and patterns, eliminating tokens from browsers (BFF), client secrets from microservices (SPIFFE), and extending OIDC with mTLS support (RFC 8705).
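The abstract names certificate-bound access tokens (RFC 8705) as the way the team extended OIDC with mTLS. The check a resource server has to perform for that is small but easy to get wrong, so here is an added example of it in Python (not code from the talk or from Signicat): it computes the `x5t#S256` thumbprint of the DER certificate the TLS layer presented, compares it in constant time with the `cnf.x5t#S256` claim in the token, and rejects plain bearer tokens, missing client certificates and expired tokens. The claims dict, the certificate bytes and the timestamps are constructed stand-ins; the example assumes the token's signature and issuer were already verified by the caller, and that `presented_cert_der` comes from the mTLS handshake.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed stand-ins for the DER bytes of client certificates presented on
# the mTLS connection. They are not real certificates; only their hash matters
# for the binding check.
CONSTRUCTED_CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert-not-real-DER"
CONSTRUCTED_OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-different-cert-not-real-DER"


def cert_thumbprint_s256(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256: base64url, without padding, of SHA-256 over the DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_bound_claims(cert_der: bytes, now: float) -> dict:
    """Constructed access-token claims bound to cert_der, as an authorization
    server would issue them for an mTLS-authenticated client (assumed issuer URL)."""
    return {
        "iss": "https://idp.example",
        "sub": "service-a",
        "exp": now + 300,
        "cnf": {"x5t#S256": cert_thumbprint_s256(cert_der)},
    }


def check_certificate_bound_token(claims: dict,
                                  presented_cert_der: Optional[bytes],
                                  now: Optional[float] = None) -> Tuple[bool, str]:
    """Resource-server side of RFC 8705 section 3: decide whether an already
    signature-verified token may be used on this request. Returns (accepted, reason)."""
    now = time.time() if now is None else now

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing exp"

    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        # Policy choice: every token must be certificate-bound. A plain bearer
        # token is refused so a leaked one cannot be replayed from elsewhere.
        return False, "token is not certificate-bound (no cnf.x5t#S256)"

    if presented_cert_der is None:
        return False, "no client certificate presented on this connection"

    expected = cnf["x5t#S256"]
    actual = cert_thumbprint_s256(presented_cert_der)
    # Constant-time comparison; the thumbprint is attacker-influenced input.
    if not isinstance(expected, str) or not hmac.compare_digest(expected, actual):
        return False, "presented client certificate does not match token binding"

    return True, "ok"


if __name__ == "__main__":
    now = time.time()
    bound = make_bound_claims(CONSTRUCTED_CLIENT_CERT_DER, now)
    bearer_only = {k: v for k, v in bound.items() if k != "cnf"}
    scenarios = [
        ("same cert as binding", bound, CONSTRUCTED_CLIENT_CERT_DER, now),
        ("token replayed over other cert", bound, CONSTRUCTED_OTHER_CERT_DER, now),
        ("no client cert on connection", bound, None, now),
        ("unbound bearer token", bearer_only, CONSTRUCTED_CLIENT_CERT_DER, now),
        ("expired token", bound, CONSTRUCTED_CLIENT_CERT_DER, now + 600),
    ]
    for name, claims, cert, when in scenarios:
        accepted, reason = check_certificate_bound_token(claims, cert, when)
        print(f"{name:32s} -> {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

The thumbprint is taken over the whole DER certificate, not the public key, so a renewed certificate with the same key pair still fails the check until the client fetches a new token; that is the intended behaviour of `x5t#S256` binding and worth remembering when planning certificate rotation with a SPIFFE-style short-lived identity.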

This session delivers a blueprint for platform engineers and identity architects who need to deliver invisible, secure-by-default authorization for developer-friendly APIs across on-prem and public clouds to serve people today and AI agents tomorrow.

