Hey everyone, I just pushed a bunch of fixes to create-authenik8-app after digging through the security feedback from the community. No new flashy features. Just making the Identity Engine more solid and reliable because auth is not the place to mess around. Here is what actually changed and why I touched it: Guest/incognito mode no longer has a fake-auth bypass. The old logic was too loose with non-temp tokens. Now it properly verifies real JWTs, only issues a signed guest token when there is truly no token, rejects invalid bearer tokens with a clean 401, and puts the user on req.user like it should. Access token sessions are now written to Redis when signToken runs. Refresh tokens also update the session properly on refresh. This was missing before and it made things inconsistent. IP whitelisting is safer now. I switched to req.ip by default, added optional trustProxyHeaders support for people behind proxies, and made TTLs per-entry instead of one shared value for the whole set.…