We shipped Wayforth — a search and payment rail for AI agents — and before expanding the managed services catalog we ran a full security audit. Here's what it found and how we fixed it.

## The Stack

FastAPI · PostgreSQL · Railway · Base blockchain
Supabase Auth · Stripe · Fernet AES-128 · BSL 1.1

```bash
uvx wayforth-mcp
```

## Critical Findings (5)

### C1 — JWT not cryptographically verified

Fix: JWKS-based ES256 verification via Supabase's public endpoint, so no shared secret is needed.

```python
import jwt
from jwt.algorithms import ECAlgorithm


def verify_supabase_jwt(token: str) -> dict:
    jwks = get_jwks()  # cached 1hr; fetched from Supabase's public JWKS endpoint
    header = jwt.get_unverified_header(token)  # untrusted until the signature is verified
    key = next((k for k in jwks if k["kid"] == header.get("kid")), None)
    if key is None:
        raise jwt.InvalidTokenError("no JWKS key matches the token's kid")
    public_key = ECAlgorithm.from_jwk(key)
    # Pinning algorithms=["ES256"] rejects 'none' and HS* tokens outright.
    return jwt.decode(token, public_key, algorithms=["ES256"], audience="authenticated")
```

### C2 — CORS wildcard + credentials

Fix: Explicit origins only.…