Zero trust at the edge: identity, device posture, and API calls from browsers
CORS alone cannot authenticate users; pair edge policies with strong tokens and continuous validation.
Tags: zero-trust, security, edge
Beyond Allow-Origin
Use short-lived access tokens bound to audience and scope; refresh with rotation to reduce replay windows.
Device posture checks belong near identity providers; do not try to replicate them purely with CORS headers.
Observability
Correlate gateway denials with user sessions to detect token theft attempts quickly.
Alert on spikes in 401/403 counted separately from 429, so that auth incidents are not mixed up with quota issues.
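As an added example of the two observability points (it is not code from the original post), the following runs over a few constructed gateway log lines: it buckets auth denials (401/403) apart from rate limiting (429) per time window, and flags sessions whose denials arrive from more than one source address, a pattern worth correlating with the session when investigating possible token theft. The log format, field names and thresholds are assumptions for the example, not any particular gateway's output.

```python
import re
from collections import Counter, defaultdict

# Assumed key=value log format; adapt the regex to the gateway actually in use.
LOG_RE = re.compile(r"ts=(?P<ts>\d+) ip=(?P<ip>\S+) session=(?P<session>\S+) status=(?P<status>\d{3})")

# Constructed sample: session s1 is denied from two different addresses,
# session s2 is merely rate limited, s3 is healthy.
SAMPLE_LOG = """\
ts=100 ip=10.0.0.5 session=s1 status=200
ts=101 ip=10.0.0.5 session=s1 status=401
ts=102 ip=203.0.113.9 session=s1 status=401
ts=103 ip=203.0.113.9 session=s1 status=403
ts=104 ip=10.0.0.7 session=s2 status=429
ts=105 ip=10.0.0.7 session=s2 status=429
ts=106 ip=10.0.0.7 session=s2 status=429
ts=107 ip=10.0.0.8 session=s3 status=200
ts=160 ip=203.0.113.9 session=s1 status=401
"""


def parse(log_text: str):
    """Turn log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = int(d["ts"])
            d["status"] = int(d["status"])
            events.append(d)
    return events


def classify(status: int) -> str:
    """Keep auth denials and quota responses in separate buckets."""
    if status in (401, 403):
        return "auth_denied"
    if status == 429:
        return "rate_limited"
    return "other"


def window_counts(events, window: int = 60):
    """Per fixed time window, count events by class -> {window_start: Counter}."""
    buckets = defaultdict(Counter)
    for e in events:
        buckets[(e["ts"] // window) * window][classify(e["status"])] += 1
    return dict(buckets)


def auth_spike_alerts(events, window: int = 60, threshold: int = 3):
    """Windows whose auth-denial count alone (429s excluded) reaches the threshold."""
    counts = window_counts(events, window)
    return sorted(w for w, c in counts.items() if c["auth_denied"] >= threshold)


def session_denial_alerts(events, min_denials: int = 2, min_ips: int = 2):
    """Sessions with repeated auth denials seen from more than one source address."""
    per_session = defaultdict(lambda: {"denials": 0, "ips": set()})
    for e in events:
        if classify(e["status"]) == "auth_denied":
            s = per_session[e["session"]]
            s["denials"] += 1
            s["ips"].add(e["ip"])
    return sorted(
        sid for sid, s in per_session.items()
        if s["denials"] >= min_denials and len(s["ips"]) >= min_ips
    )


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("windows:", window_counts(evs))
    print("auth spikes:", auth_spike_alerts(evs))
    print("suspicious sessions:", session_denial_alerts(evs))
```

On the sample, the first window holds three auth denials and three 429s; counting them together would double the apparent auth-failure rate, which is exactly the confusion the separate buckets avoid.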
