Engineering · April 8, 2025 · 2 min read

Stateless JWTs for a fleet of bedside Companions.

Why CareOS validates every device request with HMAC and a shared secret instead of a database round trip — and what that means at the bedside.

A skilled nursing facility might run dozens of Companions across two floors, and a network operator might run thousands across a region. Every one of those devices wakes up, streams audio, posts vitals, and pulls down config. If each request meant a lookup against a central session table, the session table would become the whole product.

So CareOS does not keep server-side sessions. Devices carry a signed JWT, and the Go API validates it with HMAC-SHA256 against a shared secret held in memory. No Firestore hop, no Redis hop on the hot path — just a constant-time signature check and a parsed claim set. A request authenticates in microseconds, and it authenticates the same way whether the device is two racks from the API or two states away.

Where Redis still earns its keep

Stateless on the hot path does not mean stateless about everything. Tokens get hashed with SHA-256 before they touch our Redis Ring, which is sharded across nodes so no single instance owns the keyspace. The cache holds rate-limit counters, short-lived device presence, and the denylist. We never store the raw token; if the cache is compromised, the attacker holds SHA-256 digests of revoked credentials, which is exactly nothing useful.

The honest tradeoff

Stateless auth has one real cost: you cannot revoke a token by deleting a row. Revocation means publishing the hashed token id to the denylist and letting the token itself expire naturally. We accept that tradeoff because tokens are short-lived and scoped per device, and because the alternative — a synchronous DB check on every audio frame — is incompatible with realtime care.
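The two mechanisms above, the in-memory HMAC-SHA256 check on every request and the SHA-256-hashed denylist for revocation, fit together in a few dozen lines of Go. The block below is an added illustration, not CareOS code: the claim names (`sub`, `jti`, `exp`), the `denylist` map standing in for the Redis Ring, and the secret are all constructed for the example. `Verify` pins the algorithm to HS256, recomputes the MAC over `header.payload`, compares with `hmac.Equal` so the comparison is constant-time, and only then parses claims; `Authenticate` adds the denylist lookup keyed by the hash of the token id, and `Revoke` stores an entry with the token's own expiry so it can be dropped once the token would have died anyway.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the device claim set this example assumes; the post does not
// list the real claim names.
type Claims struct {
	Sub string `json:"sub"` // device id
	Jti string `json:"jti"` // token id, the value that gets denylisted
	Exp int64  `json:"exp"` // unix seconds
}

// denylist stands in for the Redis denylist. Keys are SHA-256 hex digests of
// the token id, so the store never holds a raw identifier.
type denylist map[string]time.Time

func hashID(jti string) string {
	sum := sha256.Sum256([]byte(jti))
	return hex.EncodeToString(sum[:])
}

// Revoke publishes the hashed token id together with the token's expiry
// (a Redis TTL in production) so the entry dies when the token does.
func (d denylist) Revoke(jti string, exp time.Time) { d[hashID(jti)] = exp }

func (d denylist) Revoked(jti string, now time.Time) bool {
	exp, ok := d[hashID(jti)]
	return ok && now.Before(exp)
}

// Sign builds an HS256 JWT; included so the example runs stand-alone.
func Sign(c Claims, secret []byte) (string, error) {
	enc := base64.RawURLEncoding
	hdr := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := hdr + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// Verify is the hot-path check: pin the alg, recompute the HMAC over
// header.payload, compare in constant time, then parse and check exp.
func Verify(token string, secret []byte, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := enc.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unsupported alg") // rejects "none" and key confusion
	}
	want := hmac.New(sha256.New, secret)
	want.Write([]byte(parts[0] + "." + parts[1]))
	got, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, want.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	pb, err := enc.DecodeString(parts[1])
	if err != nil {
		return Claims{}, errors.New("malformed payload")
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return Claims{}, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// Authenticate runs the local signature check first, then the hashed-jti
// denylist lookup, which is the only lookup that touches the cache.
func Authenticate(token string, secret []byte, dl denylist, now time.Time) (Claims, error) {
	c, err := Verify(token, secret, now)
	if err != nil {
		return Claims{}, err
	}
	if dl.Revoked(c.Jti, now) {
		return Claims{}, errors.New("token revoked")
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // demo only; load from a secret store in production
	now := time.Now()
	c := Claims{Sub: "companion-0042", Jti: "tok-1", Exp: now.Add(10 * time.Minute).Unix()}
	tok, _ := Sign(c, secret)
	dl := denylist{}
	_, err := Authenticate(tok, secret, dl, now)
	fmt.Println("fresh token:", err)
	dl.Revoke(c.Jti, time.Unix(c.Exp, 0))
	_, err = Authenticate(tok, secret, dl, now)
	fmt.Println("after revoke:", err)
}
```

The order inside `Verify` is the point: the signature is checked before the payload is trusted, so a tampered or forged body never reaches the claim parser, and the `exp` check means a denylist entry only has to live as long as the token it cancels.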

What this buys at the bedside: a Companion in a basement room with one bar of facility wifi still authenticates in a single round trip. A nurse asking it to draft a note does not watch a spinner. A daughter calling her father does not hear dead air while the device re-handshakes. The auth layer disappears, which is exactly what an auth layer is supposed to do.

Tags: auth, go, scale
