tattle-made / kosh-v2

As Tattle, I want to be sure that unauthorized access to the data is not possible

dennyabrain opened this issue

This primarily refers to "auditing the signup, login and JWT token based authentication" part of the app.
This feature was developed a while ago and never really stress tested. Also the JWT token has an expiry date but I don't think we ever implemented the "revoke and reissue new token" flow on the app frontend. So this would involve that.