caduh

Posts tagged “auth”

Tiny explainers grouped by topic. Spend less time Googling, more time building.

RBAC vs ABAC vs ReBAC

A practical guide to choosing role-based, attribute-based, or relationship-based authorization for real products, with examples for SaaS apps, internal tools, B2B org models, and shared resources.

Tags: dev, auth, authorization

Passkeys / WebAuthn in Practice

A practical guide to shipping passkeys with WebAuthn: registration, sign-in, recovery, account settings, and the RP ID/origin gotchas that usually break rollouts.

Tags: dev, auth, passkeys

Session Cookies vs JWTs vs PASETO

A practical guide to choosing session cookies, JWTs, or PASETO for web apps, SPAs, mobile apps, and APIs without cargo-culting stateless auth.

Tags: dev, auth, security

OAuth 2.1 & OpenID Connect, Explained for Builders

A practical guide to OAuth 2.1 and OpenID Connect for real apps: authorization code + PKCE, refresh tokens, ID tokens, and machine-to-machine flows without the usual auth confusion.

Tags: dev, auth, oauth

JWTs — Expiration, Rotation, and Revocation

Design access and refresh token flows that are safe: short-lived access tokens, rotating refresh tokens with reuse detection, device-scoped sessions, and practical revocation strategies.

Tags: dev, security, auth