caduh

Posts tagged “auth”

Tiny explainers grouped by topic. Spend less time Googling, more time building.

RBAC vs ABAC vs ReBAC

Most teams do not need every authorization model. This shows where RBAC, ABAC, and ReBAC fit, and what gets painful later if you pick the wrong one.

Tags: dev, auth, authorization

Passkeys / WebAuthn in Practice

What shipping passkeys actually involves: registration, sign-in, recovery, account settings, and the RP ID/origin mistakes that break rollouts.

Tags: dev, auth, passkeys
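The RP ID/origin mistakes the post above refers to come down to three server-side checks: that the RP ID you configure is actually valid for the origins users sign in from, that the `rpIdHash` in the authenticator data matches it, and that the `origin` in `clientDataJSON` is matched exactly against an allowlist. The following is an added example written for this index page, not code from the post or from any WebAuthn library; `PUBLIC_SUFFIXES` is a tiny stand-in for the real Public Suffix List, and the authenticator-data bytes are constructed for the demo.

```python
"""RP ID / origin checks a WebAuthn relying party must get right.
Added example for this page, not the site's own code. PUBLIC_SUFFIXES is an
assumed stand-in for the Public Suffix List; constructed_authenticator_data()
builds demo bytes in the real authenticatorData layout."""
import hashlib
import json
from urllib.parse import urlsplit

# Assumption: a few entries only. Real code must consult the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "github.io"}


def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Mirror the browser's rule: rpId must be the origin's effective domain or a
    registrable suffix of it; never a public suffix, never carrying a port or path.
    An rpId of 'app.example.com' therefore breaks sign-in from 'https://example.com',
    while 'example.com' works for both hosts."""
    parts = urlsplit(origin)
    host = parts.hostname
    if host is None or ":" in rp_id or "/" in rp_id:
        return False
    # WebAuthn needs a secure context; plain-http localhost is allowed for development.
    if parts.scheme != "https" and not (parts.scheme == "http" and host == "localhost"):
        return False
    rp_id, host = rp_id.lower(), host.lower()
    if rp_id in PUBLIC_SUFFIXES:
        return False
    return host == rp_id or host.endswith("." + rp_id)


def rp_id_hash_matches(authenticator_data: bytes, rp_id: str) -> bool:
    """The first 32 bytes of authenticatorData are SHA-256(rpId). A credential
    registered under a different rpId fails here, which is what happens after a
    mid-rollout rpId change."""
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return False
    return authenticator_data[:32] == hashlib.sha256(rp_id.encode("ascii")).digest()


def verify_client_data(client_data_json: bytes, expected_type: str,
                       expected_challenge: str, allowed_origins: set[str]) -> bool:
    """Exact-match type, challenge and full origin (scheme, host AND port).
    Comparing only the hostname is the shortcut that lets the wrong origin through."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False
    return (cd.get("type") == expected_type
            and cd.get("challenge") == expected_challenge
            and cd.get("origin") in allowed_origins)


def constructed_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Demo-only bytes: rpIdHash || flags (UP|UV = 0x05) || 4-byte counter."""
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([0x05])
            + sign_count.to_bytes(4, "big"))


def constructed_client_data(origin: str, challenge: str, typ: str = "webauthn.get") -> bytes:
    """Demo-only clientDataJSON as a browser would produce it for the given origin."""
    return json.dumps({"type": typ, "challenge": challenge, "origin": origin}).encode()
```

Pick the RP ID once, as the registrable domain shared by every host that will ever call `navigator.credentials.get()`, and keep a per-environment origin allowlist that includes ports for local development; both values live in config, not in code.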

Session Cookies vs JWTs vs PASETO

Three ways to carry auth state, three different tradeoffs. Here’s where session cookies, JWTs, and PASETO fit without stateless-auth cargo culting.

Tags: dev, auth, security

OAuth 2.1 & OpenID Connect for Builders

The auth stack most teams inherit, minus the jargon: code + PKCE, refresh tokens, ID tokens, and machine-to-machine flows that actually matter.

Tags: dev, auth, oauth
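The "code + PKCE" flow named in the post above is small enough to show end to end. The block below is an added example for this page, not code from the post or from any OAuth library: the `AuthorizationServer` class and its `authorize`/`token` methods are hypothetical stand-ins for the two endpoints, written to show what the server must enforce (S256 only, single-use codes, constant-time challenge comparison) and why an intercepted authorization code is useless without the verifier.

```python
"""PKCE (RFC 7636) as OAuth 2.1 requires it: the client's verifier/challenge,
the server's checks, and the interception case it defends against.
Added example; AuthorizationServer is a hypothetical minimal server, not a
real library's API."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical AS keeping only the state PKCE needs per pending code."""

    def __init__(self) -> None:
        self._pending: dict[str, dict] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str) -> str:
        """Authorization endpoint: bind the challenge to the issued code."""
        if code_challenge_method != "S256":  # OAuth 2.1 drops 'plain'
            raise ValueError("invalid_request: only S256 is accepted")
        code = b64url(secrets.token_bytes(32))
        self._pending[code] = {"client_id": client_id,
                               "redirect_uri": redirect_uri,
                               "challenge": code_challenge}
        return code

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str) -> dict:
        """Token endpoint: codes are single-use, so pop() makes a replay fail."""
        rec = self._pending.pop(code, None)
        if (rec is None or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid_grant")
        if not 43 <= len(code_verifier) <= 128:
            raise PermissionError("invalid_grant: bad verifier length")
        # Recompute the challenge and compare in constant time.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), rec["challenge"]):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer", "expires_in": 600}


REDIRECT = "https://app.example/cb"  # assumed client redirect URI


def legitimate_flow(server: AuthorizationServer) -> dict:
    """Client keeps the verifier in memory and sends only its hash up front."""
    verifier = make_code_verifier()
    code = server.authorize("spa-client", REDIRECT, code_challenge_s256(verifier), "S256")
    return server.token("spa-client", REDIRECT, code, verifier)


def intercepted_code_attack(server: AuthorizationServer) -> str:
    """Attacker reads the code off the redirect but never saw the verifier."""
    verifier = make_code_verifier()
    code = server.authorize("spa-client", REDIRECT, code_challenge_s256(verifier), "S256")
    try:
        server.token("spa-client", REDIRECT, code, make_code_verifier())
    except PermissionError as err:
        return str(err)
    return "attack succeeded"
```

The verifier never leaves the client until the token request, which goes directly to the token endpoint over TLS, so a code leaked through a referrer, a log line or a malicious app registered for the same custom scheme cannot be redeemed.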

JWTs — Expiration, Rotation, and Revocation

Design access + refresh flows that are safe: short-lived access tokens, rotating refresh tokens with reuse detection, device-scoped sessions, and practical revocation strategies.

Tags: dev, security, auth
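The refresh-rotation design the post above lists (short-lived access tokens, rotating refresh tokens with reuse detection, device-scoped sessions, and revocation) fits in one small store. The block below is an added example for this page, not code from the post; `SessionStore` and its methods are hypothetical names, tokens are opaque random strings rather than JWTs so the store can be checked offline, and the in-memory dicts stand in for a database or Redis with the same shape.

```python
"""Refresh-token rotation with reuse detection over device-scoped session
families. Added example for this page; SessionStore is a hypothetical
in-memory store, and tokens are opaque strings standing in for JWTs."""
import secrets
import time
from typing import Optional


class SessionStore:
    def __init__(self, access_ttl: int = 600, refresh_ttl: int = 30 * 86400) -> None:
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.families: dict[str, dict] = {}      # family_id -> one device's session
        self.refresh_index: dict[str, str] = {}  # every refresh token ever issued -> family_id
        self.access_index: dict[str, dict] = {}  # access token -> {family, exp}

    def _issue(self, family_id: str, now: float) -> tuple[str, str]:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_index[access] = {"family": family_id, "exp": now + self.access_ttl}
        # Old refresh tokens stay in the index: that is what makes a replay recognisable.
        self.refresh_index[refresh] = family_id
        self.families[family_id]["current"] = refresh
        return access, refresh

    def login(self, user: str, device: str, now: Optional[float] = None) -> tuple[str, str, str]:
        """One family per device so 'sign out this laptop' is a single flag."""
        now = time.time() if now is None else now
        family_id = secrets.token_urlsafe(16)
        self.families[family_id] = {"user": user, "device": device, "current": None,
                                    "revoked": False, "exp": now + self.refresh_ttl}
        access, refresh = self._issue(family_id, now)
        return family_id, access, refresh

    def refresh(self, presented: str, now: Optional[float] = None) -> tuple[str, str]:
        now = time.time() if now is None else now
        family_id = self.refresh_index.get(presented)
        if family_id is None:
            raise PermissionError("unknown refresh token")
        fam = self.families[family_id]
        if fam["revoked"] or now > fam["exp"]:
            raise PermissionError("session revoked or expired")
        if presented != fam["current"]:
            # A rotated-out token came back. Either an attacker replayed a stolen
            # copy, or the real client did after the attacker used it first. We
            # cannot tell which, so the whole family dies and that device must
            # sign in again.
            fam["revoked"] = True
            raise PermissionError("refresh token reuse detected; session revoked")
        return self._issue(family_id, now)

    def validate_access(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live access token, else None. Checking the family
        here gives immediate revocation; with stateless JWTs you would instead rely
        on the short TTL or a denylist keyed by family id."""
        now = time.time() if now is None else now
        rec = self.access_index.get(token)
        if rec is None or now > rec["exp"]:
            return None
        fam = self.families[rec["family"]]
        return None if fam["revoked"] else fam["user"]

    def revoke_device(self, family_id: str) -> None:
        """'Sign out this device' from account settings."""
        self.families[family_id]["revoked"] = True

    def revoke_user(self, user: str) -> int:
        """'Sign out everywhere': returns how many live sessions were revoked."""
        n = 0
        for fam in self.families.values():
            if fam["user"] == user and not fam["revoked"]:
                fam["revoked"] = True
                n += 1
        return n


def replay_scenario() -> list[str]:
    """Theft and replay, step by step; returns what each step observed."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    _fam, a1, r1 = store.login("alice", "laptop", now=t0)
    a2, r2 = store.refresh(r1, now=t0 + 100)              # legitimate rotation
    out = [f"a1 live: {store.validate_access(a1, now=t0 + 100) is not None}"]
    for tok, at in ((r1, t0 + 200), (r2, t0 + 300)):        # attacker replays r1, then the
        try:                                                # real client tries its valid r2
            store.refresh(tok, now=at)
            out.append("refresh ok")
        except PermissionError as err:
            out.append(str(err))
    out.append(f"a2 live: {store.validate_access(a2, now=t0 + 300) is not None}")
    return out
```

Two details matter in practice: an already-issued access token stays valid until its own short expiry even after a rotation (hence `a1 live: True` right after the refresh), which is the window the short TTL bounds; and reuse detection only works if rotated-out refresh tokens are remembered, at least until the family's expiry, rather than deleted on rotation.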