JWTs — Expiration, Rotation, and Revocation
Design access + refresh flows that are safe: short-lived access tokens, rotating refresh tokens with reuse detection, device-scoped sessions, and practical revocation strategies.
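The flow that blurb describes, worked through as an added example (this is not code from the devsecurityauth page or from any library it mentions): access tokens are HS256 JWTs with a five-minute `exp`; refresh tokens are opaque, single-use, and stored only as hashes; each device gets its own session "family"; presenting an already-rotated refresh token trips reuse detection and kills the family; and `revoke_device` logs out one device without touching the others. Every name here (`AuthServer`, `Session`, `ACCESS_TTL`, `REFRESH_TTL`, the demo `SECRET`) and the hand-rolled JWT helper are assumptions for the demo; in production use a maintained JWT library and a shared, persistent session store.

```python
import base64, hashlib, hmac, json, secrets, time
from dataclasses import dataclass, field

# Demo constants (assumed, not from the page): short access TTL, long absolute session lifetime.
ACCESS_TTL = 300            # 5 minutes
REFRESH_TTL = 30 * 86400    # 30 days, then the user must log in again
SECRET = b"demo-only-hs256-key-never-ship-this"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims, key=SECRET):
    """Hand-rolled HS256 JWT for the demo; real code should use a maintained library."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token, key=SECRET, now=None):
    """Return claims if signature and exp hold, else None. alg is pinned, never chosen by the header."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:          # wrong segment count, bad base64, bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

@dataclass
class Session:
    """One device-scoped session: a family of rotated refresh tokens."""
    sid: str
    user: str
    device: str
    current_refresh_hash: str                              # the only refresh token valid right now
    seen_refresh_hashes: set = field(default_factory=set)  # every token ever issued in this family
    absolute_expiry: float = 0.0
    revoked: bool = False

class AuthServer:
    def __init__(self):
        self.sessions = {}   # sid -> Session; a real deployment uses a shared store

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()   # store hashes, never raw tokens
    @staticmethod
    def _new_refresh(sid):
        return f"{sid}.{secrets.token_urlsafe(32)}"         # opaque; the sid prefix locates the family

    def _access(self, s, now):
        return sign_jwt({"sub": s.user, "sid": s.sid, "iat": int(now), "exp": int(now) + ACCESS_TTL})

    def login(self, user, device, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(16)
        refresh = self._new_refresh(sid)
        h = self._hash(refresh)
        s = Session(sid, user, device, h, {h}, now + REFRESH_TTL)
        self.sessions[sid] = s
        return self._access(s, now), refresh

    def refresh(self, refresh_token, now=None):
        """Rotate: each refresh token is valid once. An older token of the family means a copy leaked."""
        now = time.time() if now is None else now
        s = self.sessions.get(refresh_token.split(".", 1)[0])
        if s is None or s.revoked or now >= s.absolute_expiry:
            return None
        h = self._hash(refresh_token)
        if not hmac.compare_digest(h, s.current_refresh_hash):
            if h in s.seen_refresh_hashes:
                s.revoked = True      # reuse detected: attacker or stale client, either way stop the family
            return None
        new_refresh = self._new_refresh(s.sid)
        s.current_refresh_hash = self._hash(new_refresh)
        s.seen_refresh_hashes.add(s.current_refresh_hash)
        return self._access(s, now), new_refresh

    def revoke_device(self, user, device):
        """Device-scoped logout: only that device's family dies; other devices keep working."""
        for s in self.sessions.values():
            if s.user == user and s.device == device:
                s.revoked = True

    def verify_access(self, token, now=None):
        """Signature/exp check plus a session lookup so a revoked sid is rejected before the TTL runs out."""
        claims = verify_jwt(token, now=now)
        if claims is None:
            return None
        s = self.sessions.get(claims.get("sid"))
        return claims if s is not None and not s.revoked else None
```

The session lookup in `verify_access` is the trade-off the title hints at: it buys immediate revocation at the cost of a store hit per request. If you drop it, the access token is fully stateless and a revoked session stays usable for at most `ACCESS_TTL`, which is exactly why that value has to be short. Reuse detection deliberately revokes the whole family rather than just rejecting the stale token, because the server cannot tell whether the legitimate client or the thief presented the current one.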
devsecurityauth
Tiny explainers grouped by topic. Spend less time Googling, more time building.
Use Argon2id (or bcrypt) with unique per‑user salts, optional KMS‑backed pepper, and safe on‑login migrations. Includes copy‑paste snippets for Node, Python, and Go.
A clear, practical comparison: authN proves who you are; authZ decides what you can do. Learn identities, sessions/tokens (OIDC/OAuth2), roles/scopes/permissions, and common pitfalls.
Stateless tokens are convenient, but server sessions are still the default for many apps.