Authentication
Verify a JWT Without a JWT Library
How I verify HS256 JSON Web Tokens with the Web Crypto API and zero npm dependencies. Decodes the segments, checks the signature in constant time, and refuses to trust `alg: none`.
JWT vs Sessions and When Stateless Bites Back
Sessions are the right default for first-party web apps. JWTs make sense at federation boundaries. Stateless is a property of where state lives, not whether it exists.
OAuth2 and OpenID Connect: The Flows That Actually Matter
OAuth 2.0 is delegation. OpenID Connect is identity. Most bugs come from confusing the two. The four flows that matter, the eight checks I review, and what to never roll yourself.
Webhook Signature Verifier With Replay Protection
How I verify Stripe-style webhook signatures and stop someone from re-POSTing yesterday's `invoice.paid`. Stdlib HMAC, a tolerance window, and an idempotency cache that lives in any Redis-shaped store.
