JWT
0 lessons
1 system design
3 community items
Community
3 items
Code Snippet
Verify a JWT Without a JWT Library
How I verify HS256 JSON Web Tokens with the Web Crypto API and zero npm dependencies. Decodes the segments, checks the signature in constant time, and refuses to trust `alg: none`.
Article
JWT vs Sessions and When Stateless Bites Back
Sessions are the right default for first-party web apps. JWTs make sense at federation boundaries. Stateless is a property of where state lives, not whether it exists.
Article
OAuth2 and OpenID Connect: The Flows That Actually Matter
OAuth 2.0 is delegation. OpenID Connect is identity. Most bugs come from confusing the two. The four flows that matter, the eight checks I review, and what to never roll yourself.
