Intermediate Backend

Authentication & Authorization

JWT, OAuth, sessions, and access control patterns.

Securing Your Application

Authentication verifies who users are; authorization determines what they can do.

Authentication Methods

  • Session-based: Server stores session, client has session ID cookie
  • JWT (JSON Web Tokens): Stateless, self-contained tokens
  • OAuth 2.0: Delegated authorization (Login with Google)
  • Magic Links: Passwordless email authentication
  • Passkeys: WebAuthn-based passwordless auth

JWT Structure

// A JWT is three base64url-encoded segments joined by dots: header.payload.signature
// Decoded header:
{ "alg": "HS256", "typ": "JWT" }
// Decoded payload (claims):
{ "sub": "1234", "exp": 1234567890 }
// Signature: HMAC-SHA256 over base64url(header) + "." + base64url(payload), keyed with the server secret

Authorization Patterns

  • RBAC: Role-Based Access Control (admin, user, guest)
  • ABAC: Attribute-Based Access Control
  • Permissions: Granular, action-based (can:read, can:write)
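Added example (not from the original page) combining the three patterns: roles map to can:* permissions (RBAC), and attribute rules on the user and resource then narrow what those permissions allow (ABAC). The role table, User and Document types and the rules are constructed for illustration; the one rule that matters for security is that the check denies by default and only grants when a rule explicitly allows.

```python
from dataclasses import dataclass
from typing import FrozenSet, Set

# Constructed role -> permission table (RBAC), using the can:<action> naming.
ROLE_PERMISSIONS = {
    "guest": {"can:read"},
    "user": {"can:read", "can:write"},
    "admin": {"can:read", "can:write", "can:delete"},
}


@dataclass(frozen=True)
class User:
    id: str
    roles: FrozenSet[str] = frozenset()
    department: str = ""


@dataclass(frozen=True)
class Document:
    id: str
    owner_id: str
    department: str = ""
    classification: str = "internal"  # "internal" or "confidential"


def permissions_for(user: User) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: User, action: str, doc: Document) -> bool:
    """Deny by default; return True only when RBAC and ABAC rules both pass."""
    # RBAC: the action must be covered by one of the user's roles.
    if f"can:{action}" not in permissions_for(user):
        return False
    # ABAC: attributes of the user and the resource refine the decision.
    if "admin" in user.roles:
        return True
    if doc.classification == "confidential" and doc.owner_id != user.id:
        return False
    if action in ("write", "delete") and doc.owner_id != user.id:
        return False
    if doc.department and doc.department != user.department:
        return False
    return True


if __name__ == "__main__":
    alice = User("alice", frozenset({"user"}), "eng")
    bob = User("bob", frozenset({"user"}), "eng")
    report = Document("r1", owner_id="alice", department="eng")
    print("bob reads alice's report:", is_allowed(bob, "read", report))
    print("bob edits alice's report:", is_allowed(bob, "write", report))
```

Keeping the policy in one function makes it testable in isolation and easy to audit; scattering role checks across route handlers is how missing-authorization bugs creep in.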

Security Best Practices

  • Hash passwords with bcrypt or Argon2
  • Use HTTPS everywhere
  • Set cookies with the Secure and HttpOnly flags
  • Implement rate limiting
  • Validate and sanitize all inputs
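Added example (not from the original page) tying the session-based method listed under Authentication Methods to the cookie advice above: the server keeps session state in a store keyed by a random, high-entropy session ID, and sends that ID to the browser in a cookie carrying the Secure, HttpOnly and SameSite flags. The in-memory store is a constructed stand-in for Redis or a database.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_TTL = 3600  # seconds a session stays valid without renewal
COOKIE_NAME = "sid"


class SessionStore:
    """Server-side session store; the client only ever holds the opaque ID."""

    def __init__(self, ttl: int = SESSION_TTL):
        self._sessions: Dict[str, dict] = {}
        self._ttl = ttl

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 32 random bytes (256 bits) from the OS CSPRNG: not guessable or enumerable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "expires": now + self._ttl}
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session["expires"] <= now:
            # Expired sessions are purged on first touch.
            self._sessions.pop(sid, None)
            return None
        return session

    def destroy(self, sid: str) -> None:
        """Logout: invalidate server-side, which a stateless token could not do."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age: int = SESSION_TTL) -> str:
    """Value for a Set-Cookie header with Secure, HttpOnly and SameSite set.

    Secure: only sent over HTTPS.  HttpOnly: invisible to document.cookie, so
    injected script cannot read it.  SameSite=Lax: not attached to cross-site
    POSTs, which blunts CSRF.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    morsel = cookie[COOKIE_NAME]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def session_id_from_request(cookie_header: str) -> Optional[str]:
    """Extract the session ID from an incoming Cookie header, if present."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("user-1234")
    print("Set-Cookie:", session_cookie_header(sid))
    print("Lookup:", store.lookup(sid))
```

The session ID carries no meaning on its own, so nothing about the user leaks if it is seen; what matters is that it cannot be guessed and that it travels only over HTTPS and out of reach of page scripts.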