Blog

Pick the provider that matches your stack. Drop in the SDK. Ship sign-in in under a day. Full walkthrough.

You can. You probably shouldn't. The full cost analysis most build-vs-buy posts skip.

The honest comparison — and why most dev-first SaaS teams should consider a fourth option.

Ship SSO when a deal requires it, not before. The signs that it's time — and how to architect so it's two weeks, not two quarters.

One auth layer, tenant_id on every row, Postgres row-level security if you trust your ORM. Scales to most B2B SaaS.

Worth it for B2C. Overkill for internal tools. Nuanced for SaaS. The honest take on when to adopt.

Every step in your signup flow halves your conversion. Auth usually adds two or three unnecessary steps. Fixes that pay for themselves.

Three specific things will bend. All are cheap to fix ahead of time. Don't wait for the incident.

Great for day one. Painful by month twelve. Here are the specific walls you'll hit, in order.

Auth0 is solid. It's also priced for companies much bigger than yours. Here's what to switch to, and why.

Three steps. Standard OIDC. Any library implements it identically. No excuse for this to eat a sprint.

The real question isn't "stateless vs stateful." It's "can I revoke this credential in a hurry?"

Most teams budget the initial build. Nobody budgets the next five years. The real math, year by year.

RBAC until it breaks. ABAC when it breaks. Never invent your own policy language. The full rollout path.

When to stop duct-taping and make it real. The four signals that it's time — and the migration path that doesn't break users.

Not much in the product. A lot in auth. The specific things you'll hit in month N.

Append-only, timestamped, with subject and object identified. Five specific requirements that most home-grown logs miss.

What actually works when Auth0 is overkill and rolling your own is a distraction. The pragmatic path for small B2B SaaS.

Recognize the symptoms before they become a quarter of rework. Each sign has a fix — and a lower-friction alternative.

Three env vars, one redirect URI update, one cookie flag. The leap shouldn't require a rewrite.

Server components + a signed session cookie. The cleanest pattern, walked through end to end.

One store, one load function, one redirect guard. Svelte makes this shorter than any other framework.

Load the SDK, link to the provider. Sign users in from a static site without a server or client secret.

Short-lived signed URLs over email. Less UX friction than passwords, half the code.

Argon2id, a sessions table, a rate limiter, and a reset flow. Ship it by dinner if you stop second-guessing.

Logging everything is logging nothing. Pick the events that matter, structure them properly, and make them searchable.

Four components, clear boundaries, no surprises at 100k users. Boring architecture, predictable performance.

Four things to architect today so your first enterprise deal doesn't stall a quarter while you retrofit.

Your session table is the first thing that breaks at real scale. Four things to fix before you get there.

Start with roles. Add attribute-based rules only when roles break. Don't invent your own policy language.

Not "we'll add it later." Later means rewriting every query, and the rewrite is a security bug waiting to happen.

Nothing breaks at 10k. Plenty of things start to bend. Here's what to fix before you hit real scale.

Trusting the token without verifying the signature, or accepting `alg: none`. Two bugs, same root cause.

The build takes weeks. The maintenance takes forever. Here's the realistic five-year cost of rolling your own.

XSS runs code in your origin. CSRF rides your browser. Different threats, different defenses. Confusing them leads to half-applied fixes.

SameSite=Lax made classic CSRF hard. Rare doesn't mean gone — and several modern patterns bring it back.

Not the whole site. The login, password-reset, and MFA endpoints specifically — by account, not just by IP.

It's almost always the auth SDK blocking first paint. Here's how to identify and fix it.

The classic: change-email without re-auth, combined with a password reset, lets an attacker take over an account.

Short sessions feel secure. They're mostly just annoying, and they push users toward worse habits.

If you don't rotate the session ID on login, you're vulnerable. Every framework does this automatically — every hand-rolled system forgets.

Three bugs that almost every hand-rolled reset flow has. Here's how to fix each.

Cookies, unless you have a specific reason not to. The reasons "not to" are usually wrong.

Six rules. Apply all of them and you've covered 95% of the attack surface. Skip one and you're in the other 5%.

Argon2id if you must. Magic links or SSO if you can. The best password DB is the one you don't have.

Nearly identical to Google. The quirks: GitHub gives you a real API token, and Apps beat OAuth Apps for anything beyond sign-in.

Three steps, well-documented spec, one library call per step. No excuse to let this eat a sprint.

Sessions are simpler and revocable. Use them unless you have a specific reason JWTs help.

A protocol that auto-syncs users from your customer's identity provider. Not optional for enterprise deals past a certain revenue threshold.

It's an XML-based SSO protocol from 2005. You'll meet it when your first enterprise customer signs.

If your access token is short-lived and your user is active, probably. If not, you're adding complexity for no benefit.

OAuth authorizes. OIDC authenticates. Most people mean OIDC.