Spotlight
![All you need to know before adding auth to your project](/knowledge-base/assets/images/auth-sitrep-95de7f3bb88997789d2ce3d5cd8d19e7.jpg)
Auth situation report
Before adding auth to your project, there is a lot to consider. The auth space is currently very active, with new vendors appearing and old ones repositioning themselves. How to pick the right one? What to search for? What are the common pitfalls? Read to find out.
![What's the difference between authentication and authorization?](/knowledge-base/assets/images/authn-authz-e644db01636d20f576556e2779bf4999.jpg)
To authenticate or to authorize - what is the difference?
Authentication vs authorization - which one is which? Even experienced software developers confuse the two. Let’s make it crystal clear once and for all - what is the difference and why it matters.
![Authorization may seem simple but always ends up more complex than you guess](/knowledge-base/assets/images/path-f065a9fc8eaaece3ff2988c46fce73b1.jpg)
So you want to build your own authorization?
When writing new software, it's hard to notice complexity creeping in. Authorization is one of the aspects where things start deceptively simple and before you notice, you end up in a zoombombing scandal.
![Multitenant architecture comparison](/knowledge-base/assets/images/creating-a-multitenant-application-dc60bb1eceeae7b837ceecb96a602ac9.jpg)
How to secure a multitenant application architecture
How to create and secure an application where multiple users share one account, are part of multiple organizations, and interact with other accounts.
![A digital avatar giving a box of virtual components to another digital avatar](/knowledge-base/assets/images/post-849358ee69b95d845d419294467d6bb3.jpeg)
Challenges building solutions for user sharable resources
Sharing resources between users seems like it should be simple, so why are there no obvious simple solutions? Maybe it isn't so simple after all.
![It's not worth gambling on data privacy of your users](/knowledge-base/assets/images/gamble-9bf7cbfdbb8d17fd37f450498eec7760.jpg)
Why companies gamble on user data privacy
Despite GDPR, we still hear about embarrassing data leaks, often at big tech companies. What is so difficult about protecting your users' data? Turns out, it's just business...
![Login standardization](/knowledge-base/assets/images/oauth-login-trust-standardization-49229b9116a2a590aaf2ae46564f8de8.jpg)
OAuth Login should be standardized and this is why it cannot be
The problem of trust relationships in OAuth, how clients hold all the power, and why login/user identity should be standardized.
![Unlocking JWT security in web apps](/knowledge-base/assets/images/how-to-verify-jwt-in-web-app-28726f480d960dfb2c26a504f5a73bd0.png)
Validating JWTs in Web APIs
Securing a web application or API requires actually validating the access token that is being used. When using JWTs, there are two mechanisms for doing this.
![API Client secret vault](/knowledge-base/assets/images/securely-store-client-key-secret-9db446340affb4e3fe160612f91a35e3.png)
Securely store client IDs and secret access keys
API access is provided through client IDs and secret access keys, and because of the authority attached to these credentials, they must be secured as safely as possible.
![Selecting the right HTTP error code](/knowledge-base/assets/images/hiding-resources-from-attackers-4efba32281444d388efe4959685a5e03.png)
Choosing the right error code: 401, 403, or 404
Here we’ll break down the most common HTTP error responses used for the purposes of API security.
![Magic links and passwordless login](/knowledge-base/assets/images/magic-links-passwordless-login-a1a8eeb10b3b390b1deea64cc860889b.png)
Magic links and Passwordless login
Making user signup and login easy is critical to having a successful app. Magic links and passwordless login help, but they can create many problems in the longer term, and not ones that have easy solutions.
![Long running transactions with refresh tokens](/knowledge-base/assets/images/post-867d84fe1eeff92feef379ac1ba6e537.png)
Handling security of long-running transactions
A deep dive into the security of long-running offline transactions using refresh tokens and service client tokens.
![JWT role myths](/knowledge-base/assets/images/authorization-token-access-token-jwt-myths-7399e537ba13a37337ad9cd556e7928a.jpg)
JWT access token misconceptions
Tackling the myths of JWT roles at scale, what scopes are, and whether CIAM providers are expensive.
Videos
Case studies
![Authorize Gitlab to access AWS without access keys](/knowledge-base/assets/images/post-f2d752052188abbe9799f6a0f0973738.png)
AWS + GitLab - Leveling up security of your CI/CD platform
Stop using AWS access keys and secrets today!
![Capitol building cybersecurity vulnerabilities](/knowledge-base/assets/images/breach-enabling-emergency-data-protection-case-study-bd69b22795b2338100ca2b923905350e.jpg)
Breach - Enabling emergency data protection
The unauthorized access to the US Capitol building presents a unique cybersecurity opportunity to reexamine best practices in this data security case study.
![Case study of Zoombombing](/knowledge-base/assets/images/zoombomb-7ece509bd2be91d63c98e578d94f4c43.jpg)
Zoombombing - a case study of data protection
Zoombombing is a relatively recent phenomenon, although the underlying causes aren't new. In this case study, I take a look at what went wrong and how a company can protect itself from similar issues.