I'm a senior blockchain and full-stack engineer. Before EmbedAuth I spent years shipping production systems where authentication, session management, and key handling were never optional — and where getting them wrong meant losing user funds, not just a bad login screen.
That background is why EmbedAuth treats auth as a security surface, not a feature checkbox. Token rotation, iframe sandboxing, JWT signing keys, OAuth callback hardening — these decisions ship by default, not as add-ons.
Everything I publish here comes from building and operating real authentication systems, not from summarizing other blog posts. When I describe a failure mode — algorithm-confusion attacks on JWTs, refresh-token reuse detection, account enumeration through timing — it's because I've had to design against it. Where there's a genuine tradeoff (stateful vs. stateless sessions, synced vs. device-bound passkeys), I try to lay out both sides rather than pretend there's one right answer.
My goal is that an engineer can read a piece, understand why a recommendation exists, and apply it the same afternoon.
If you want a topic covered in depth, open an issue on GitHub or message me on LinkedIn. I read every one.