EmbedAuth Blog
Deep, opinionated writing on OAuth, JWT, passwordless flows, session design, and the architectural choices behind production auth systems.
Authentication
Stateful sessions vs. stateless tokens, cookie security flags, refresh token rotation, idle and absolute timeouts, and how to revoke access when it matters.
Authentication
Embedded authentication keeps users in your product when they sign in, instead of bouncing them to a third-party domain. Here's how it works, what it changes, and the tradeoffs you sign up for.
Multi-Tenant Auth
How to model organizations, users, roles, and isolation when one user can belong to many tenants — and the architectural decisions that are painful to reverse later.
Security
Credential stuffing, broken session handling, JWT confusion attacks, account enumeration, and the other ways login systems get broken in production — plus the concrete fixes for each.
OAuth & OIDC
OAuth 2.0 explained without the marketing copy — what the redirects are really doing, where the tokens come from, what PKCE protects against, and the parts the spec doesn't make obvious.
Passwordless
What passkeys actually are, how WebAuthn works under the hood, why they resist phishing where passwords and OTPs fail, and how to adopt them without locking users out.
React Auth
Iframe-based auth looks like a clean way to embed a sign-in form. The browser thinks otherwise. Here's what actually breaks — cookies, postMessage, ITP, focus, autofill — and the patterns that survive contact with real users.
JWT
A JWT is three base64-encoded strings separated by dots. What's in them, how signatures actually work, why "stateless auth" is a half-truth, and the mistakes that keep showing up in production code.
Security
How to design rate limiting for login, OTP, and reset endpoints — algorithms, what to key on, lockout strategies, and avoiding the traps that let attackers through or lock out real users.