An identity provider told us who you were, and we believed it
Single sign-on has a quiet premise: when a user arrives from an identity provider, that provider has already vouched for them, so you can skip the pas…
Tech news from the best sources
Single sign-on has a quiet premise: when a user arrives from an identity provider, that provider has already vouched for them, so you can skip the pas…
We wrote once about the feature tax : the trick of charging you to flip a boolean that's already written, on infrastructure that's already running. Th…
We had a three-replica cluster that kept disagreeing with itself. Background jobs ran two and three times over. The answer wasn't in the logs; it was …
Sign-in worked flawlessly in dev. Then a real user pasted a real code and got "invalid format" — before the code ever reached Supabase. The credential…
Ory Kratos is an open-source, API-first identity and user management system handling registration, login, recovery, verification, and session manageme…
One of the easiest mistakes in agent identity design is to collapse ownership and key custody into the same thing. If a human owns an agent, it can fe…
Most auth bugs do not come from the login button. They show up after login: a user is created in Clerk but not in your app database a session expires …
Your users are in San Francisco, Jakarta, São Paulo, and Sydney. They have WhatsApp open all day. They check it before they check their SMS inbox. Whe…
Here is something most developers shipping SMS OTP in 2026 do not want to sit with: the channel they are trusting to verify their users is failing rou…
Authentication answers "who are you?" Authorization answers the harder question: "are you allowed to do this?" By the time a request reaches this stag…
In the first four chapters of this series I've talked about what the Auth Gateway decides. This chapter is about who it decides for. We run a multi-te…
In Chapter 3 the controller branched on something called the "endpoint type": switch endpointType ( perms ) { case "OPEN" : ... case "AUTHENTICATED" :…
Most auth services start simple — verify the token, return 200 or 401. Then requirements accumulate. Tenant isolation. Service accounts. Token revocat…
If you've been on a platform team long enough, you've probably watched this slow-motion failure: You ship an auth library. Three services adopt it. Si…
In Chapter 1 I claimed our entire Auth Gateway is built on top of one NGINX directive: auth_request . This chapter is a deep dive into how that direct…