Common OAuth 2.0 Grant Types and When You Should Use Each One
Learn about the most common OAuth 2.0 grant types, how they work, and when to use each one. A practical guide for developers and security teams.
Top Open-Source Auth0 Alternatives in 2026: Secure & Self-Hosted Options
Explore the best open-source Auth0 alternatives in 2026. Compare features, deployment models, security, and use cases to choose the right identity solution for your team.
How to Migrate From Auth0 to an Open-Source Identity Provider
Learn how to migrate from Auth0 to an open-source identity provider with this step-by-step guide. Covers planning, data export, implementation, SDK updates, testing, and go-live best practices.
Demonstrating Proof-of-Possession (DPoP): A Complete Guide for Modern OAuth Security
Learn what Demonstrating Proof-of-Possession (DPoP) is, why it’s important for secure APIs, and how to implement it. Includes practical examples for developers.
Base64 Made Easy: How to Encode and Decode Data
Learn how Base64 encoding works, why it’s used, and how to encode or decode data safely. Includes practical examples and a free online Base64 tool.
What is SCIM Provisioning and How Does it Work?
Learn what SCIM provisioning is, how it works, its benefits and drawbacks, and how SaaS teams can implement it securely and at scale.
OWASP Top 10 2025: A10—Mishandling of Exceptional Conditions
What 2025:A10 Mishandling of Exceptional Conditions means, how unpredictable errors can turn into vulnerabilities, and best practices for robust error handling and fail-safe design.
OWASP Top 10 2025: A03—Software Supply Chain Failures
What 2025:A03 Software Supply Chain Failures means, how attacks happen, and a practical checklist to secure your pipeline
How Do Authenticator Apps Work?
Learn how authenticator apps work: TOTP secrets, QR provisioning, clock drift, recovery codes, and why passkeys (WebAuthn) stop phishing.
Connect Supabase with any Auth Provider
Use your existing SSO or IdP with Supabase. Learn how to exchange JWTs for full RLS access and single sign-on integration.
Why HMAC Is Still a Must-Have for API Security in 2025
Discover why HMAC remains the foundation of secure API authentication in 2025. Learn how it protects APIs, prevents tampering, and ensures message integrity.
Generate & Verify HMAC Signatures in Python, Node.js, Go
Learn how to generate and verify HMAC signatures in Python, Node.js, and Go. Secure your API with practical examples, code snippets, and a free online HMAC generator.
Login & Signup UX – Complete 2025 Guide to Authentication Best Practices
Optimizing your login and sign-up experience is crucial in 2025. This guide covers UX principles, patterns like passwordless login and passkeys, real-world login screen examples, and a handy checklist to improve conversion and security.
Insecure Direct Object Reference (IDOR): Examples & API Prevention
What IDOR is, how it happens in web & APIs, real-world examples, and a practical checklist to prevent object-level authZ bugs (BOLA).
Comprehensive Guide to Cryptographic Failures (OWASP Top 10 A02)
Learn what cryptographic failures are, see real-world examples, and get OWASP best practices to secure data in transit & at rest.
OTP Bypass: How OTP Bots Beat SMS 2FA (+ Fixes)
See how OTP bot apps bypass SMS 2FA and ship fixes fast: adaptive CAPTCHA, entity rate limits, risk scoring, and Authgear fraud protection.
5 Common TOTP Mistakes Developers Make (and How to Fix Them in 2026)
TOTP codes not working in 2026? See the 5 most common mistakes developers make — clock drift, Base32 secrets, RFC 6238 mismatches, and weak verification logic — and how to fix each one with Python and JavaScript code examples.
What is TOTP? A short guide for developers (RFC 6238 explained)
What is TOTP (Time-based One-Time Password)? A concise RFC 6238 explanation for developers with code examples (Node, Python, Go), troubleshooting tips, and a free online TOTP tool.
The Complete Guide to Machine-to-Machine (M2M) Authentication — OAuth Client Credentials Flow
Learn how M2M tokens work, implement OAuth 2.0 Client Credentials, host JWKS, rotate keys, and secure service-to-service authentication with examples in curl, Node, Python, and Go.
What Is JWKS? JSON Web Key Set and JWKS URI Explained
Learn what JWKS is, how JWKS URI works, JWK format examples, and practical tips to generate and manage keys for secure token verification.
JWE vs JWT: Key Differences, Use Cases, and Security Tips
Learn the differences between JWE and JWT, when to use each, and how to secure your tokens. Includes free debugging and key generation tools.
Why Your Password Complexity Policy Is Making You Less Secure (And What to Do Instead)
If your website still forces users to include "at least one uppercase letter, one number, and one special character" in their passwords, you're implementing outdated security practices that research shows actually make passwords weaker.
Membership for Webflow with Authgear
Webflow is sunsetting its native User Accounts feature, leaving many site owners searching for a new way to manage member logins and gated content. If you rely on Webflow for authentication, it’s time to explore alternatives—before your users lose access. This article shows how Authgear can seamlessly replace Webflow’s soon-to-be-retired accounts, keeping your community secure and engaged.
Authgear Takes the Passkey Pledge: Our Commitment to a Passwordless Future
Authgear proudly joins the FIDO Alliance's Passkey Pledge, building on our early adoption since 2022. Passkeys eliminate password vulnerabilities while enhancing user experience through biometric verification. We're committed to making passwordless authentication the default, creating a digital ecosystem where security and convenience perfectly coexist.