Understand the OIDC specification with a practical breakdown of flows, tokens, claims, scopes, and endpoints. Learn the key concepts developers actually need to implement secure authentication.
Learn about the most common OAuth 2.0 grant types, how they work, and when to use each one. A practical guide for developers and security teams.
Learn what Demonstrating Proof-of-Possession (DPoP) is, why it’s important for secure APIs, and how to implement it. Includes practical examples for developers.
Learn how Base64 encoding works, why it’s used, and how to encode or decode data safely. Includes practical examples and a free online Base64 tool.
Learn what SCIM provisioning is, how it works, its benefits and drawbacks, and how SaaS teams can implement it securely and at scale.
Learn how authenticator apps work: TOTP secrets, QR provisioning, clock drift, recovery codes, and why passkeys (WebAuthn) stop phishing.
Discover why HMAC remains the foundation of secure API authentication in 2025. Learn how it protects APIs, prevents tampering, and ensures message integrity.
Learn how to generate and verify HMAC signatures in Python, Node.js, and Go. Secure your API with practical examples, code snippets, and a free online HMAC generator.
See how OTP bot apps bypass SMS 2FA and ship fixes fast: adaptive CAPTCHA, entity rate limits, risk scoring, and Authgear fraud protection.
TOTP codes not working in 2026? See the 5 most common mistakes developers make — clock drift, Base32 secrets, RFC 6238 mismatches, and weak verification logic — and how to fix each one with Python and JavaScript code examples.
What is TOTP (Time-based One-Time Password)? A concise RFC 6238 explanation for developers with code examples (Node, Python, Go), troubleshooting tips, and a free online TOTP tool.
Learn how M2M tokens work, implement OAuth 2.0 Client Credentials, host JWKS, rotate keys, and secure service-to-service authentication with examples in curl, Node, Python, and Go.
Learn what JWKS is, how JWKS URI works, JWK format examples, and practical tips to generate and manage keys for secure token verification.
Learn the differences between JWE and JWT, when to use each, and how to secure your tokens. Includes free debugging and key generation tools.
Learn how JWT authentication works, its pros and cons, and when to use it for secure, scalable applications. Explore alternatives like OAuth, API keys, and SAML for authentication and access management.
Learn everything about role-based access control (RBAC), its benefits, pros and cons, key rules, and comparisons with ABAC and ACL. Discover how Authgear simplifies RBAC for secure and scalable access management.
Learn everything you need to know about PKCE, a security extension for OAuth 2.0 that helps protect your API from authorization code interception and other attacks. Discover how PKCE works, its benefits, and best practices for implementation.
In this we teach how add a full user authentication feature to any React Native application under 10 minutes.
Discover how biometric authentication works, from fingerprints to facial recognition. Explore the technology, benefits, challenges, and its role in shaping the future of secure identity verification.
Almost all popular online services use some form of hash technique to store passwords securely. In this post we cover the different hashing functions, best practices and how to pick the best one for your application and organisation.
Social login allows users to log in to your website using their existing account on social sites like Facebook, Twitter (X), and Google. In this post, we show how to implement social login in a Laravel project using any social login provider.
What is Broken Access Control? Clear examples, API/IDOR scenarios, and a practical prevention checklist (RBAC/ABAC, deny-by-default, testing). Updated for the coming OWASP Top 10 2025.
OAuth 2.0 is the standard behind "Sign in with Google" and every major API. Here's exactly how it works, with diagrams and code.
This blog post demonstrates how to add authentication features to ASP.NET apps with Authgear by implementing an OpenID Connect flow.
