Learning path

Authentication for backend developers

A curated route through identity, credentials, MFA, authorization, login architecture, token lifecycle, OAuth flows, scopes, service accounts, browser security risks, cookies, CORS preflight behavior, and protected API behavior.

10 guides and tools

Authentication architecture

Compare identity, credentials, permissions, sessions, JWTs, OAuth, OpenID Connect, and login tradeoffs.

10 guides and tools

Browser security risks

Connect CORS, cookies, bearer tokens, CSRF, XSS, storage choices, session fixation, and safe browser authentication design.

13 guides and tools

Protected API behavior

Design permission checks, least privilege, authentication failures, gateway checks, OAuth resource servers, API keys, and clear API responses.

Start here

Pillar guides

These articles are the strongest entry points into the authentication cluster.

Related tools

Local tools for auth debugging

Use these browser-based tools while inspecting tokens, timestamps, encoded values, and API responses.

Available tool

JWT Decoder

Decode JWT header and payload claims locally in your browser without uploading tokens or verifying signatures.

Open tool

Available tool

Unix Timestamp Converter

Convert Unix timestamps to UTC and local dates, or convert date strings to seconds and milliseconds locally in your browser.

Open tool

Available tool

HTTP Status Code Lookup

Search common HTTP status codes locally in your browser with REST API usage notes, retry guidance, and backend examples.

Open tool

Available tool

URL Encoder / Decoder

Encode full URLs, encode query parameters, and decode percent-encoded URL strings locally in your browser.

Open tool

How to study

Follow the trust boundary.

Authentication becomes easier when you track where trust is created, stored, transmitted, refreshed, revoked, and checked. The important questions are not only "JWT or session?" but also how logout, token theft, browser storage, and API authorization behave.

Start with identity and permission boundaries, then move into architecture choices, token lifecycle, and OAuth flows. After that, study browser risks such as CSRF and XSS, because storage and request behavior can change the real security properties of a design.

For adjacent API response design, browse the API Design Learning Path. For the broader security path, browse the Backend Security Learning Path.

FAQ

Authentication learning questions

What should backend developers learn first about authentication?

Start with authentication vs authorization, password hashing, MFA, sessions vs JWTs, access tokens vs refresh tokens, OAuth vs OpenID Connect, JWT claims, session fixation, and browser risks such as CORS, CSRF, and XSS.

Is JWT always better than server-side sessions?

No. JWTs are useful for stateless API verification and federated identity, but sessions are often simpler when immediate logout and server-side control matter.

How does OAuth relate to authentication?

OAuth 2.0 is primarily an authorization framework. Login usually needs OpenID Connect or provider-specific identity behavior on top of OAuth concepts.

Can the JWT Decoder verify whether a token is valid?

No. The JWT Decoder only decodes header and payload data locally. A backend must still verify signature, issuer, audience, expiration, and permissions.