Developer recipes
Copy-paste, framework-agnostic recipes for the identity work developers actually do. Each one is built on open standards, links to the spec it implements, and avoids any single vendor. Free to read and use, no email required.
Wire OpenID Connect authorization code flow with PKCE into the Next.js App Router, with httpOnly session cookies and no client-side token storage.
The canonical, framework-agnostic walkthrough of the authorization code grant with PKCE, the flow OAuth 2.1 recommends for every client type.
Verify a JSON Web Token's signature against a provider's JWKS and check every claim that matters, with the pitfalls that cause real vulnerabilities.
Turn any HTTP API into an OAuth 2.1 resource server: validate the bearer access token, enforce scopes per route, and return correct error responses.
Build a SCIM 2.0 server so identity providers can create, update, and deprovision users in your app automatically, with the minimum endpoints that satisfy real connectors.
Implement passkey registration and login using the WebAuthn API and a server-side verification library, the phishing-resistant replacement for passwords.