Auth & Identity
Who is allowed to do what: OAuth 2.0, OpenID Connect, JWT, WebAuthn, SCIM, and identity federation.
Must Know
6 specs
The foundation of modern app auth: third-party login, API authorization, SSO, and machine-to-machine access all use OAuth 2.0.
Every API that accepts an OAuth access token uses bearer token transport. Know the header format and the security implications of each transport method.
Required for all public clients (SPAs, mobile apps, desktop apps). If you're building a non-confidential OAuth client, PKCE is mandatory per current best practice.
The original RFC 6749 allowed patterns now known to be insecure. RFC 9700 is the current security baseline: follow it, not just the base OAuth spec.
Sign-in with Google/Apple/GitHub all use OIDC. If your app authenticates users via a third party, you're using OIDC whether you know it or not.
JWTs are the token format for OIDC ID tokens and many OAuth implementations. Understanding the structure and security tradeoffs is essential.
Should Know
4 specs
When your app verifies a JWT from an identity provider, it fetches the provider's public key as a JWK from the JWK Set (jwks_uri) advertised in the OIDC discovery document.
Passkeys are the modern replacement for passwords. WebAuthn is the browser API. Every new auth system should evaluate it as a primary or MFA factor.
Enterprise customers expect SCIM for automatic user lifecycle management from their IdP (Okta, Entra ID). Required for enterprise SaaS SSO packages.
Scheduling integrations, calendar exports, meeting invites, and CalDAV sync all use iCalendar format. Know this when building calendar features.