Authentication
Validating client identities using sessions, authorization headers, API keys, or JWT tokens.
What you'll learn
- Session-Based Authentication
- Token-Based Authentication (JWT)
- OAuth 2.0 Authorization Code Flow
- API Keys
- Multi-Factor Authentication (MFA)
- Password Security
TL;DR
Validating client identities using sessions, authorization headers, API keys, or JWT tokens.
Visual System Topology
Authentication Network Handshake Flow
Concept Overview
Authentication is the process of verifying the identity of a user, service, or system — answering "who are you?" before granting access. It is the foundational security layer that all authorization decisions are built upon. Without reliable authentication, any authorization policy is meaningless.
Modern authentication has evolved far beyond simple username/password checks. Production systems use session tokens, JWTs, OAuth 2.0 flows, API keys, and multi-factor authentication (MFA) to balance security with user experience. The critical design question: where does session state live — in the server (stateful sessions) or in the token itself (stateless JWTs)?
Authentication is distinct from authorization: authentication verifies identity; authorization verifies permission. Both are covered in Module 8 in depth (OAuth, JWT, SAML, RBAC). This topic covers the foundational patterns.
Key Architectural Pillars
Session-Based Authentication
Server generates a session ID on login and stores the session data server-side (database, Redis). The session ID travels in a cookie, which should be set with HttpOnly, Secure and SameSite so scripts and plaintext HTTP cannot read it. On each request, the server looks up the session ID to retrieve the user's context. Stateful: the server must maintain session storage, and it does not scale horizontally without a shared session store. The upside of that state is instant revocation: deleting the record logs the user out everywhere. Regenerate the ID after login so a session fixed in the browser before authentication cannot be upgraded.
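The login, per-request lookup, logout and ID-rotation steps of that scheme, as an added Python example that is not part of the original page. It stands in for the shared store with an in-memory dict and assumes a one-hour TTL and a cookie named sid; the `now` parameter exists so the expiry logic can be exercised without waiting.

```python
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed value for this example

# Constructed in-memory store. In production this is the shared store (Redis, a
# database) that every instance behind the load balancer can reach.
SESSIONS = {}


def create_session(user_id, now=None):
    """Login step: mint an unguessable session ID and keep the user context server-side."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, never derived from user data
    SESSIONS[session_id] = {"user_id": user_id, "created": now, "expires": now + SESSION_TTL}
    return session_id


def set_cookie_header(session_id):
    """Set-Cookie value: HttpOnly keeps the ID away from scripts (XSS), Secure keeps it off
    plaintext HTTP, SameSite=Lax blunts CSRF from cross-site POSTs."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={SESSION_TTL}"


def parse_cookie_header(header):
    """Minimal Cookie: header parser (name=value pairs separated by ';')."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def lookup_session(cookie_header, now=None):
    """Per-request step: resolve the cookie to the stored context, or None if absent or expired."""
    now = time.time() if now is None else now
    sid = parse_cookie_header(cookie_header).get("sid")
    if not sid:
        return None
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if session["expires"] <= now:
        SESSIONS.pop(sid, None)  # lazy expiry; a real store would also set a key TTL
        return None
    return session


def destroy_session(session_id):
    """Logout: deleting the server-side record revokes the cookie immediately."""
    SESSIONS.pop(session_id, None)


def rotate_session(old_session_id, user_id, now=None):
    """After login (or any privilege change) drop the old ID and issue a fresh one, so a
    session ID planted in the browser by an attacker before authentication is not upgraded."""
    SESSIONS.pop(old_session_id, None)
    return create_session(user_id, now=now)
```

Because the record lives on the server, `destroy_session` takes effect on the very next request; that is the property the stateless JWT design below gives up.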
Token-Based Authentication (JWT)
Server generates a signed JWT on login and sends it to the client. The client sends the JWT in the Authorization header (Bearer scheme) on every request. The server verifies the signature and the time claims (exp, plus iss and aud where present) with no database lookup. Stateless: any server instance holding the key can validate the token. The server must pin the algorithms it accepts and never honor the token's own alg header, which is how "alg: none" and key-confusion attacks get in. Tokens cannot be invalidated before they expire unless the server keeps a denylist, which reintroduces state (the logout problem); keep lifetimes short and pair them with a refresh token.
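The mint and verify halves of that scheme, as an added example that is not part of the original page, written against the Python standard library only (HMAC-SHA256, i.e. HS256). The shared key, the jti denylist and the claim names beyond the registered exp, iat and jti are assumptions of the example; `forge_alg_none` shows the attacker's move that the pinned algorithm check defeats.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key, ttl=900, now=None):
    """Login step: sign header.payload with HMAC-SHA256. A short ttl bounds the damage
    window of a stolen token, since it cannot be recalled once issued."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl, jti=secrets.token_hex(16))
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


# Optional denylist of jti values, consulted on every request. This is the usual
# answer to the logout problem, at the cost of reintroducing shared state.
REVOKED_JTI = set()


def verify_jwt(token, key, now=None):
    """Per-request step. Returns the claims or raises ValueError. The server pins the
    algorithm it expects instead of trusting the token's own header."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))  # binascii/JSON errors are ValueErrors too
    if header.get("alg") != "HS256":  # rejects "none" and RS256/HS256 key-confusion tokens
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))  # only parsed after the signature checks out
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if claims.get("jti") in REVOKED_JTI:
        raise ValueError("revoked")
    return claims


def revoke_jwt(token, key, now=None):
    """Logout: remember the jti; the entry can be dropped once the token would have expired."""
    REVOKED_JTI.add(verify_jwt(token, key, now=now)["jti"])


def is_valid_jwt(token, key, now=None):
    """Boolean convenience wrapper around verify_jwt."""
    try:
        verify_jwt(token, key, now=now)
        return True
    except ValueError:
        return False


def forge_alg_none(token):
    """Attacker's view: keep the payload, drop the signature, claim alg=none."""
    h, p, _ = token.split(".")
    return _b64url(b'{"alg":"none","typ":"JWT"}') + "." + p + "."
```

Note the order inside `verify_jwt`: the signature is checked before the payload is parsed, so nothing in an unauthenticated body ever influences a decision.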
OAuth 2.0 Authorization Code Flow
Industry standard for delegated authorization: the user authenticates with an identity provider (Google, GitHub) and grants the application permission to access their data. The app receives an access token and an optional refresh token; it never sees the user's password. Strictly, OAuth 2.0 authorizes access to resources, and OpenID Connect layers an ID token on top to assert who logged in. The app must check the state parameter on the callback, and public clients (SPAs, mobile apps) must use PKCE so that a stolen authorization code cannot be redeemed by anyone else.
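The full code exchange with both sides' messages, as an added Python example that is not part of the original page. The endpoints, the client registration and the in-process MockAuthorizationServer are constructed stand-ins; in real traffic steps 1 to 3 are HTTPS redirects through the browser and step 4 is a back-channel POST to the token endpoint.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint and client registration for the example.
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "demo-app"
REDIRECT_URI = "https://app.example/callback"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# ---- client (the app) ----

def start_authorization(scope):
    """Step 1: create a PKCE verifier/challenge and a state nonce, then build the redirect URL.
    Returns (url, pending); pending must be kept in the user's session until the callback."""
    verifier = _b64url(secrets.token_bytes(32))  # stays with the client, never sent in step 1
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    state = secrets.token_urlsafe(16)  # binds the callback to this browser session (CSRF)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", {"verifier": verifier, "state": state}


def handle_callback(callback_url, pending):
    """Step 3: the browser returns with ?code=...&state=... Return the code, or None when the
    state does not match what this session started (CSRF or mix-up attack)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != pending["state"]:
        return None
    return query.get("code", [None])[0]


# ---- authorization server (constructed mock of the IdP) ----

class MockAuthorizationServer:
    def __init__(self):
        self.issued_codes = {}   # code -> (client_id, redirect_uri, challenge, user)
        self.access_tokens = {}  # access_token -> user

    def authorize(self, url, authenticated_user):
        """Step 2: the user logs in at the IdP and consents (the app never sees the password).
        The server issues a single-use code bound to the PKCE challenge and the redirect URI."""
        query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if query.get("response_type") != "code" or query.get("code_challenge_method") != "S256":
            raise ValueError("unsupported authorization request")
        code = secrets.token_urlsafe(24)
        self.issued_codes[code] = (query["client_id"], query["redirect_uri"],
                                   query["code_challenge"], authenticated_user)
        return f"{query['redirect_uri']}?{urlencode({'code': code, 'state': query['state']})}"

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Step 4: the client exchanges the code over a back channel. The verifier proves it is
        the party that started the flow, so a stolen code alone is useless.
        Errors use the RFC 6749 response shape: {"error": "invalid_grant", ...}."""
        entry = self.issued_codes.pop(code, None)  # single use: a replayed code fails here
        if entry is None:
            return {"error": "invalid_grant", "error_description": "unknown or reused code"}
        issued_to, issued_redirect, challenge, user = entry
        if issued_to != client_id or issued_redirect != redirect_uri:
            return {"error": "invalid_grant", "error_description": "client or redirect mismatch"}
        presented = _b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(presented, challenge):
            return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        access_token = secrets.token_urlsafe(32)
        self.access_tokens[access_token] = user
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32)}


def run_flow(idp, user, scope="openid email"):
    """The whole exchange end to end; returns the token response the app would store."""
    url, pending = start_authorization(scope)
    callback = idp.authorize(url, user)
    code = handle_callback(callback, pending)
    return idp.token(CLIENT_ID, REDIRECT_URI, code, pending["verifier"])
```

Two failure modes are worth trying by hand: present the right code with the wrong verifier, and present the same code twice. Both return invalid_grant, and the first attempt consumes the code, which is the behaviour the spec requires.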
API Keys
Static tokens issued to services or developers for machine-to-machine authentication. Simpler than OAuth flows. Should be scoped (limited permissions), rotatable, and never embedded in client-side code, where anyone can extract them. Generate them from a CSPRNG with at least 128 bits of entropy, give them a recognisable prefix so secret scanners can spot leaks, and store only a hash in the database, never the plaintext. A fast hash such as SHA-256 is enough here, because the key itself is unguessable; that is the opposite of the password case below.
Multi-Factor Authentication (MFA)
Requiring a second factor beyond a password: something you know (password) plus something you have (TOTP app, SMS code, hardware key) or something you are (biometrics). Dramatically reduces account takeover risk even if passwords are leaked in a breach. The factors are not equal: SMS codes fall to SIM swapping and interception, TOTP codes can be phished and relayed in real time, and only FIDO2/WebAuthn hardware keys are phishing-resistant, because the credential is bound to the site's origin.
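A TOTP second factor as an added Python example, not code from the original page: enrollment, RFC 4226/6238 code generation from the standard library, and a verification routine that tolerates clock drift but refuses replay. The secret, account and issuer names are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6


def new_totp_secret():
    """Enrollment: a 160-bit shared secret, shown once to the user (usually as a QR code)."""
    return secrets.token_bytes(20)


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that authenticator apps import from the QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, last_counter=-1, now=None, window=1):
    """Second-factor check. Accepts the current step and +/- `window` neighbours for clock
    drift, compares in constant time, and refuses any counter at or below the last one
    accepted, so an intercepted code cannot be replayed within its validity window.
    Returns the matched counter (persist it as the new last_counter) or None."""
    now = int(time.time()) if now is None else int(now)
    current = now // STEP
    matched = None
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            matched = counter  # keep looping so timing does not reveal which step matched
    if matched is None or matched <= last_counter:
        return None
    return matched
```

With the RFC 6238 reference secret `12345678901234567890` (the ASCII bytes), `totp` at T=59 gives 287082, the last six digits of the published SHA-1 vector 94287082. Persisting the returned counter is what closes the replay gap that a plain "does the code match" check leaves open.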
Password Security
Passwords must be hashed with a slow, salted algorithm built for the purpose (Argon2id, scrypt, bcrypt; the first two are also memory-hard) before storage. Never store plaintext or use fast hashes (MD5, SHA-1, or a bare SHA-256). These algorithms draw a unique random salt per password and embed it in the stored value, which defeats rainbow tables and makes identical passwords hash differently. Tune the work factor to the hardware and record the parameters with the hash so they can be raised later. Enforce a minimum length and reject known-breached passwords rather than composition rules, and compare hashes in constant time.
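Storing both kinds of secret side by side, as an added Python example that serves this paragraph and the API Keys paragraph above; it is not code from the original page. scrypt from the standard library stands in for Argon2id (which needs a third-party package), the cost parameters and the breached-password set are assumptions, and the API-key store is an in-memory dict.

```python
import hashlib
import hmac
import os
import secrets

# scrypt parameters (assumed for this example; tune so one hash costs roughly 100 ms on your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password):
    """Store this string, never the password. The salt is random per password and kept
    beside the digest; the parameters are recorded so they can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=2 ** 26, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and parameters, then compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), maxmem=2 ** 26, dklen=32)
    except ValueError:  # malformed record
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed stand-in for a breached-password list (a Have I Been Pwned lookup in practice).
BREACHED = {"password123", "qwerty123456", "letmein12345"}


def password_acceptable(password, min_length=12):
    """Minimum length plus a breach check; both target guessing attacks directly."""
    return len(password) >= min_length and password.lower() not in BREACHED


# ---- API keys: high-entropy random secrets, so a fast hash is enough ----
API_KEYS = {}  # sha256(key) hex -> {"owner": ..., "scopes": [...]}


def issue_api_key(owner, scopes, prefix="sk_live"):
    """Return the key exactly once; persist only its SHA-256. There is nothing to brute-force
    or precompute because the secret part is 256 random bits, unlike a human-chosen password."""
    key = f"{prefix}_{secrets.token_urlsafe(32)}"  # recognisable prefix for secret scanners
    API_KEYS[hashlib.sha256(key.encode()).hexdigest()] = {"owner": owner, "scopes": list(scopes)}
    return key


def authenticate_api_key(presented, required_scope):
    """Hash the presented key, look it up, and enforce the scope. Returns the owner or None."""
    record = API_KEYS.get(hashlib.sha256(presented.encode()).hexdigest())
    if record is None or required_scope not in record["scopes"]:
        return None
    return record["owner"]


def revoke_api_key(key):
    """Rotation or compromise: drop the hash and the key is dead on the next request."""
    API_KEYS.pop(hashlib.sha256(key.encode()).hexdigest(), None)
```

The contrast is the point: `hash_password` is deliberately expensive because the input is guessable, while `issue_api_key` can use plain SHA-256 because the input is not. Both stores hold only digests, so a database dump yields neither secret.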
