authentication

django-allauth provides ready-made social auth (Google, Facebook, GitHub, etc.). I configure providers in settings with API keys. It handles OAuth flows, token management, and account linking. Users can login with multiple providers. I customize templ

Extending Django's user model should be done early in projects. I use AbstractBaseUser for full control or AbstractUser to extend the default. Setting AUTH_USER_MODEL points Django to my custom model. I add fields like phone, avatar, or preferences. F

BiometricPrompt provides secure authentication via fingerprint, face, or iris. I create BiometricPrompt with callback handling success, error, and failure. PromptInfo configures title, subtitle, description, and allowed authenticators. Negative button

Custom auth backends enable alternative authentication methods. I subclass ModelBackend and override authenticate(). Common use cases include email login, LDAP, OAuth, or custom token auth. The backend returns a user object or None. I add it to AUTHEN

Using email instead of username for authentication is a common requirement. I extend AbstractBaseUser and create a custom user manager early in the project because switching later means complex data migrations. The key is setting USERNAME_FIELD = 'ema

While JWT works well for user authentication, service-to-service communication often uses simpler API key authentication. I generate cryptographically random API keys using SecureRandom.hex(32) and store them hashed in the database, similar to passwor

Password reset workflows require careful security design to prevent account takeover. I generate time-limited, single-use tokens using Rails' signed_id feature which creates tamper-proof tokens without database storage. The token expires after a short

Laravel Sanctum provides lightweight API authentication for SPAs and mobile apps. For SPAs on the same domain, Sanctum uses Laravel's session cookies with CSRF protection. For mobile apps or third-party clients, it issues API tokens stored in a person

JWT tokens provide stateless authentication for APIs. I use djangorestframework-simplejwt for token generation and validation. The TokenObtainPairView issues access and refresh tokens on login. I configure token lifetimes in settings. For protected en

Sign in with Apple provides secure, privacy-focused authentication required for apps with third-party login. Users create accounts with Face ID or Touch ID, and Apple generates unique identifiers per app. I use ASAuthorizationController to initiate th

Stateless authentication with JWT tokens simplifies horizontal scaling but introduces security concerns around token lifetime and revocation. I use short-lived access tokens (15 minutes) combined with longer-lived refresh tokens stored in an encrypted

Spring Security secures applications with authentication and authorization. I configure security with SecurityFilterChain bean defining protected and public endpoints. JWT (JSON Web Tokens) provides stateless authentication—tokens contain user claims