Tag
2 posts

June 8, 2026
Stateless JWTs can't be revoked on demand — once issued, they live until they expire. This deep dive covers why short lifetimes (5–15 min) are the strongest control you have, how the access/refresh token split actually works, refresh token rotation with reuse detection, and the sender-constrained token guidance from RFC 9700 (Jan 2025).

June 3, 2026
Your frontend is doing too much — orchestrating microservices, parsing messy payloads, and worst of all, holding auth tokens the browser can't keep safe. The Backend-for-Frontend pattern moves all of that to a server layer you control. Here's why it matters (especially after the September 2025 npm attack that hit packages with 2.6B weekly downloads) and how Next.js gives you one for free.