
Authentication Patterns with Claude Code: JWT, Sessions, and OAuth Done Right
Authentication is where security mistakes have the most impact. Claude Code needs explicit constraints to generate secure auth implementations.

## CLAUDE.md for Authentication

```markdown
## Authentication Rules

### JWT
- Use RS256 (asymmetric) for production, HS256 only for development
- Token expiry: access token 15 min, refresh token 7 days
- Store the access token in memory (not localStorage)
- Store the refresh token in an httpOnly cookie
- Never put sensitive data in the JWT payload (only userId and role)

### Session
- Use express-session with a Redis store (not the in-memory store)
- Session cookie: httpOnly, secure (production), sameSite: strict
- Regenerate the session ID on login

### Passwords
- Hash with bcrypt, cost factor 12
- Never log or transmit passwords in plain text
- Minimum length: 8 chars, require uppercase + number

### OAuth
- Validate the state parameter (CSRF protection)
- Use PKCE for public clients
- Verify token signatures from the provider (and check the iss/aud claims)
- Don't trust email as a unique identifier (use the provider's user ID)

### Prot
```
Continue reading on Dev.to


