[{"data":1,"prerenderedAt":796},["ShallowReactive",2],{"post-authentication-in-backend-development":3},{"id":4,"title":5,"author":6,"body":7,"category":775,"cover":776,"date":777,"description":778,"extension":779,"featured":780,"meta":781,"navigation":782,"path":783,"published":782,"readingTime":784,"seo":785,"sitemap":786,"stem":787,"tags":788,"updated":794,"__hash__":795},"posts/posts/authentication-in-backend-development.md","Complete Conceptual Guide to Authentication Fundamentals in Backend Development","Kashyap Kumar",{"type":8,"value":9,"toc":759},"minimark",[10,15,20,29,36,39,42,64,70,74,78,85,95,99,102,117,124,128,131,148,154,158,161,168,183,189,194,198,201,205,228,232,258,262,265,720,723,749,752,755],[11,12,14],"h2",{"id":13},"overview-of-authentication-fundamentals-in-backend-development","Overview of Authentication Fundamentals in Backend Development",[16,17,19],"h3",{"id":18},"what-is-authentication-and-why-is-it-important","What is Authentication and Why is it Important?",[21,22,23,24,28],"p",{},"In the simplest terms, ",[25,26,27],"strong",{},"Authentication (AuthN) is the process of verifying who a user is",". When you log into a website or app, the backend needs a way to confirm that you are indeed the person you claim to be before it gives you access to your private data stored in the system.",[21,30,31,32,35],{},"Without authentication, the internet as we know it couldn't exist. Just imagine if anyone could read your emails, transfer money from your bank account, or post as you on social media just by typing in your username. We can't do that, right? 
It's because ",[25,33,34],{},"authentication creates a secure boundary between public data and private information",".",[21,37,38],{},"Let's consider a real-world example: The Airport",[21,40,41],{},"What happens at an airport:",[43,44,45,52,58],"ul",{},[46,47,48,51],"li",{},[25,49,50],{},"Identification",": You show your Passport (the \"Credentials\").",[46,53,54,57],{},[25,55,56],{},"Authentication",": The TSA agent checks the passport against your face and their database to verify it's real and it's yours.",[46,59,60,63],{},[25,61,62],{},"Authorization"," (The next step): Your Boarding Pass determines which gate you can go to. (Note: Authentication is \"Who are you?\", Authorization is \"What are you allowed to do?\").",[65,66,67],"blockquote",{},[21,68,69],{},"Authorization is a separate but related concept. It determines what you can do after you've been authenticated. We'll discuss it in other posts.",[11,71,73],{"id":72},"fundamental-concepts-of-authentication-in-backend-development","Fundamental Concepts of Authentication in Backend Development",[16,75,77],{"id":76},"the-stateless-nature-of-the-web","The \"Stateless\" Nature of the Web",[21,79,80,81,84],{},"To understand backend authentication, you must first understand that ",[25,82,83],{},"the web is stateless",". This means that every time you click a link or refresh a page, the server \"forgets\" who you are. 
It treats every single request as if it’s seeing you for the very first time.",[21,86,87,88,91,92,35],{},"To fix this, we use two main methods to stay logged in: ",[25,89,90],{},"Sessions"," and ",[25,93,94],{},"Tokens (like JWT)",[16,96,98],{"id":97},"sessions-the-coat-check-analogy","Sessions (The \"Coat Check\" Analogy)",[21,100,101],{},"In a Session-based system:",[103,104,105,108,111,114],"ol",{},[46,106,107],{},"You provide your password.",[46,109,110],{},"The server verifies it and creates a \"Session File\" in its memory (like a coat check room).",[46,112,113],{},"The server gives you a Session ID (the little plastic tag).",[46,115,116],{},"Every time you ask for a page, you show that ID. The server looks at its \"coat room,\" finds your session, and remembers who you are.",[21,118,119],{},[120,121],"img",{"alt":122,"src":123},"Session-based Authentication","/blog-post-images/authentication-in-backend/session-based-auth-flow-diagram.png",[16,125,127],{"id":126},"tokens-jwt-the-member-badge-analogy","Tokens / JWT (The \"Member Badge\" Analogy)",[21,129,130],{},"In a Token-based system (like JSON Web Tokens or JWT):",[103,132,133,135,142,145],{},[46,134,107],{},[46,136,137,138,141],{},"Instead of storing something on the server, the server gives you a ",[25,139,140],{},"signed, encrypted badge"," (the Token).",[46,143,144],{},"This badge contains your info (User ID, Expiration date).",[46,146,147],{},"Because the badge is digitally \"sealed\" by the server, the server doesn't need to look anything up in a database. 
It just looks at the badge, verifies the seal hasn't been tampered with, and lets you in.",[21,149,150],{},[120,151],{"alt":152,"src":153},"Token-based Authentication","/blog-post-images/authentication-in-backend/token-based-auth-flow-diagram.png",[16,155,157],{"id":156},"hashing-never-store-plain-text-passwords","Hashing: Never Store Plain Text Passwords",[21,159,160],{},"As a backend engineer, you should never store a user's actual password (e.g., \"P@ssword153\") in your database. If a hacker steals it, they have everyone's login.",[21,162,163,164,167],{},"Instead, we use ",[25,165,166],{},"Hashing",". Always. A hash function turns a password into a long string of gibberish.",[43,169,170,177,180],{},[46,171,172,173],{},"\"P@ssword123\" becomes ",[174,175,176],"code",{},"$2b$10$n9jB0...",[46,178,179],{},"It is a one-way street: You can't turn the gibberish back into the actual password.",[46,181,182],{},"When the user logs in later, you hash the password they just typed and see if the gibberish matches the gibberish in the database.",[21,184,185],{},[120,186],{"alt":187,"src":188},"Hashing Passwords","/blog-post-images/authentication-in-backend/password-hashing-flow-diagram.png",[65,190,191],{},[21,192,193],{},"Salting is an additional security measure where you add a random string to the password before hashing it, making it even harder for hackers to crack. Read more about it.",[11,195,197],{"id":196},"other-terms-in-authentication","Other Terms in Authentication",[21,199,200],{},"As you grow as a developer, you will encounter different flavors of authentication depending on whether a human or a machine is talking to your server.",[16,202,204],{"id":203},"common-http-schemes","Common HTTP Schemes",[43,206,207,213,222],{},[46,208,209,212],{},[25,210,211],{},"Basic Auth",": The simplest form. The username and password are combined, encoded in Base64, and sent in the header. It's like writing your name and password on the outside of the envelope. 
(Only safe over HTTPS!).",[46,214,215,218,219],{},[25,216,217],{},"Bearer Token",": A category where the sender says, \"I am the bearer of this secret token; give me access.\" ",[25,220,221],{},"JWTs are the most common type of Bearer token.",[46,223,224,227],{},[25,225,226],{},"API Keys",": A long, unique string (like sk_live_678...) given to a developer. It’s like a permanent VIP pass for a specific software tool to talk to your API.",[16,229,231],{"id":230},"advanced-modern-auth","Advanced & Modern Auth",[43,233,234,240,246,252],{},[46,235,236,239],{},[25,237,238],{},"OAuth 2.0",": This isn't just a login; it's a \"delegation\" framework. It allows one site to access data from another (e.g., \"Log in with Google\"). It's like giving a valet a \"valet key\" that starts the car but can't open the trunk.",[46,241,242,245],{},[25,243,244],{},"Passwordless Authentication",": Instead of a password, the server sends a \"Magic Link\" to your email or a code to your phone (OTP). The server verifies you by checking if you have the keys to your own house (your email/phone).",[46,247,248,251],{},[25,249,250],{},"Personal Access Tokens (PAT)",": Used primarily by developers (like on GitHub) to access APIs from the command line. They act like passwords but can be scoped to specific tasks and revoked easily.",[46,253,254,257],{},[25,255,256],{},"mTLS (Mutual TLS)",": High-security auth used between two servers. Not only does the client verify the server's identity, but the server also requires the client to present its own digital certificate (X.509 Certificate). It's like two secret agents showing each other their badges simultaneously before speaking. No credentials are transmitted over the network, making it very secure. Its use cases include microservice-to-microservice communication.",[11,259,261],{"id":260},"conclusion","Conclusion",[21,263,264],{},"So we now know how backend authentication works conceptually. 
It's super common to confuse the various terms and strategies in backend authentication. The following structure should help you understand the relationships between them:",[266,267,272],"pre",{"className":268,"code":269,"language":270,"meta":271,"style":271},"language-bash shiki shiki-themes github-light","Authentication\n│\n├── 1. Identity Verification (Login Phase)\n│   ├── Username + Password\n│   ├── OAuth Login (Google, GitHub, etc.)\n│   └── Multi-Factor Authentication (OTP, 2FA)\n│\n├── 2. Session Management (After Login)\n│   │\n│   ├── A. Stateful (Server stores session)\n│   │   ├── Session ID (stored in DB / memory)\n│   │   └── Cookie-based auth\n│   │\n│   └── B. Stateless (Server stores nothing)\n│       │\n│       ├── Token-Based Authentication\n│       │   │\n│       │   ├── Bearer Token  ← (IMPORTANT)\n│       │   │   ├── JWT (JSON Web Token)\n│       │   │   ├── Personal Access Token (PAT)\n│       │   │   └── OAuth Access Token\n│       │   │\n│       │   └── API Keys (simpler tokens)\n│\n└── 3. 
Authorization (Permissions)\n    ├── Roles (Admin, User)\n    └── Scopes (read, write, delete)\n","bash","",[174,273,274,283,289,315,333,357,379,384,406,414,438,470,485,492,514,522,536,546,567,591,613,631,640,663,668,683,700],{"__ignoreMap":271},[275,276,279],"span",{"class":277,"line":278},"line",1,[275,280,282],{"class":281},"s7eDp","Authentication\n",[275,284,286],{"class":277,"line":285},2,[275,287,288],{"class":281},"│\n",[275,290,292,295,299,302,305,309,312],{"class":277,"line":291},3,[275,293,294],{"class":281},"├──",[275,296,298],{"class":297},"sYBdl"," 1.",[275,300,301],{"class":297}," Identity",[275,303,304],{"class":297}," Verification",[275,306,308],{"class":307},"sgsFI"," (Login ",[275,310,311],{"class":297},"Phase",[275,313,314],{"class":307},")\n",[275,316,318,321,324,327,330],{"class":277,"line":317},4,[275,319,320],{"class":281},"│",[275,322,323],{"class":297},"   ├──",[275,325,326],{"class":297}," Username",[275,328,329],{"class":297}," +",[275,331,332],{"class":297}," Password\n",[275,334,336,338,340,343,346,349,352,355],{"class":277,"line":335},5,[275,337,320],{"class":281},[275,339,323],{"class":297},[275,341,342],{"class":297}," OAuth",[275,344,345],{"class":297}," Login",[275,347,348],{"class":307}," (Google, ",[275,350,351],{"class":297},"GitHub,",[275,353,354],{"class":297}," etc.",[275,356,314],{"class":307},[275,358,360,362,365,368,371,374,377],{"class":277,"line":359},6,[275,361,320],{"class":281},[275,363,364],{"class":297},"   └──",[275,366,367],{"class":297}," Multi-Factor",[275,369,370],{"class":297}," Authentication",[275,372,373],{"class":307}," (OTP, ",[275,375,376],{"class":297},"2FA",[275,378,314],{"class":307},[275,380,382],{"class":277,"line":381},7,[275,383,288],{"class":281},[275,385,387,389,392,395,398,401,404],{"class":277,"line":386},8,[275,388,294],{"class":281},[275,390,391],{"class":297}," 2.",[275,393,394],{"class":297}," Session",[275,396,397],{"class":297}," Management",[275,399,400],{"class":307}," (After 
",[275,402,403],{"class":297},"Login",[275,405,314],{"class":307},[275,407,409,411],{"class":277,"line":408},9,[275,410,320],{"class":281},[275,412,413],{"class":297},"   │\n",[275,415,417,419,421,424,427,430,433,436],{"class":277,"line":416},10,[275,418,320],{"class":281},[275,420,323],{"class":297},[275,422,423],{"class":297}," A.",[275,425,426],{"class":297}," Stateful",[275,428,429],{"class":307}," (Server ",[275,431,432],{"class":297},"stores",[275,434,435],{"class":297}," session",[275,437,314],{"class":307},[275,439,441,443,446,448,450,453,456,459,462,465,468],{"class":277,"line":440},11,[275,442,320],{"class":281},[275,444,445],{"class":297},"   │",[275,447,323],{"class":297},[275,449,394],{"class":297},[275,451,452],{"class":297}," ID",[275,454,455],{"class":307}," (stored ",[275,457,458],{"class":297},"in",[275,460,461],{"class":297}," DB",[275,463,464],{"class":297}," /",[275,466,467],{"class":297}," memory",[275,469,314],{"class":307},[275,471,473,475,477,479,482],{"class":277,"line":472},12,[275,474,320],{"class":281},[275,476,445],{"class":297},[275,478,364],{"class":297},[275,480,481],{"class":297}," Cookie-based",[275,483,484],{"class":297}," auth\n",[275,486,488,490],{"class":277,"line":487},13,[275,489,320],{"class":281},[275,491,413],{"class":297},[275,493,495,497,499,502,505,507,509,512],{"class":277,"line":494},14,[275,496,320],{"class":281},[275,498,364],{"class":297},[275,500,501],{"class":297}," B.",[275,503,504],{"class":297}," Stateless",[275,506,429],{"class":307},[275,508,432],{"class":297},[275,510,511],{"class":297}," nothing",[275,513,314],{"class":307},[275,515,517,519],{"class":277,"line":516},15,[275,518,320],{"class":281},[275,520,521],{"class":297},"       │\n",[275,523,525,527,530,533],{"class":277,"line":524},16,[275,526,320],{"class":281},[275,528,529],{"class":297},"       ├──",[275,531,532],{"class":297}," Token-Based",[275,534,535],{"class":297}," 
Authentication\n",[275,537,539,541,544],{"class":277,"line":538},17,[275,540,320],{"class":281},[275,542,543],{"class":297},"       │",[275,545,413],{"class":297},[275,547,549,551,553,555,558,561,564],{"class":277,"line":548},18,[275,550,320],{"class":281},[275,552,543],{"class":297},[275,554,323],{"class":297},[275,556,557],{"class":297}," Bearer",[275,559,560],{"class":297}," Token",[275,562,563],{"class":297},"  ←",[275,565,566],{"class":307}," (IMPORTANT)\n",[275,568,570,572,574,576,578,581,584,587,589],{"class":277,"line":569},19,[275,571,320],{"class":281},[275,573,543],{"class":297},[275,575,445],{"class":297},[275,577,323],{"class":297},[275,579,580],{"class":297}," JWT",[275,582,583],{"class":307}," (JSON ",[275,585,586],{"class":297},"Web",[275,588,560],{"class":297},[275,590,314],{"class":307},[275,592,594,596,598,600,602,605,608,610],{"class":277,"line":593},20,[275,595,320],{"class":281},[275,597,543],{"class":297},[275,599,445],{"class":297},[275,601,323],{"class":297},[275,603,604],{"class":297}," Personal",[275,606,607],{"class":297}," Access",[275,609,560],{"class":297},[275,611,612],{"class":307}," (PAT)\n",[275,614,616,618,620,622,624,626,628],{"class":277,"line":615},21,[275,617,320],{"class":281},[275,619,543],{"class":297},[275,621,445],{"class":297},[275,623,364],{"class":297},[275,625,342],{"class":297},[275,627,607],{"class":297},[275,629,630],{"class":297}," Token\n",[275,632,634,636,638],{"class":277,"line":633},22,[275,635,320],{"class":281},[275,637,543],{"class":297},[275,639,413],{"class":297},[275,641,643,645,647,649,652,655,658,661],{"class":277,"line":642},23,[275,644,320],{"class":281},[275,646,543],{"class":297},[275,648,364],{"class":297},[275,650,651],{"class":297}," API",[275,653,654],{"class":297}," Keys",[275,656,657],{"class":307}," (simpler 
",[275,659,660],{"class":297},"tokens",[275,662,314],{"class":307},[275,664,666],{"class":277,"line":665},24,[275,667,288],{"class":281},[275,669,671,674,677,680],{"class":277,"line":670},25,[275,672,673],{"class":281},"└──",[275,675,676],{"class":297}," 3.",[275,678,679],{"class":297}," Authorization",[275,681,682],{"class":307}," (Permissions)\n",[275,684,686,689,692,695,698],{"class":277,"line":685},26,[275,687,688],{"class":281},"    ├──",[275,690,691],{"class":297}," Roles",[275,693,694],{"class":307}," (Admin, ",[275,696,697],{"class":297},"User",[275,699,314],{"class":307},[275,701,703,706,709,712,715,718],{"class":277,"line":702},27,[275,704,705],{"class":281},"    └──",[275,707,708],{"class":297}," Scopes",[275,710,711],{"class":307}," (read, ",[275,713,714],{"class":297},"write,",[275,716,717],{"class":297}," delete",[275,719,314],{"class":307},[21,721,722],{},"Choosing the right strategy for your use case is very important. Here’s a quick guide:",[43,724,725,731,737,743],{},[46,726,727,730],{},[25,728,729],{},"For user‑facing web apps",": Session-based (with shared session store) or token-based (with careful CSRF/XSS protection).",[46,732,733,736],{},[25,734,735],{},"For APIs and mobile apps",": Token-based (JWT) with short-lived tokens and refresh tokens.",[46,738,739,742],{},[25,740,741],{},"For third‑party integrations",": OAuth 2.0/OIDC.",[46,744,745,748],{},[25,746,747],{},"For machine‑to‑machine",": API keys or mTLS.",[21,750,751],{},"Hybrid approaches are also common, where you might use sessions for the web app and JWTs for API access. 
Always consider the security implications of your choice and implement best practices to protect your users' data.",[21,753,754],{},"Thanks for reading!",[756,757,758],"style",{},"html pre.shiki code .s7eDp, html code.shiki .s7eDp{--shiki-default:#6F42C1}html pre.shiki code .sYBdl, html code.shiki .sYBdl{--shiki-default:#032F62}html pre.shiki code .sgsFI, html code.shiki .sgsFI{--shiki-default:#24292E}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":271,"searchDepth":285,"depth":285,"links":760},[761,764,770,774],{"id":13,"depth":285,"text":14,"children":762},[763],{"id":18,"depth":291,"text":19},{"id":72,"depth":285,"text":73,"children":765},[766,767,768,769],{"id":76,"depth":291,"text":77},{"id":97,"depth":291,"text":98},{"id":126,"depth":291,"text":127},{"id":156,"depth":291,"text":157},{"id":196,"depth":285,"text":197,"children":771},[772,773],{"id":203,"depth":291,"text":204},{"id":230,"depth":291,"text":231},{"id":260,"depth":285,"text":261},"Backend","/blog-covers/authentication-in-backend-development.png","2026-03-28","Learn the core concepts of authentication in backend development, including JWT, OAuth, and session management.","md",false,{},true,"/posts/authentication-in-backend-development","10 min read",{"title":5,"description":778},{"loc":783,"lastmod":777},"posts/authentication-in-backend-development",[789,790,791,792,793],"authentication","backend","jwt","oauth","session-management","2026-03-24","zrSM0ISTJlEZC-_I088K6NTmp7koqqlebV-92ND_PaE",1777897734781]