← DeployCloud

User Authentication Guide

Every app needs users to prove who they are, stay signed in, and get signed out everywhere when something goes wrong. Identity, session and revocation drive every authentication decision, from Cloudflare Workers to a container on DigitalOcean.

The pragmatic 2026 default is to buy the identity layer and own the authorization logic. Clerk, Auth0, Supabase Auth, Firebase Authentication and Amazon Cognito store credentials and run MFA and OAuth flows; your code verifies a session and decides what the user may do.

Sessions vs JWTs

Server-side sessions put a random ID in an HttpOnly, Secure cookie and look it up on each request — trivially revocable, and the right default when one backend sits near a database or Redis. JWTs are signed tokens verifiable anywhere, ideal for edge runtimes like Cloudflare Workers and multi-service APIs, but revocation needs extra machinery. If you use JWTs, keep access tokens short-lived (5–15 minutes), rotate refresh tokens on every use, and store tokens in HttpOnly cookies — never localStorage, where any injected script can read them.

💬 Chat with our AI →

Build it or buy it

Rolling your own is reasonable for plain email-and-password apps: Auth.js or Better Auth wire up the flows, with passwords hashed via argon2id or bcrypt. Buy when requirements grow:

💬 Chat with our AI →

Social login and passkeys

Offer the one or two OAuth providers your audience already uses — Google for consumer apps, GitHub for developer tools. Link accounts by the provider's stable user ID, never by email, since emails change and collide. Add passkeys (WebAuthn) as a parallel path: they are phishing-resistant, sync through Apple, Google and password managers, and are supported by every provider above.

💬 Chat with our AI →

Hardening checklist

Rate-limit login, signup and password-reset endpoints. Return identical errors for wrong email and wrong password. Require fresh re-authentication before email changes or account deletion. Set cookies Secure and SameSite=Lax at minimum, invalidate sessions server-side on password change, and log every auth event with IP and user agent so incidents can be reconstructed later.

💬 Chat with our AI →

Frequently asked questions

Should I store JWTs in localStorage?

No — any script injected into your page can read localStorage. Use HttpOnly, Secure cookies with short-lived access tokens and rotating refresh tokens.

Are sessions or JWTs better on Cloudflare Workers?

JWT verification runs at the edge with no central lookup. If you need instant revocation, keep a denylist or session record in KV or a Durable Object.

Do passkeys replace passwords?

Not yet for most audiences. Ship passkeys as the fast path and keep a password or magic-link fallback until your usage data says otherwise.

When is managed auth worth the dependency?

The moment MFA, enterprise SSO or organization management lands on a deadline. Confirm the provider supports user export before you commit.

💬 Chat with our AI →

💬 Chat with our AI →

Generate a blueprint free →

Explore the full desk on the home page →