Authentication, authorization, encryption, and threat modeling.
Authentication (authn) verifies identity -- who are you? Authorization (authz) verifies permissions -- what can you do? Conflating the two is one of the most common security architecture mistakes in distributed systems.
OAuth 2.0 is a delegation framework that lets users grant third-party applications limited access to their resources without sharing credentials. OpenID Connect (OIDC) adds a standardized identity layer on top, providing authentication in addition to OAuth's authorization.
JSON Web Tokens (JWTs) are self-contained, signed tokens that carry claims between parties. Designing tokens correctly -- choosing signing algorithms, claim sets, lifetimes, and rotation strategies -- is critical for security and scalability in distributed systems.
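The authn/authz split and the JWT design points above (pinned signing algorithm, explicit claim set, bounded lifetime, key rotation by `kid`) can be shown in one small verifier. The Go code below is an added example written for this page, not code from the page or from any particular library: the issuer URL, audience name, `kid` values, scope names and HMAC secrets are constructed placeholders, and HS256 was chosen only because it needs nothing beyond the standard library. `Verify` is the authentication step and `Authorize` is a deliberately separate authorization step, so the two questions ("who are you?" and "what can you do?") are answered by different functions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal claim set this example issues and checks.
type Claims struct {
	Iss   string   `json:"iss"`
	Sub   string   `json:"sub"`
	Aud   string   `json:"aud"`
	Iat   int64    `json:"iat"`
	Exp   int64    `json:"exp"`
	Scope []string `json:"scope"`
}

// KeyRing holds HMAC secrets by key ID (kid). Rotation means adding a new kid,
// pointing Current at it, and dropping the old kid once every token signed
// with it has expired. Secrets here are constructed placeholders.
type KeyRing struct {
	Current string
	Keys    map[string][]byte
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(key []byte, signingInput string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// Mint signs claims with the ring's current key and records the kid in the header.
func Mint(ring KeyRing, c Claims) (string, error) {
	key, ok := ring.Keys[ring.Current]
	if !ok {
		return "", errors.New("current kid missing from ring")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT", "kid": ring.Current})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	return signingInput + "." + b64(hs256(key, signingInput)), nil
}

// Verify is the authentication step: pin the algorithm (so "none" and
// algorithm-confusion headers fail), pick the key by kid, compare the
// signature in constant time, then check issuer, audience and expiry.
func Verify(ring KeyRing, token, wantIss, wantAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "HS256" {
		return c, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	key, ok := ring.Keys[hdr.Kid]
	if !ok {
		return c, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	if !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return c, errors.New("signature mismatch")
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return c, err
	}
	if c.Iss != wantIss {
		return c, errors.New("wrong issuer")
	}
	if c.Aud != wantAud {
		return c, errors.New("wrong audience")
	}
	if now.Unix() >= c.Exp { // a missing exp (0) is treated as expired
		return c, errors.New("token expired")
	}
	return c, nil
}

// Authorize is the separate authorization step: given an already
// authenticated identity, does it hold the scope this operation requires?
func Authorize(c Claims, required string) bool {
	for _, s := range c.Scope {
		if s == required {
			return true
		}
	}
	return false
}
```

A caller first runs `Verify` against the ring and the expected issuer and audience, and only then asks `Authorize` about a specific scope; a token that verifies but lacks `orders:write` is a valid identity with insufficient permission, which is exactly the distinction the paragraph above draws. Keeping the old `kid` in the ring during rotation lets in-flight tokens finish their short lifetime without a flag day.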
Zero Trust eliminates the concept of a trusted network perimeter. Every request is authenticated, authorized, and encrypted regardless of its origin -- whether from the public internet, the corporate network, or between internal microservices.
Encryption in transit (TLS) protects data as it moves between systems. Encryption at rest (AES-256, envelope encryption) protects data stored on disk. Together they ensure data confidentiality against network sniffers, stolen disks, and compromised storage systems.
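Envelope encryption, mentioned above as an at-rest technique, is easier to reason about with a concrete data flow: each object gets its own random data encryption key (DEK), the object is encrypted under the DEK, and only the DEK is encrypted ("wrapped") under a long-lived key encryption key (KEK). The Go code below is an added example for this page, not code from the page or from any cloud provider's SDK; it uses AES-256-GCM from the standard library, keeps the KEK in memory purely for illustration (in practice the KEK stays inside a KMS or HSM and only the wrap/unwrap calls cross that boundary, which is an assumption about deployment, not something the page states), and binds the object's identifier into the ciphertext as associated data so a record cannot be silently swapped under another object's name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets persisted alongside (or as) the stored object.
// Both fields are nonce || ciphertext || GCM tag.
type Envelope struct {
	WrappedDEK []byte // per-object DEK, encrypted under the KEK
	Ciphertext []byte // object bytes, encrypted under the DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts plaintext under key with a fresh random nonce and
// authenticates aad; output is nonce || ciphertext || tag.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD; any bit flip in nonce, ciphertext, tag or aad fails.
func openAEAD(key, data, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:ns], data[ns:], aad)
}

// Encrypt generates a random 256-bit DEK, encrypts the object under it, and
// wraps the DEK under the KEK. objectID is bound as associated data to both.
func Encrypt(kek, objectID, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Envelope{}, err
	}
	ct, err := sealAEAD(dek, plaintext, objectID)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealAEAD(kek, dek, objectID)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the object with the DEK.
func Decrypt(kek, objectID []byte, env Envelope) ([]byte, error) {
	dek, err := openAEAD(kek, env.WrappedDEK, objectID)
	if err != nil {
		return nil, err
	}
	return openAEAD(dek, env.Ciphertext, objectID)
}

// RotateKEK re-wraps the DEK under a new KEK. The bulk ciphertext is untouched,
// which is why envelope encryption makes master-key rotation cheap.
func RotateKEK(oldKEK, newKEK, objectID []byte, env Envelope) (Envelope, error) {
	dek, err := openAEAD(oldKEK, env.WrappedDEK, objectID)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealAEAD(newKEK, dek, objectID)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek := make([]byte, 32) // constructed in-memory KEK for the demo only
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	id := []byte("customer/42/profile.json")
	env, _ := Encrypt(kek, id, []byte("constructed plaintext"))
	pt, err := Decrypt(kek, id, env)
	fmt.Printf("decrypted=%q err=%v wrappedDEK=%d bytes\n", pt, err, len(env.WrappedDEK))
}
```

The stolen-disk case the paragraph mentions is the one this layout defends: a disk holds only wrapped DEKs and ciphertext, and without the KEK neither can be opened. Because GCM authenticates the associated data, a decrypt under the wrong object ID or after any modification of the stored bytes fails closed rather than returning garbage.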
API security encompasses authentication, input validation, rate limiting, and protection against the OWASP API Top 10 threats. Threat modeling systematically identifies what can go wrong, who would attack, and what the impact would be, guiding security investments to the highest-risk areas.