Authentication Guide

Secure your application with our authentication module that supports API keys, OAuth 2.0, and JWT.

Authentication Foundations

eJThB7's authentication module provides three layers of security:

1. Secure Communication

All authentication requests are encrypted with TLS 1.3 by default. Use the secure flag for all cookies.

2. Token Signing

We use HMAC with SHA-256 for JWT signing. Store your secret in environment variables, never hardcoded.

3. Rate Limiting

Rate limiting is built in to slow brute-force attempts (50 requests per minute per IP).

const secureContext = createContext();
secureContext.useTLS = true;
secureContext.hstsMaxAge = 31536000; // one year, in seconds
secureContext.cookieOptions = {
    secure: true,      // cookies are only sent over TLS
    httpOnly: true,    // not readable from page scripts
    sameSite: 'strict' // not sent on cross-site requests
};

API Keys

Using API Key

const response = await fetch('https://api.ejthb7.example/endpoint', {
  method: 'GET',
  headers: { Authorization: 'Bearer ' + API_KEY } // API_KEY is read from the environment
});

OAuth 2.0 Integration

Authorization Flow

  1. Redirect the user to the authorization endpoint:

     GET https://auth.ejthb7.com/oauth/authorize

  2. The user grants permission. Implement a proper consent screen with clear explanations of the requested scopes.

  3. Receive the authorization code and exchange it at the token endpoint:

     POST https://api.ejthb7.com/oauth/token

Example OAuth Implementation

JSON Web Tokens (JWT)

JWT Claims

Standard claims (RFC 7519)

  Claim   Value type   Description
  iss     string       Issuer
  exp     number       Expiration timestamp
  iat     number       Issued-at timestamp

Set an appropriate expiration (24h max) and always use HTTPS.

Token Validation

Always validate the following:

  • Signature validity
  • Issuer matches expected value
  • Expiration time
  • Nonce if required

// Sample validation pattern: verify the signature first, so the claim checks
// below only run on a token that was actually issued with our key.
verifySignature(jwt, secretKey); // throws if the signature does not match the key

// A missing exp must fail closed: comparing against undefined would never trigger.
if (typeof jwt.exp !== 'number' || Date.now() >= jwt.exp * 1000) {
  throw new Error('Token expired');
}

if (jwt.iss !== 'https://auth.ejthb7.com') {
  throw new Error('Invalid issuer');
}

Security Best Practices

Key Management

  • 🔒 Rotate API keys every 90 days via /apikeys/rotate
  • 🔑 Use environment variables, never hardcoded values
  • 🔄 Implement automatic key rotation for production systems

Transport Security

  • Always use HTTPS
  • Mandatory TLS 1.3
  • HSTS headers for session security

Security Warning

Never store sensitive credentials in logs or browser storage. Always sanitize error responses to prevent information leakage.
