Notes from shipping auth.
Engineering posts.
Engineering posts, product updates, and the thinking behind Authaz's auth-as-code approach.
mTLS for machine credentials: when a Bearer token isn't binding enough
Nearly every backend ships Bearer tokens and API keys for machine-to-machine auth. Far fewer ship mTLS. A Bearer token is good for whoever holds it; a certificate-bound token is accepted only on a TLS connection whose client certificate matches the thumbprint carried in the token, so a copy lifted from a log or a proxy is useless without the matching private key. What mTLS actually adds, when it earns its weight, and what Authaz issues — RFC 8705 certificate-bound access tokens, mTLS-bound admin API keys, and a workload CA per tenant.
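What the RFC 8705 binding check looks like on the resource-server side, as an added example that is not Authaz's code or taken from the post: the issuer mints an HS256 token whose `cnf` claim carries the `x5t#S256` thumbprint of the client certificate, and the verifier checks the signature and then requires that the certificate from its own TLS handshake hashes to that value. The certificate bytes, the HMAC key and the function names are constructed for illustration; the thumbprint is SHA-256 over the raw DER, so no certificate parsing is needed.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for two client certificates in DER form. The RFC 8705
# x5t#S256 thumbprint is SHA-256 over the raw DER bytes, so the binding check
# never parses the certificate; real certificates would replace these bytes.
CLIENT_CERT_DER = b"\x30\x82\x02\x01constructed-der-for-svc-a"
OTHER_CERT_DER = b"\x30\x82\x02\x01constructed-der-for-someone-else"
ISSUER_KEY = b"constructed-hs256-key-shared-with-resource-server"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 confirmation value: base64url(SHA-256(DER)) without padding."""
    return b64url(hashlib.sha256(cert_der).digest())


def sign_jwt(payload: dict, key: bytes) -> str:
    """Minimal HS256 JWS; a real issuer would use an asymmetric key."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def mint_bound_token(claims: dict, cert_der: bytes, key: bytes) -> str:
    """Authorization server side: bind the token to cert_der via cnf.x5t#S256."""
    return sign_jwt(dict(claims, cnf={"x5t#S256": x5t_s256(cert_der)}), key)


def verify_bound_token(token: str, presented_cert_der: bytes, key: bytes) -> dict:
    """Resource server side. presented_cert_der must come from this server's own
    TLS handshake (or a trusted terminating proxy), never from a client-set header.
    Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    cnf = claims.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(bound, str):
        raise ValueError("token is not certificate-bound; refuse it on an mTLS-only endpoint")
    if not hmac.compare_digest(bound.encode("utf-8"), x5t_s256(presented_cert_der).encode("utf-8")):
        raise ValueError("client certificate does not match cnf.x5t#S256")
    return claims


def accepts(token: str, presented_cert_der: bytes, key: bytes) -> bool:
    try:
        verify_bound_token(token, presented_cert_der, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = mint_bound_token({"sub": "svc-a", "scope": "orders:read"}, CLIENT_CERT_DER, ISSUER_KEY)
    print("legitimate client:", accepts(token, CLIENT_CERT_DER, ISSUER_KEY))   # True
    print("same token, other cert:", accepts(token, OTHER_CERT_DER, ISSUER_KEY))  # False
    print("plain bearer token:", accepts(sign_jwt({"sub": "svc-a"}, ISSUER_KEY), CLIENT_CERT_DER, ISSUER_KEY))  # False
```

The last case is the one that is easy to forget: an endpoint that has decided to require binding must reject tokens that carry no `cnf` at all, otherwise a plain Bearer token issued to the same client silently downgrades the check.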
All posts
Security isn't a premium feature.
Some auth vendors gate MFA, audit logs, or SSO behind enterprise plans. We don't. Why Authaz charges on volume — and only passes through the costs we actually owe upstream.
JWT vs JWE: when signed is not enough
Most engineers ship signed JWTs and call it auth. A signature (JWS) proves who minted the token and that it has not been altered, but the payload is only base64url-encoded and readable by anyone who sees the token. Sometimes the right answer is JWE — encrypted, not just signed. Here's the difference, when each one matters, and what Authaz uses by default.
Auth as code: one YAML, every environment
How authaz.yaml + authaz apply replace dashboard clicking with version-controlled config — same shape as Kubernetes manifests, and ETag-guarded: each apply sends the ETag of the config it read, and a stale one is rejected instead of overwriting a colleague's change, so two engineers can't trample each other.
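The ETag guard in miniature, as an added illustration rather than Authaz's own API or CLI: a hypothetical in-memory config service computes a strong ETag over the canonical document, and `apply` is a conditional write that fails with 412 when the caller's If-Match is stale (or weak, which RFC 7232 forbids for state-changing requests) and with 428 when no precondition was sent. The starting document and the two-engineer scenario are constructed.

```python
import copy
import hashlib
import json
import re
from typing import List, Optional, Tuple

# Constructed starting configuration in the spirit of an authaz.yaml; the
# service below is a hypothetical stand-in used only to show the mechanism.
INITIAL_CONFIG = {
    "tenants": {"acme": {"mfa": "required", "session_ttl": "12h"}},
}

_STRONG_ETAG = re.compile(r'^"[^"]+"$')  # weak validators look like W/"..."


def compute_etag(doc: dict) -> str:
    """Strong ETag over a canonical JSON encoding, so equal documents share an ETag."""
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return '"' + hashlib.sha256(canonical).hexdigest()[:16] + '"'


class ConfigService:
    def __init__(self, initial: dict):
        self._doc = copy.deepcopy(initial)
        self._etag = compute_etag(self._doc)

    def get(self) -> Tuple[dict, str]:
        """GET: returns a copy of the document and the ETag the client must echo back."""
        return copy.deepcopy(self._doc), self._etag

    def apply(self, new_doc: dict, if_match: Optional[str]) -> Tuple[int, str]:
        """PUT with If-Match. 428 if no precondition was sent, 412 if it is weak or
        stale, 200 with the new ETag on success."""
        if if_match is None:
            return 428, self._etag
        if not _STRONG_ETAG.match(if_match) or if_match != self._etag:
            return 412, self._etag
        self._doc = copy.deepcopy(new_doc)
        self._etag = compute_etag(self._doc)
        return 200, self._etag


def two_engineers(service: ConfigService) -> List[int]:
    """Alice and Bob both read, both edit different keys, both apply."""
    alice_doc, alice_etag = service.get()
    bob_doc, bob_etag = service.get()
    alice_doc["tenants"]["acme"]["session_ttl"] = "8h"
    bob_doc["tenants"]["acme"]["mfa"] = "optional"
    statuses = []
    statuses.append(service.apply(alice_doc, alice_etag)[0])  # 200: first writer wins
    statuses.append(service.apply(bob_doc, bob_etag)[0])      # 412: Bob's ETag is now stale
    fresh_doc, fresh_etag = service.get()                     # Bob re-reads on top of Alice's change
    fresh_doc["tenants"]["acme"]["mfa"] = "optional"
    statuses.append(service.apply(fresh_doc, fresh_etag)[0])  # 200: both edits survive
    return statuses


if __name__ == "__main__":
    svc = ConfigService(INITIAL_CONFIG)
    print(two_engineers(svc))  # [200, 412, 200]
    print(svc.get()[0])
```

Without the guard, Bob's second write would have put `session_ttl` back to `12h` and nobody would have noticed until the next audit; with it, the stale apply fails loudly and the retry carries both changes.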