Forem: Shoumik Chakravarty The latest articles on Forem by Shoumik Chakravarty (@shoumik_chakravarty). https://forem.com/shoumik_chakravarty https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3949437%2F7b9766d8-c3b8-4a97-903e-aa02720ad44a.png Forem: Shoumik Chakravarty https://forem.com/shoumik_chakravarty en Microservices Patterns Shoumik Chakravarty Tue, 26 May 2026 03:07:00 +0000 https://forem.com/shoumik_chakravarty/microservices-patterns-2192 https://forem.com/shoumik_chakravarty/microservices-patterns-2192 <h1> Microservices Patterns: A Practical Guide to Choosing the Right Architecture </h1> <p>Most teams don't fail at microservices because the pattern is wrong. They fail because they adopted <em>all</em> the patterns at once, before they understood which problems each one was actually solving.</p> <p>I've watched teams ship a service mesh, an event bus, a saga orchestrator, and a CQRS read model in the same quarter — for a system that had fewer services and limited users. The result is what's now called a <em>distributed monolith</em>: all the operational complexity of microservices with none of the independent deployability or scalability.</p> <p>This guide walks through the patterns that matter, what each one is actually for, and when <em>not</em> to use it. Code examples are in Python, with a decision matrix at the end so you can match the pattern to your problem.</p> <h2> Microservices vs. Distributed Monolith </h2> <p>A real microservice has three properties:</p> <ul> <li> <strong>Independently deployable.</strong> You can ship Service A without coordinating with the teams behind Services B, C, and D.</li> <li> <strong>Owns its data.</strong> No other service reads or writes its database directly. The only way in is through its API.</li> <li> <strong>Loosely coupled.</strong> A change to one service's internal schema doesn't break others.</li> </ul> <p>If you can't deploy a service without redeploying three others, you don't have microservices — you have a monolith with network latency. That's almost always worse than the monolith you started with. Keep this test in mind as we go through each pattern: does this pattern preserve those three properties, or quietly erode them?</p> <h2> 1. API Gateway </h2> <h3> How it works </h3> <p>An API gateway is a single entry point that sits in front of your services and handles cross-cutting concerns: routing, authentication, rate limiting, request/response transformation, and aggregation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Simplified gateway routing logic </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">import</span> <span class="n">httpx</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">SERVICE_ROUTES</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">/users</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">http://user-service:8000</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/orders</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">http://order-service:8000</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/payments</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">http://payment-service:8000</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="nd">@app.api_route</span><span class="p">(</span><span class="sh">"</span><span class="s">/{path:path}</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">PUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DELETE</span><span class="sh">"</span><span class="p">])</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">gateway</span><span class="p">(</span><span class="n">path</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="c1"># 1. Authenticate once at the edge </span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">verify_jwt</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="sh">"</span><span class="s">Invalid token</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 2. Route to the right downstream service </span> <span class="n">prefix</span> <span class="o">=</span> <span class="sh">"</span><span class="s">/</span><span class="sh">"</span> <span class="o">+</span> <span class="n">path</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="n">upstream</span> <span class="o">=</span> <span class="n">SERVICE_ROUTES</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">prefix</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">upstream</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="mi">404</span><span class="p">,</span> <span class="sh">"</span><span class="s">Unknown route</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 3. Proxy the request </span> <span class="k">async</span> <span class="k">with</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">()</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">upstream</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">path</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">body</span><span class="p">(),</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="n">k</span><span class="p">:</span> <span class="n">v</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="k">if</span> <span class="n">k</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">host</span><span class="sh">"</span><span class="p">},</span> <span class="p">)</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> </code></pre> </div> <h3> When to use it </h3> <p>Use a gateway as soon as you have more than two or three services that share clients. It centralizes auth, TLS termination, and rate limiting so each service doesn't reimplement them. The example above is illustrative — for production you'll pick between two deployment models.</p> <h3> Serverless vs. server-based gateway </h3> <p>There are two practical ways to run a gateway, and the choice has bigger operational implications than the choice of vendor.</p> <p><strong>Serverless gateway</strong> (AWS API Gateway, Azure API Management consumption tier, Google Cloud API Gateway, Cloudflare Workers). The cloud provider runs the gateway, you describe routes and policies declaratively, and you pay per request. There are no servers to patch, no capacity to size, and it scales from zero to bursty traffic without you tuning anything. The downsides: per-request pricing gets expensive at high sustained throughput, cold starts add latency on the first request after idle, you're locked into the provider's auth/transform model, and customizing behavior beyond what the console exposes usually means writing Lambda authorizers or Workers — which is its own operational surface. Reach for this when traffic is spiky or modest, when your team is small, or when you're already deep in one cloud and want the integration.</p> <p><strong>Server-based gateway</strong> (Kong, Envoy, Traefik, NGINX, HAProxy, Spring Cloud Gateway, EC Instances). You run the gateway as long-lived processes — usually as pods in Kubernetes or instances behind a load balancer. You get full control over plugins, request transformation, and observability, predictable cost at sustained scale (you're paying for capacity, not per request), and you can run the same gateway in any environment, including on-prem. The cost is real: you own patching, capacity planning, HA topology, and config rollout. Reach for this when you have sustained high traffic, complex routing or transformation needs, multi-cloud or hybrid requirements, or an existing platform team that already operates similar infrastructure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Kong declarative config example — server-based gateway</span> <span class="na">_format_version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.0"</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">order-service</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://order-service.default.svc.cluster.local:8000</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">orders</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/orders"</span><span class="pi">]</span> <span class="na">plugins</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">jwt</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">rate-limiting</span> <span class="na">config</span><span class="pi">:</span> <span class="na">minute</span><span class="pi">:</span> <span class="m">100</span> </code></pre> </div> <p>A rough rule of thumb: under a few hundred requests per second with unpredictable traffic, the serverless model usually wins on total cost of ownership. Above that, with steady load, the server-based model wins on per-request cost and control. Whichever you pick, treat the gateway config as code — version it, review it, and deploy it through a pipeline.</p> <h3> Tradeoffs </h3> <p>The gateway is a single point of failure and a deployment bottleneck regardless of which model you choose. Every team that needs a new route has to coordinate with whoever owns the gateway config. Keep the gateway dumb — routing, auth, rate limiting — and push business logic into the services themselves. The moment you find yourself writing if-statements about specific user IDs in the gateway, you've made it part of your application.</p> <h2> 2. Service Discovery </h2> <h3> How it works </h3> <p>In a microservices system, service instances come and go — autoscaling spins them up, deployments roll them, failures kill them. Hardcoding <code>http://order-service-prod-3:8000</code> won't survive the first deploy. Service discovery solves this with a registry: services register themselves on startup, and clients ask the registry "where is the order service right now?"<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">httpx</span> <span class="kn">import</span> <span class="n">random</span> <span class="k">class</span> <span class="nc">ServiceRegistry</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Client-side discovery against Consul, etcd, or Kubernetes DNS.</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">registry_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">registry_url</span> <span class="o">=</span> <span class="n">registry_url</span> <span class="n">self</span><span class="p">.</span><span class="n">_cache</span><span class="p">:</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">]]</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">resolve</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">service_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">if</span> <span class="n">service_name</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">_cache</span><span class="p">:</span> <span class="k">async</span> <span class="k">with</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">()</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">resp</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">registry_url</span><span class="si">}</span><span class="s">/v1/services/</span><span class="si">{</span><span class="n">service_name</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">_cache</span><span class="p">[</span><span class="n">service_name</span><span class="p">]</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">"</span><span class="s">instances</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Simple client-side load balancing </span> <span class="k">return</span> <span class="n">random</span><span class="p">.</span><span class="nf">choice</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_cache</span><span class="p">[</span><span class="n">service_name</span><span class="p">])</span> <span class="c1"># In practice, refresh the cache periodically and remove failed instances </span></code></pre> </div> <h3> When to use it </h3> <p>You need service discovery the moment you have more than one instance of any service, or as soon as you're deploying to a dynamic environment (Kubernetes, ECS, Nomad). If you're on Kubernetes you get this for free — DNS resolves <code>order-service.default.svc.cluster.local</code> to a healthy pod. Don't build your own unless you have a reason.</p> <h3> Tradeoffs </h3> <p>Client-side discovery (each service queries the registry) reduces a network hop but spreads discovery logic everywhere. Server-side discovery (a load balancer fronts each service) is simpler for clients but adds a hop and another component to operate. On Kubernetes, the platform handles this — don't fight it.</p> <h2> 3. Circuit Breaker </h2> <h3> How it works </h3> <p>When a downstream service starts failing, the worst thing your service can do is keep hammering it with retries. You exhaust your own threads, queue up requests that will never succeed, and the failure cascades upstream until your whole system is down.</p> <p>A circuit breaker watches the failure rate of calls to a downstream service. When failures cross a threshold, it "opens" — for a cooldown period, calls fail fast without ever hitting the downstream. After the cooldown, it lets a small number of test requests through; if they succeed, it closes again.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">enum</span> <span class="kn">import</span> <span class="n">Enum</span> <span class="k">class</span> <span class="nc">State</span><span class="p">(</span><span class="n">Enum</span><span class="p">):</span> <span class="n">CLOSED</span> <span class="o">=</span> <span class="sh">"</span><span class="s">closed</span><span class="sh">"</span> <span class="c1"># Normal operation </span> <span class="n">OPEN</span> <span class="o">=</span> <span class="sh">"</span><span class="s">open</span><span class="sh">"</span> <span class="c1"># Failing fast </span> <span class="n">HALF_OPEN</span> <span class="o">=</span> <span class="sh">"</span><span class="s">half_open</span><span class="sh">"</span> <span class="c1"># Testing recovery </span> <span class="k">class</span> <span class="nc">CircuitBreaker</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">failure_threshold</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">5</span><span class="p">,</span> <span class="n">recovery_timeout</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">30</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">failure_threshold</span> <span class="o">=</span> <span class="n">failure_threshold</span> <span class="n">self</span><span class="p">.</span><span class="n">recovery_timeout</span> <span class="o">=</span> <span class="n">recovery_timeout</span> <span class="n">self</span><span class="p">.</span><span class="n">failure_count</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">self</span><span class="p">.</span><span class="n">last_failure_time</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="n">self</span><span class="p">.</span><span class="n">state</span> <span class="o">=</span> <span class="n">State</span><span class="p">.</span><span class="n">CLOSED</span> <span class="k">def</span> <span class="nf">call</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">func</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">state</span> <span class="o">==</span> <span class="n">State</span><span class="p">.</span><span class="n">OPEN</span><span class="p">:</span> <span class="k">if</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">self</span><span class="p">.</span><span class="n">last_failure_time</span> <span class="o">&gt;</span> <span class="n">self</span><span class="p">.</span><span class="n">recovery_timeout</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">state</span> <span class="o">=</span> <span class="n">State</span><span class="p">.</span><span class="n">HALF_OPEN</span> <span class="k">else</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sh">"</span><span class="s">Circuit breaker is OPEN — failing fast</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">func</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">_on_success</span><span class="p">()</span> <span class="k">return</span> <span class="n">result</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">_on_failure</span><span class="p">()</span> <span class="k">raise</span> <span class="k">def</span> <span class="nf">_on_success</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">failure_count</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">self</span><span class="p">.</span><span class="n">state</span> <span class="o">=</span> <span class="n">State</span><span class="p">.</span><span class="n">CLOSED</span> <span class="k">def</span> <span class="nf">_on_failure</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">failure_count</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">self</span><span class="p">.</span><span class="n">last_failure_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">failure_count</span> <span class="o">&gt;=</span> <span class="n">self</span><span class="p">.</span><span class="n">failure_threshold</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">state</span> <span class="o">=</span> <span class="n">State</span><span class="p">.</span><span class="n">OPEN</span> </code></pre> </div> <h3> When to use it </h3> <p>Use a circuit breaker around any synchronous call to a service you don't control fully — third-party APIs, services owned by another team, anything where a slow response from them shouldn't take you down. Pair it with timeouts (always set timeouts on outbound calls) and bulkheads (limit how many threads any one downstream can consume).</p> <h3> Tradeoffs </h3> <p>A circuit breaker shifts the failure from "slow timeout" to "fast error." That's almost always the right tradeoff, but your callers now need to handle the fast-fail case — usually with a fallback (cached data, a default response, a queued retry). Libraries like resilience4j, Polly, or Hystrix (now in maintenance mode — use resilience4j) implement this properly with metrics built in.</p> <h2> 4. Saga — Distributed Transactions Without Distributed Locks </h2> <h3> How it works </h3> <p>You can't run a SQL transaction across two services without distributed locks, and you don't want distributed locks. A saga replaces the ACID transaction with a sequence of local transactions, each of which has a defined compensating action that undoes it.</p> <p>For example, booking a trip might be: reserve hotel → charge card → book flight. If the flight booking fails, the saga runs compensations in reverse: refund the card, release the hotel.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Callable</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">SagaStep</span><span class="p">:</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span> <span class="n">action</span><span class="p">:</span> <span class="n">Callable</span> <span class="n">compensation</span><span class="p">:</span> <span class="n">Callable</span> <span class="k">class</span> <span class="nc">Saga</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">steps</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="n">SagaStep</span><span class="p">]):</span> <span class="n">self</span><span class="p">.</span><span class="n">steps</span> <span class="o">=</span> <span class="n">steps</span> <span class="k">def</span> <span class="nf">execute</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">context</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="n">completed</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">try</span><span class="p">:</span> <span class="k">for</span> <span class="n">step</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">steps</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">step</span><span class="p">.</span><span class="nf">action</span><span class="p">(</span><span class="n">context</span><span class="p">)</span> <span class="n">completed</span><span class="p">.</span><span class="nf">append</span><span class="p">((</span><span class="n">step</span><span class="p">,</span> <span class="n">result</span><span class="p">))</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="c1"># Run compensations in reverse order </span> <span class="k">for</span> <span class="n">step</span><span class="p">,</span> <span class="n">result</span> <span class="ow">in</span> <span class="nf">reversed</span><span class="p">(</span><span class="n">completed</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">step</span><span class="p">.</span><span class="nf">compensation</span><span class="p">(</span><span class="n">context</span><span class="p">,</span> <span class="n">result</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">comp_err</span><span class="p">:</span> <span class="c1"># Compensations should be idempotent and logged loudly </span> <span class="n">log</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Compensation </span><span class="si">{</span><span class="n">step</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s"> failed: </span><span class="si">{</span><span class="n">comp_err</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="n">e</span> <span class="c1"># Usage </span><span class="n">saga</span> <span class="o">=</span> <span class="nc">Saga</span><span class="p">([</span> <span class="nc">SagaStep</span><span class="p">(</span><span class="sh">"</span><span class="s">reserve_hotel</span><span class="sh">"</span><span class="p">,</span> <span class="n">reserve_hotel</span><span class="p">,</span> <span class="n">release_hotel</span><span class="p">),</span> <span class="nc">SagaStep</span><span class="p">(</span><span class="sh">"</span><span class="s">charge_card</span><span class="sh">"</span><span class="p">,</span> <span class="n">charge_card</span><span class="p">,</span> <span class="n">refund_card</span><span class="p">),</span> <span class="nc">SagaStep</span><span class="p">(</span><span class="sh">"</span><span class="s">book_flight</span><span class="sh">"</span><span class="p">,</span> <span class="n">book_flight</span><span class="p">,</span> <span class="n">cancel_flight</span><span class="p">),</span> <span class="p">])</span> <span class="n">saga</span><span class="p">.</span><span class="nf">execute</span><span class="p">({</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">u_123</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">trip_id</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">t_456</span><span class="sh">"</span><span class="p">})</span> </code></pre> </div> <h3> Orchestration vs. choreography </h3> <p>Two flavors:</p> <ul> <li> <strong>Orchestration</strong> (above): a central coordinator drives each step. Easier to reason about and debug, but the orchestrator becomes a critical service.</li> <li> <strong>Choreography:</strong> each service listens for events and decides what to do next. No central point, but the flow is implicit — to understand it, you have to read every subscriber.</li> </ul> <p>Start with orchestration. Move to choreography only when the orchestrator becomes a bottleneck or you have genuinely independent teams owning each step.</p> <h3> Tradeoffs </h3> <p>Sagas give you eventual consistency, not atomicity. There will be moments when a hotel is reserved but the card hasn't been charged yet — your system must tolerate that. Every compensation must be idempotent because it might be retried. And if a compensation itself fails, you need a manual intervention path; don't pretend the system can always self-heal.</p> <h2> 5. Asynchronous Messaging </h2> <h3> How it works </h3> <p>Synchronous calls couple availability: if Service B is down, Service A's request fails. Async messaging breaks that coupling. Service A publishes an event to a broker (Kafka, RabbitMQ, NATS, SQS), and Service B consumes it whenever it's ready.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Producer </span><span class="kn">import</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">kafka</span> <span class="kn">import</span> <span class="n">KafkaProducer</span> <span class="n">producer</span> <span class="o">=</span> <span class="nc">KafkaProducer</span><span class="p">(</span> <span class="n">bootstrap_servers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">kafka:9092</span><span class="sh">"</span><span class="p">],</span> <span class="n">value_serializer</span><span class="o">=</span><span class="k">lambda</span> <span class="n">v</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">v</span><span class="p">).</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">acks</span><span class="o">=</span><span class="sh">"</span><span class="s">all</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Wait for all replicas — durability over latency </span> <span class="n">enable_idempotence</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="c1"># Prevents duplicate messages from retries </span><span class="p">)</span> <span class="k">def</span> <span class="nf">on_order_placed</span><span class="p">(</span><span class="n">order</span><span class="p">):</span> <span class="n">producer</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="sh">"</span><span class="s">orders.placed</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">event_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">order</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">order</span><span class="p">.</span><span class="n">user_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="n">order</span><span class="p">.</span><span class="n">amount</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">order</span><span class="p">.</span><span class="n">created_at</span><span class="p">.</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="p">})</span> <span class="c1"># Consumer (in a different service) </span><span class="kn">from</span> <span class="n">kafka</span> <span class="kn">import</span> <span class="n">KafkaConsumer</span> <span class="n">consumer</span> <span class="o">=</span> <span class="nc">KafkaConsumer</span><span class="p">(</span> <span class="sh">"</span><span class="s">orders.placed</span><span class="sh">"</span><span class="p">,</span> <span class="n">bootstrap_servers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">kafka:9092</span><span class="sh">"</span><span class="p">],</span> <span class="n">group_id</span><span class="o">=</span><span class="sh">"</span><span class="s">inventory-service</span><span class="sh">"</span><span class="p">,</span> <span class="n">enable_auto_commit</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="c1"># Commit only after successful processing </span> <span class="n">value_deserializer</span><span class="o">=</span><span class="k">lambda</span> <span class="n">v</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">v</span><span class="p">.</span><span class="nf">decode</span><span class="p">()),</span> <span class="p">)</span> <span class="k">for</span> <span class="n">message</span> <span class="ow">in</span> <span class="n">consumer</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="nf">reserve_inventory</span><span class="p">(</span><span class="n">message</span><span class="p">.</span><span class="n">value</span><span class="p">)</span> <span class="n">consumer</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="c1"># Don't commit — message will be redelivered </span> <span class="n">log</span><span class="p">.</span><span class="nf">exception</span><span class="p">(</span><span class="sh">"</span><span class="s">Failed to process order</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> When to use it </h3> <p>Reach for async when the consumer doesn't need to respond immediately, when you have multiple consumers for the same event (one event, many subscribers), or when you want to decouple deployment lifecycles. Order placement → inventory update, audit log, fraud check, email notification — all naturally async.</p> <h3> Tradeoffs </h3> <p>Async is harder to debug. A request that used to be one HTTP call is now a chain of events across topics, with retries, dead-letter queues, and ordering caveats. You need distributed tracing (OpenTelemetry) to follow a request across services, and you need to design for at-least-once delivery — consumers must be idempotent because the same message <em>will</em> be redelivered occasionally.</p> <h2> 6. Service Mesh </h2> <h3> How it works </h3> <p>A service mesh (Istio, Linkerd, Consul Connect) puts a lightweight proxy (a "sidecar") next to every service instance. All traffic in and out flows through the sidecar, which handles mTLS, retries, timeouts, load balancing, observability, and traffic shifting — <em>without any code in your service</em>.</p> <p>A typical Istio config that routes 10% of traffic to a new version of a service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">order-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">order-service</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">order-service</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">90</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">order-service</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <h3> When to use it </h3> <p>A service mesh starts paying for itself somewhere around 20–30 services, when the cost of reimplementing mTLS, retries, and observability in every service exceeds the operational cost of running the mesh. Below that, a good HTTP client library and a few Kubernetes primitives will do.</p> <h3> Tradeoffs </h3> <p>A mesh is operationally heavy. You're adding a proxy to every pod (memory, CPU, latency), a control plane to manage, and a new failure mode to debug. The benefit is that all your services get consistent security, retry behavior, and telemetry for free. The cost is real complexity, and it's not the first thing you should reach for.</p> <h2> Decision Matrix </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Pattern</th> <th>When to skip it</th> </tr> </thead> <tbody> <tr> <td>Clients shouldn't know about your internal services</td> <td>API Gateway</td> <td>You have only one or two services</td> </tr> <tr> <td>Service instances are dynamic</td> <td>Service Discovery</td> <td>You're on Kubernetes (you already have it)</td> </tr> <tr> <td>Downstream failures shouldn't take you down</td> <td>Circuit Breaker</td> <td>You only make in-process calls</td> </tr> <tr> <td>Multi-service transaction without distributed locks</td> <td>Saga</td> <td>The operation fits in a single service's database</td> </tr> <tr> <td>Decouple producers from consumers</td> <td>Async messaging</td> <td>You need a synchronous response and can tolerate the coupling</td> </tr> <tr> <td>Multiple read patterns over the same data</td> <td>CQRS</td> <td>One model serves all read patterns well</td> </tr> <tr> <td>Consistent security, retries, telemetry across many services</td> <td>Service Mesh</td> <td>You have fewer than ~20 services</td> </tr> <tr> <td>Real-time data pipeline across services</td> <td>Event streaming (Kafka)</td> <td>Your throughput fits in a queue</td> </tr> </tbody> </table></div> <h2> Common Mistakes Across All Patterns </h2> <p><strong>1. Splitting by technical layer, not business capability.</strong> "Database service," "API service," "validation service" is not microservices — it's a layered monolith spread across machines. Split along business boundaries (orders, payments, inventory), where each service owns a coherent capability and its data.</p> <p><strong>2. Sharing a database between services.</strong> The moment two services read or write the same tables, you've coupled their schemas and deployment lifecycles. They're now one service in two processes. Each service owns its data; everything else goes through its API.</p> <p><strong>3. Synchronous chains.</strong> Service A calls B calls C calls D, all synchronously. The latency multiplies, the failure modes compound, and any one slow service freezes the whole chain. Break the chain with async messaging where you can.</p> <p><strong>4. No distributed tracing.</strong> Once you have more than three services, you cannot debug production without trace IDs that propagate through every call and event. Add OpenTelemetry on day one — retrofitting it later is painful.</p> <p><strong>5. Inconsistent error contracts.</strong> Each service returns errors in a different shape. Standardize early — pick one error format (RFC 7807 Problem Details is a good default) and enforce it across every service.</p> <p><strong>6. Microservices for a team of three.</strong> The cost of microservices is mostly organizational: independent deploys, on-call rotations, service ownership. If you have one team, a well-structured monolith ships faster and breaks less. Adopt microservices when your team structure starts forcing the split, not before.</p> <h2> Conclusion </h2> <p>Microservices are a response to organizational scale, not a default architecture. The patterns above exist because distributed systems introduce problems monoliths don't have — partial failure, eventual consistency, network latency — and each pattern solves one of those problems at the cost of complexity somewhere else.</p> <p>Pick the smallest set of patterns that solves your actual problems. Add the next one only when the pain of <em>not</em> having it exceeds the cost of operating it. A two-service system with an API gateway and good observability beats a six-service system with a mesh, a saga orchestrator, and a CQRS pipeline that the team can't fully explain.</p> <p>To recap:</p> <ul> <li> <strong>API Gateway</strong> when clients shouldn't see your internal topology.</li> <li> <strong>Service Discovery</strong> when instances move (and use what your platform gives you).</li> <li> <strong>Circuit Breaker</strong> around every synchronous call you don't fully control.</li> <li> <strong>Saga</strong> when a transaction has to span services — orchestration first, choreography later.</li> <li> <strong>Async messaging</strong> to decouple lifecycles and fan out events.</li> <li> <strong>Service Mesh</strong> once the cost of reimplementing security and observability per-service exceeds the cost of running the mesh.</li> </ul> <p>Start with the decision matrix. Read the source material for whichever pattern you adopt — Sam Newman's <em>Building Microservices</em>, Chris Richardson's microservices.io, and the original Netflix and Amazon engineering blogs are far more honest about tradeoffs than most vendor documentation.</p> <p><em>I wrote this after seeing a team try to implement a Service Mesh for a system with only 3 services. What’s the most 'over-engineered' setup you’ve encountered lately?</em></p> microservices architecture systemdesign cloud Securing Web APIs Shoumik Chakravarty Sun, 24 May 2026 21:20:22 +0000 https://forem.com/shoumik_chakravarty/securing-web-apis-a-practical-guide-to-authentication-authorization-methods-2had https://forem.com/shoumik_chakravarty/securing-web-apis-a-practical-guide-to-authentication-authorization-methods-2had <h1> A Practical Guide to Authentication &amp; Authorization Methods </h1> <p>Most API security incidents don't happen because attackers found a clever zero-day. They happen because a developer grabbed the first auth pattern that came to mind, shipped it, and moved on.</p> <p>I've seen API keys committed to public repos, JWTs without expiry running in production, and OAuth flows that skip PKCE on mobile clients. These aren't exotic mistakes — they're the default outcome when engineers don't have a clear map of what each method does, when it fits, and where it breaks down.</p> <p>This guide gives you that map. We'll cover every major authentication and authorization method used to secure web APIs today, with code examples in Python and a decision matrix at the end so you can match the right tool to your specific context.</p> <h2> Authentication vs. Authorization — Get This Right First </h2> <p>These two words are often used interchangeably. That's a problem, because conflating them leads to real vulnerabilities.</p> <ul> <li> <strong>Authentication</strong> answers: <em>Who are you?</em> It verifies identity.</li> <li> <strong>Authorization</strong> answers: <em>What are you allowed to do?</em> It enforces permissions.</li> </ul> <p>A request can be authenticated (we know it's from User A) but unauthorized (User A doesn't have access to this resource). A system that only checks "is this a valid token?" without checking "does this token have permission to do <em>this</em>?" is wide open to privilege escalation.</p> <p>Keep both in mind as we go through each method.</p> <h2> 1. API Keys </h2> <h3> How it works </h3> <p>An API key is a long, random string generated by the server and shared with the client. The client sends it on every request, typically in a header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">GET</span> <span class="nn">/v1/data</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">api.example.com</span> <span class="na">X-API-Key</span><span class="p">:</span> <span class="s">sk_live_a3f8c2d1e9b7...</span> </code></pre> </div> <p>On the server side, you validate it against your store:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">secrets</span> <span class="kn">from</span> <span class="n">functools</span> <span class="kn">import</span> <span class="n">wraps</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">jsonify</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="c1"># In production, store these in a database with metadata # (owner, scopes, rate limit tier, created_at, last_used) </span><span class="n">VALID_KEYS</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">sk_live_a3f8c2d1e9b7abc123</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">client_A</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">scopes</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">]},</span> <span class="sh">"</span><span class="s">sk_live_z9y8x7w6v5u4t3s2r1</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">client_B</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">scopes</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">write</span><span class="sh">"</span><span class="p">]},</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">require_api_key</span><span class="p">(</span><span class="n">f</span><span class="p">):</span> <span class="nd">@wraps</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">def</span> <span class="nf">decorated</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="n">key</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">X-API-Key</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">key</span> <span class="ow">or</span> <span class="n">key</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">VALID_KEYS</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Invalid or missing API key</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">401</span> <span class="n">request</span><span class="p">.</span><span class="n">api_client</span> <span class="o">=</span> <span class="n">VALID_KEYS</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="k">return</span> <span class="nf">f</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">return</span> <span class="n">decorated</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/v1/data</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@require_api_key</span> <span class="k">def</span> <span class="nf">get_data</span><span class="p">():</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Hello, </span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="n">api_client</span><span class="p">[</span><span class="sh">'</span><span class="s">owner</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">})</span> </code></pre> </div> <h3> When to use it </h3> <p>API keys work well for <strong>server-to-server</strong> communication where the client is a known system (not an end user), especially for public APIs where you want to track usage per consumer, enforce rate limits, or tier access. They're also the right choice for simple internal tooling where OAuth 2.0 would be overkill.</p> <h3> Security tradeoffs </h3> <ul> <li>Keys don't expire by default — a leaked key is valid until you rotate it manually.</li> <li>They carry no user identity, only client identity.</li> <li>Never put them in URLs (they end up in server logs). Always use headers.</li> <li>Use <code>secrets.compare_digest()</code> instead of <code>==</code> to prevent timing attacks when comparing keys.</li> </ul> <h2> 2. Basic Authentication </h2> <h3> How it works </h3> <p>The client encodes <code>username:password</code> in Base64 and sends it in the <code>Authorization</code> header on every request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">GET</span> <span class="nn">/v1/resource</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s">Basic c2hvdW1pazpteXBhc3N3b3Jk</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">base64</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">request</span><span class="p">,</span> <span class="n">jsonify</span> <span class="k">def</span> <span class="nf">check_basic_auth</span><span class="p">():</span> <span class="n">auth</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">auth</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">Basic </span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">try</span><span class="p">:</span> <span class="n">decoded</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">auth</span><span class="p">[</span><span class="mi">6</span><span class="p">:]).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> <span class="n">username</span><span class="p">,</span> <span class="n">password</span> <span class="o">=</span> <span class="n">decoded</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">:</span><span class="sh">"</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="k">return</span> <span class="n">username</span><span class="p">,</span> <span class="n">password</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> </code></pre> </div> <h3> When to use it </h3> <p>Basic Auth is appropriate for <strong>internal tools</strong>, admin dashboards behind a VPN, or simple scripts that call internal APIs. It is <strong>always</strong> required over HTTPS — Base64 is encoding, not encryption, and credentials are trivially reversible over plain HTTP.</p> <h3> Security tradeoffs </h3> <ul> <li>Credentials are sent on every single request. One intercepted request = credentials compromised.</li> <li>No token expiry, no scoping, no revocation without a password change.</li> <li>Avoid for any externally exposed or user-facing API. It has no place in a mobile or browser client.</li> </ul> <h2> 3. JWT — JSON Web Tokens </h2> <h3> How it works </h3> <p>A JWT is a self-contained, signed token with three Base64URL-encoded parts: a <strong>header</strong> (algorithm), a <strong>payload</strong> (claims), and a <strong>signature</strong>. The server signs it on login; the client sends it back on every subsequent request. The server verifies the signature without hitting a database.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">eyJhbGciOiJIUzI</span><span class="mi">1</span><span class="err">NiIsInR</span><span class="mi">5</span><span class="err">cCI</span><span class="mi">6</span><span class="err">IkpXVCJ</span><span class="mi">9</span><span class="w"> </span><span class="err">←</span><span class="w"> </span><span class="err">header</span><span class="w"> </span><span class="err">.eyJ</span><span class="mi">1</span><span class="err">c</span><span class="mi">2</span><span class="err">VyX</span><span class="mi">2</span><span class="err">lkIjoiMTIzIiwiZXhwIjoxNzE...</span><span class="w"> </span><span class="err">←</span><span class="w"> </span><span class="err">payload</span><span class="w"> </span><span class="err">.SflKxwRJSMeKKF</span><span class="mi">2</span><span class="err">QT</span><span class="mi">4</span><span class="err">fwpMeJf</span><span class="mi">36</span><span class="err">POk</span><span class="mi">6</span><span class="err">yJV_...</span><span class="w"> </span><span class="err">←</span><span class="w"> </span><span class="err">signature</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">jwt</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">jsonify</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">use-a-strong-secret-from-env-not-hardcoded</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">generate_token</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">now</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">iat</span><span class="sh">"</span><span class="p">:</span> <span class="n">now</span><span class="p">,</span> <span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="n">now</span> <span class="o">+</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">hours</span><span class="o">=</span><span class="mi">1</span><span class="p">),</span> <span class="sh">"</span><span class="s">scopes</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">write</span><span class="sh">"</span><span class="p">],</span> <span class="p">}</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">verify_token</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Always specify algorithms explicitly — never pass algorithms=None </span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">])</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Token has expired</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">InvalidTokenError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Invalid token</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">login</span><span class="p">():</span> <span class="c1"># Validate credentials here (omitted for brevity) </span> <span class="n">token</span> <span class="o">=</span> <span class="nf">generate_token</span><span class="p">(</span><span class="n">user_id</span><span class="o">=</span><span class="sh">"</span><span class="s">user_123</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">:</span> <span class="n">token</span><span class="p">,</span> <span class="sh">"</span><span class="s">token_type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Bearer</span><span class="sh">"</span><span class="p">})</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/v1/profile</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">profile</span><span class="p">():</span> <span class="n">auth</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">auth</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">Bearer </span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Missing token</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">401</span> <span class="k">try</span><span class="p">:</span> <span class="n">claims</span> <span class="o">=</span> <span class="nf">verify_token</span><span class="p">(</span><span class="n">auth</span><span class="p">[</span><span class="mi">7</span><span class="p">:])</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">claims</span><span class="p">[</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">]})</span> <span class="k">except</span> <span class="nb">ValueError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)}),</span> <span class="mi">401</span> </code></pre> </div> <h3> When to use it </h3> <p>JWTs shine in <strong>stateless, distributed systems</strong> — microservices, APIs behind a CDN, or anywhere you can't share session state between servers. They're the standard for single-page apps and mobile clients that authenticate once and carry claims across services.</p> <h3> The most common JWT mistakes </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Mistake</th> <th>Consequence</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td> <code>alg: none</code> accepted</td> <td>Anyone can forge a valid token</td> <td>Always specify <code>algorithms=["HS256"]</code> explicitly</td> </tr> <tr> <td>No expiry (<code>exp</code> claim missing)</td> <td>Leaked tokens are valid forever</td> <td>Always set <code>exp</code>; 15–60 min for access tokens</td> </tr> <tr> <td>Secret stored in code</td> <td>Any repo leak = all tokens compromised</td> <td>Load from environment variable or secrets manager</td> </tr> <tr> <td>Storing JWT in localStorage</td> <td>XSS can steal it</td> <td>Use <code>HttpOnly</code> cookies or a BFF pattern</td> </tr> <tr> <td>Trusting <code>alg</code> header from client</td> <td>Algorithm confusion attacks</td> <td>Pin algorithm server-side</td> </tr> </tbody> </table></div> <h2> 4. OAuth 2.0 </h2> <h3> How it works </h3> <p>OAuth 2.0 is a <strong>delegation framework</strong>, not an authentication protocol. It lets a user grant a third-party application limited access to their resources without sharing their password.</p> <p>The most important flows:</p> <p><strong>Authorization Code + PKCE</strong> (for browser/mobile clients — the only safe flow for public clients):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User → App → Authorization Server ← Authorization Code App → Authorization Server (code + PKCE verifier) ← Access Token + Refresh Token App → Resource Server (Access Token) ← Protected Resource </code></pre> </div> <p><strong>Client Credentials</strong> (for machine-to-machine, no user involved):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">httpx</span> <span class="k">def</span> <span class="nf">get_machine_token</span><span class="p">(</span><span class="n">client_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">client_secret</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">token_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">httpx</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">token_url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">grant_type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">client_credentials</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">client_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">client_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">client_secret</span><span class="sh">"</span><span class="p">:</span> <span class="n">client_secret</span><span class="p">,</span> <span class="sh">"</span><span class="s">scope</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">api:read api:write</span><span class="sh">"</span><span class="p">,</span> <span class="p">})</span> <span class="n">response</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Use the token </span><span class="n">token</span> <span class="o">=</span> <span class="nf">get_machine_token</span><span class="p">(</span> <span class="n">client_id</span><span class="o">=</span><span class="sh">"</span><span class="s">my-service</span><span class="sh">"</span><span class="p">,</span> <span class="n">client_secret</span><span class="o">=</span><span class="sh">"</span><span class="s">from-env</span><span class="sh">"</span><span class="p">,</span> <span class="n">token_url</span><span class="o">=</span><span class="sh">"</span><span class="s">https://auth.example.com/oauth/token</span><span class="sh">"</span> <span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Bearer </span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h3> When to use it </h3> <p>Use OAuth 2.0 whenever you need <strong>delegated access</strong> — a user authorizing your app to act on their behalf with another service (Google Drive, GitHub, Stripe). Also use Client Credentials for any service-to-service communication within a trusted internal network.</p> <h3> Critical: always use PKCE for public clients </h3> <p>PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks. Any OAuth flow running in a browser or mobile app that cannot securely store a client secret <strong>must</strong> use PKCE. It is no longer optional — the OAuth 2.1 draft mandates it for all flows.</p> <h2> 5. OpenID Connect (OIDC) </h2> <h3> How it works </h3> <p>OpenID Connect is an <strong>authentication layer built on top of OAuth 2.0</strong>. While OAuth 2.0 says "here is an access token that grants you access to a resource," OIDC adds an <strong>ID Token</strong> (a JWT) that asserts the user's identity.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># After OAuth flow completes, decode the ID token </span><span class="kn">import</span> <span class="n">jwt</span> <span class="kn">from</span> <span class="n">jwt</span> <span class="kn">import</span> <span class="n">PyJWKClient</span> <span class="k">def</span> <span class="nf">verify_id_token</span><span class="p">(</span><span class="n">id_token</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">issuer</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">client_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="c1"># Fetch public keys from the provider's JWKS endpoint </span> <span class="n">jwks_client</span> <span class="o">=</span> <span class="nc">PyJWKClient</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">issuer</span><span class="si">}</span><span class="s">/.well-known/jwks.json</span><span class="sh">"</span><span class="p">)</span> <span class="n">signing_key</span> <span class="o">=</span> <span class="n">jwks_client</span><span class="p">.</span><span class="nf">get_signing_key_from_jwt</span><span class="p">(</span><span class="n">id_token</span><span class="p">)</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span> <span class="n">id_token</span><span class="p">,</span> <span class="n">signing_key</span><span class="p">.</span><span class="n">key</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">RS256</span><span class="sh">"</span><span class="p">],</span> <span class="n">audience</span><span class="o">=</span><span class="n">client_id</span><span class="p">,</span> <span class="n">issuer</span><span class="o">=</span><span class="n">issuer</span><span class="p">,</span> <span class="p">)</span> <span class="n">claims</span> <span class="o">=</span> <span class="nf">verify_id_token</span><span class="p">(</span> <span class="n">id_token</span><span class="o">=</span><span class="n">token_response</span><span class="p">[</span><span class="sh">"</span><span class="s">id_token</span><span class="sh">"</span><span class="p">],</span> <span class="n">issuer</span><span class="o">=</span><span class="sh">"</span><span class="s">https://accounts.google.com</span><span class="sh">"</span><span class="p">,</span> <span class="n">client_id</span><span class="o">=</span><span class="sh">"</span><span class="s">your-client-id</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">claims</span><span class="p">[</span><span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Verified user email </span><span class="nf">print</span><span class="p">(</span><span class="n">claims</span><span class="p">[</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Stable user identifier </span></code></pre> </div> <h3> When to use it </h3> <p>Any time you need <strong>"Sign in with Google/GitHub/Microsoft"</strong> or need to verify <em>who</em> the user is (not just what they can access), OIDC is the right choice. It eliminates the need to manage passwords entirely for federated identity scenarios.</p> <h2> 6. HMAC Request Signing </h2> <h3> How it works </h3> <p>Instead of sending a credential, the client uses a shared secret to generate a <strong>cryptographic signature of the request itself</strong> — the method, URL, timestamp, and body. The server recomputes the signature and compares.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">hmac</span> <span class="kn">import</span> <span class="n">hashlib</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">base64</span> <span class="k">def</span> <span class="nf">sign_request</span><span class="p">(</span><span class="n">method</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">path</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">,</span> <span class="n">secret</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()))</span> <span class="n">message</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">method</span><span class="si">}</span><span class="se">\n</span><span class="si">{</span><span class="n">path</span><span class="si">}</span><span class="se">\n</span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="se">\n</span><span class="si">{</span><span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">body</span><span class="p">).</span><span class="nf">hexdigest</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span> <span class="n">signature</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">secret</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">message</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha256</span><span class="p">).</span><span class="nf">digest</span><span class="p">()</span> <span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">X-Timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">timestamp</span><span class="p">,</span> <span class="sh">"</span><span class="s">X-Signature</span><span class="sh">"</span><span class="p">:</span> <span class="n">signature</span><span class="p">,</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">verify_request</span><span class="p">(</span><span class="n">method</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">path</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">,</span> <span class="n">secret</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">headers</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">X-Timestamp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="c1"># Reject requests older than 5 minutes — prevents replay attacks </span> <span class="k">if</span> <span class="nf">abs</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="nf">int</span><span class="p">(</span><span class="n">timestamp</span><span class="p">))</span> <span class="o">&gt;</span> <span class="mi">300</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="n">expected</span> <span class="o">=</span> <span class="nf">sign_request</span><span class="p">(</span><span class="n">method</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">body</span><span class="p">,</span> <span class="n">secret</span><span class="p">)</span> <span class="k">return</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">compare_digest</span><span class="p">(</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">X-Signature</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">),</span> <span class="n">expected</span><span class="p">[</span><span class="sh">"</span><span class="s">X-Signature</span><span class="sh">"</span><span class="p">])</span> </code></pre> </div> <h3> When to use it </h3> <p>HMAC signing is the right choice for <strong>webhooks</strong> (Stripe, GitHub, and Twilio all use it), high-integrity financial APIs, and scenarios where you need to prove that a request hasn't been tampered with in transit. AWS Signature Version 4 is HMAC under the hood.</p> <h3> Why it's stronger than API keys for sensitive operations </h3> <p>An API key proves identity but not integrity. If an attacker can intercept and modify a request, the key is still valid. HMAC signs the <em>entire request</em>, so any modification breaks the signature. It also includes a timestamp, preventing replay attacks.</p> <h2> 7. Mutual TLS (mTLS) </h2> <h3> How it works </h3> <p>In standard TLS, only the server presents a certificate to prove its identity. In mTLS, <strong>both the client and server present certificates</strong>. This means the server cryptographically verifies the client's identity at the transport layer — before any application code runs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">ssl</span> <span class="kn">import</span> <span class="n">httpx</span> <span class="c1"># Client presents its certificate on every request </span><span class="n">ssl_context</span> <span class="o">=</span> <span class="n">ssl</span><span class="p">.</span><span class="nf">create_default_context</span><span class="p">(</span><span class="n">ssl</span><span class="p">.</span><span class="n">Purpose</span><span class="p">.</span><span class="n">SERVER_AUTH</span><span class="p">)</span> <span class="n">ssl_context</span><span class="p">.</span><span class="nf">load_verify_locations</span><span class="p">(</span><span class="sh">"</span><span class="s">ca-cert.pem</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Trust this CA </span><span class="n">ssl_context</span><span class="p">.</span><span class="nf">load_cert_chain</span><span class="p">(</span><span class="sh">"</span><span class="s">client-cert.pem</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">client-key.pem</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Our identity </span> <span class="k">with</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">Client</span><span class="p">(</span><span class="n">verify</span><span class="o">=</span><span class="n">ssl_context</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">https://internal-service.example.com/api/data</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> </code></pre> </div> <p>On the server (nginx configuration example):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span> <span class="kn">ssl_certificate</span> <span class="n">/etc/ssl/server-cert.pem</span><span class="p">;</span> <span class="kn">ssl_certificate_key</span> <span class="n">/etc/ssl/server-key.pem</span><span class="p">;</span> <span class="kn">ssl_client_certificate</span> <span class="n">/etc/ssl/ca-cert.pem</span><span class="p">;</span> <span class="kn">ssl_verify_client</span> <span class="no">on</span><span class="p">;</span> <span class="c1"># Reject any request without a valid client cert</span> <span class="kn">location</span> <span class="n">/api/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://app:8000</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Client-Cert</span> <span class="nv">$ssl_client_cert</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> When to use it </h3> <p>mTLS is the standard for <strong>zero-trust architectures</strong>, service meshes (Istio, Linkerd), and any microservice communication where you need hardware-level proof of identity. If you're running services in Kubernetes and want no implicit trust between pods, mTLS is the foundation. It is operationally complex (certificate rotation, PKI management) but offers the strongest guarantees.</p> <h2> Decision Matrix </h2> <p>Use this table to match your scenario to the right method:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Recommended Method</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td>Public API — third-party developers</td> <td>API Keys</td> <td>Simple to issue, rotate, and rate-limit per client</td> </tr> <tr> <td>User logs in, gets access to their data</td> <td>JWT + OAuth 2.0</td> <td>Stateless identity + delegated access</td> </tr> <tr> <td>"Sign in with Google/GitHub"</td> <td>OpenID Connect</td> <td>Federated identity; no password management</td> </tr> <tr> <td>Mobile / SPA accessing your API</td> <td>OAuth 2.0 (PKCE)</td> <td>PKCE protects public clients; never Client Credentials here</td> </tr> <tr> <td>Service A calls Service B internally</td> <td>OAuth 2.0 (Client Credentials) or mTLS</td> <td>No user involved; machine-to-machine trust</td> </tr> <tr> <td>Webhook endpoint receiving events</td> <td>HMAC signature verification</td> <td>Verify payload integrity and origin</td> </tr> <tr> <td>Zero-trust / service mesh</td> <td>mTLS</td> <td>Transport-layer mutual identity, before any app code</td> </tr> <tr> <td>Internal admin tool / script</td> <td>Basic Auth over HTTPS</td> <td>Simple, acceptable for low-risk internal use only</td> </tr> <tr> <td>High-integrity financial / audit API</td> <td>HMAC + JWT combined</td> <td>Identity (JWT) + tamper-evidence (HMAC)</td> </tr> </tbody> </table></div> <h2> Common Mistakes Across All Methods </h2> <p><strong>1. Mixing up 401 and 403</strong><br> Return <code>401 Unauthorized</code> when the request has no valid credentials. Return <code>403 Forbidden</code> when credentials are valid but the user lacks permission. Many APIs return 403 for everything — this breaks standard OAuth client libraries and confuses consumers.</p> <p><strong>2. Not validating token audience (<code>aud</code>)</strong><br> A JWT from your auth server for Service A should not be accepted by Service B. Always validate the <code>aud</code> claim. An attacker who obtains a valid token for one service shouldn't be able to reuse it elsewhere.</p> <p><strong>3. Logging sensitive headers</strong><br> It's shockingly common to log the full <code>Authorization</code> header in debug mode. One log aggregation misconfiguration and those tokens are in your SIEM or your cloud provider's log storage. Scrub auth headers before logging.</p> <p><strong>4. No token rotation</strong><br> Access tokens expire (they should). Refresh tokens don't have to, but they need to be rotatable. Implement <strong>refresh token rotation</strong> — when a refresh token is used, issue a new one and invalidate the old one. If you detect reuse of an already-rotated token, revoke the entire family.</p> <p><strong>5. Trusting client-provided claims</strong><br> Your API should verify tokens, not trust whatever claims a client sends in a custom header. Never do <code>user_id = request.headers.get("X-User-Id")</code> as your authorization check.</p> <h2> Conclusion </h2> <p>There's no single "best" authentication method — there's only the right method for the trust model, client type, and sensitivity level of your specific API. The biggest mistake isn't choosing the wrong method; it's treating auth as an afterthought and never revisiting the decision as your system evolves.</p> <p>To recap:</p> <ul> <li> <strong>API Keys</strong> for known clients and developer APIs.</li> <li> <strong>Basic Auth</strong> only for internal tooling over HTTPS.</li> <li> <strong>JWT</strong> for stateless, distributed systems.</li> <li> <strong>OAuth 2.0</strong> for delegated access and third-party integrations.</li> <li> <strong>OIDC</strong> whenever you need verified user identity.</li> <li> <strong>HMAC</strong> for webhooks and tamper-evident request signing.</li> <li> <strong>mTLS</strong> for zero-trust service-to-service communication.</li> </ul> <p>Start with the decision matrix. Then read the spec for whichever method you choose — the RFCs and official documentation are far shorter than you'd expect, and reading them directly will save you from the edge cases that bite teams in production.</p> backend security api