Auth microservice
Drop-in JWT+refresh rotation auth: <150ms login, 0 breaches, 8 services, SOC 2 ready.

Project Overview
Express API with JWT + refresh rotation + rate limiting.
Technology Stack
Key Features
- JWT generation
- Refresh rotation
- Rate limiting
- MFA support
Design Patterns & Architecture
- Token-based auth
- Rotation strategy
- Rate limit middleware
Performance
Minimal auth latency
<150ms login
<80ms refresh
Technical Challenges
- Security vs usability
- Token expiration
- Attack prevention
Key Lessons & Insights
- Security fundamentals matter
- Rotation prevents attacks
- Rate limiting essential
The Problem
Pain Point
Teams rebuilt auth repeatedly with bugs: localStorage tokens (XSS), no refresh (re-login), no rate limiting (brute force). Lost 2-3 weeks per team, repeated mistakes.
Industry Context
Auth 'solved' (OAuth 2.0, JWT exist) but gaps common. Teams want: drop-in, no Auth0/Okta (privacy+cost), internal+user-facing.
User Impact
Teams deployed in 2 days (vs 2 weeks build+debug). Zero auth breaches in prod.
Constraints
- <200ms login
- 10k concurrent
- JWT-based
- Rate limiting
- Refresh rotation
- MFA optional
Our Approach
Solution
Express API: POST /login validates (bcrypt). Issues JWT (15min) + refresh token (7 days, Redis). Client: JWT in memory, refresh in httpOnly cookie. Refresh endpoint rotates tokens.
Key Decisions
- JWT memory + httpOnly: safer than localStorage (XSS risk)
- Refresh rotation: invalidates old token
- Redis: <1ms lookup, TTL auto-expire
- Rate limiting: 5 attempts/15min per IP
Trade-offs
- Stateless JWT: can't revoke immediately (short TTL mitigates)
- HTTPOnly: not accessible to JS (security trade-off)
- Rotation breaks offline (30-day window mitigates)
- IP-based rate limiting (hybrid IP+username planned v2)
Why Built This Way
Auth security-critical. JWT memory = no leak. HTTPOnly = no theft. Rotation = leaks time-limited. Rate limit = brute force impractical. Simplicity = fewer bugs.
Results & Impact
Measurable Outcomes
Product Thinking
Reusable auth = velocity. No bugs = confidence. MFA = compliance orgs adopt.
Value Proposition
5min: 'drop-in auth, secure default, JWT, no lock-in.' Docs: threat models, attacks, mitigations.
Public Metrics
- 8 services adopted
- 50k logins/day peak
- 99.99% uptime, 0 breaches 9mo
- 147 commits
Case Study
Dashboard team: custom auth 2 weeks, bug: localStorage tokens. Old sessions accessible (XSS). Security forced rebuild. Adopted service: 2 days. Zero bugs (9mo).
Architecture Explained
POST {email, password} → bcrypt vs hash → match → JWT (15min TTL) + refresh token → Redis TTL 7 days. Client: JWT in memory, refresh in httpOnly cookie. Expiry → send refresh → validate → new JWT + new refresh (old invalid). Rate limit: track IP in Redis; block if >5 in 15min.
Purpose & Vision
Prove secure auth can be simple and reusable.
Clarity & Proof
8 services, 50k logins, 99.99% uptime, 0 breaches 9mo. Clarity: 'JWT+rotation+rate limiting+MFA; <200ms; drop-in; battle-tested.' Open-source, threat models.
Future Improvements
- Social login (OAuth 2.0)
- Passwordless (magic links)
- Advanced MFA (TOTP, SMS)
- Cross-region sync (Redis Cluster)
Interested in working together?
Let's create something amazing. Get in touch to discuss your next project.
Go back to all projectsGo to all blog postsContact