Mark Mwangi logoMark
Mwangi
Return to home
Get in
touch
Admin
login
Projects/Auth microservice

Auth microservice

Drop-in JWT+refresh rotation auth: <150ms login, 0 breaches, 8 services, SOC 2 ready.

Category:BackendDate:December, 2024Author:Mark Mwangi
Open live demo
Auth microservice project screenshot

Project Overview

Express API with JWT + refresh rotation + rate limiting.

Technology Stack

Node.js
Express
JWT
bcrypt
PostgreSQL
Redis

Key Features

  • JWT generation
  • Refresh rotation
  • Rate limiting
  • MFA support

Design Patterns & Architecture

  • Token-based auth
  • Rotation strategy
  • Rate limit middleware

Performance

Minimal auth latency

<150ms login

<80ms refresh

Technical Challenges

  • Security vs usability
  • Token expiration
  • Attack prevention

Key Lessons & Insights

  • Security fundamentals matter
  • Rotation prevents attacks
  • Rate limiting essential

The Problem

Pain Point

Teams rebuilt auth repeatedly with bugs: localStorage tokens (XSS), no refresh (re-login), no rate limiting (brute force). Lost 2-3 weeks per team, repeated mistakes.

Industry Context

Auth 'solved' (OAuth 2.0, JWT exist) but gaps common. Teams want: drop-in, no Auth0/Okta (privacy+cost), internal+user-facing.

User Impact

Teams deployed in 2 days (vs 2 weeks build+debug). Zero auth breaches in prod.

Constraints

  • <200ms login
  • 10k concurrent
  • JWT-based
  • Rate limiting
  • Refresh rotation
  • MFA optional

Our Approach

Solution

Express API: POST /login validates (bcrypt). Issues JWT (15min) + refresh token (7 days, Redis). Client: JWT in memory, refresh in httpOnly cookie. Refresh endpoint rotates tokens.

Key Decisions

  • JWT memory + httpOnly: safer than localStorage (XSS risk)
  • Refresh rotation: invalidates old token
  • Redis: <1ms lookup, TTL auto-expire
  • Rate limiting: 5 attempts/15min per IP

Trade-offs

  • Stateless JWT: can't revoke immediately (short TTL mitigates)
  • HTTPOnly: not accessible to JS (security trade-off)
  • Rotation breaks offline (30-day window mitigates)
  • IP-based rate limiting (hybrid IP+username planned v2)

Why Built This Way

Auth security-critical. JWT memory = no leak. HTTPOnly = no theft. Rotation = leaks time-limited. Rate limit = brute force impractical. Simplicity = fewer bugs.

Results & Impact

Measurable Outcomes

speed:<150ms login (99th %), <80ms refresh
users:8 services, 50k daily logins peak
timeSaved:6 weeks dev time saved
uptime:99.99%
revenue:0 auth breaches prod

Product Thinking

Reusable auth = velocity. No bugs = confidence. MFA = compliance orgs adopt.

Value Proposition

5min: 'drop-in auth, secure default, JWT, no lock-in.' Docs: threat models, attacks, mitigations.

Public Metrics

  • 8 services adopted
  • 50k logins/day peak
  • 99.99% uptime, 0 breaches 9mo
  • 147 commits

Case Study

Dashboard team: custom auth 2 weeks, bug: localStorage tokens. Old sessions accessible (XSS). Security forced rebuild. Adopted service: 2 days. Zero bugs (9mo).

Architecture Explained

POST {email, password} → bcrypt vs hash → match → JWT (15min TTL) + refresh token → Redis TTL 7 days. Client: JWT in memory, refresh in httpOnly cookie. Expiry → send refresh → validate → new JWT + new refresh (old invalid). Rate limit: track IP in Redis; block if >5 in 15min.

Purpose & Vision

Prove secure auth can be simple and reusable.

Clarity & Proof

8 services, 50k logins, 99.99% uptime, 0 breaches 9mo. Clarity: 'JWT+rotation+rate limiting+MFA; <200ms; drop-in; battle-tested.' Open-source, threat models.

Future Improvements

  • Social login (OAuth 2.0)
  • Passwordless (magic links)
  • Advanced MFA (TOTP, SMS)
  • Cross-region sync (Redis Cluster)

View More Projects

  • Dev Vault
  • E-commerce Backend
  • Business messaging
  • Analytics dashboard
  • chat service

Interested in working together?

Let's create something amazing. Get in touch to discuss your next project.

Go back to all projectsGo to all blog postsContact

About

Mark Mwangi

Creating secure and meaningful digital experiences.

Software developer focused on secure, responsive, and high-quality digital experiences.

Socials

GitHubLinkedInXE-mailinstagramfacebookwhatsappMedium

© 2026 Mark Mwangi | All rights reserved

Terms of Service•Privacy Policy

Last updated: April 30, 2026 16:23:51 UTC