Auth book

This is my personal auth book. It is a collection of guides, recommendations, and examples for implementing auth in web applications based on my personal opinion. It is completely free with zero ads. I hope this is useful for anyone looking to learn more about auth, security, and the web in general.

As the name implies, this book focuses heavily on the authentication and login system for your application. For more general security topics, see the OWASP Cheat Sheet Series.

If you have any questions, feel free to ask them on the Discord server or on GitHub Discussions.

Please also consider supporting my work on GitHub Sponsors.

Written and maintained by Pilcrow. Source code available on GitHub.

Topics

• Authentication methods
• Sessions
• Auth sessions
• Email addresses
• Passwords
• Browser client-side storage
• Cross-site request forgery (CSRF)
• Argon2
• Bcrypt
• Email address verification codes
• Email code authentication
• Passkeys
• Web Authentication API (WebAuthn)
• WebAuthn authenticator data
• WebAuthn CBOR encoding
• WebAuthn client data
• Passkey registration
• Passkey authentication
• Elliptic Curve Digitial Signature Algorithm (ECDSA)
• RSA signature scheme
• Edwards Curve Digital Signature Algorithm (EdDSA)

Examples

Complete, fully open-source example websites written in Go based on the contents of the book.

• Basic auth example: Password example with email address verification and password reset (source code).
• Passwordless auth example: Passkey and email code sign-in example with email address verification (source code).