Blog

Guides

Jun 10, 2026

How to manage API keys, tokens, and secrets for AI agents

A practical guide to encrypted storage, OAuth connection management, and session-scoped access for autonomous agents

Delegated access for AI agents: The intersection rule explained

How to scope what an AI agent can do on a user's behalf, and why the answer is never the user's full permission set.

The 2026 AI agent auth checklist: 9 things to audit before you ship

A practical security audit for backend engineers building or inheriting agentic systems, covering identity, token design, delegation, and the patterns that fail in production

Directory sync beyond SCIM: Why "we support SCIM" isn't enough

What you're actually signing up for when a customer's IdP doesn't speak SCIM.

How to handle JWT in .NET

Everything you need to know to implement and validate JWTs securely in .NET: from token creation and JWKS verification to ASP.NET Core middleware integration, with code examples and best practices throughout.

Memory and context poisoning: Don't let attackers rewrite your AI agent's memory

Prompt injection ends when the session closes. Memory poisoning persists across sessions, activates weeks later, and is nearly invisible to detect.

Clearing up (my own) OAuth misunderstandings

Why OAuth works the way it does: authorization codes, token expiry, and PKCE explained from first principles.

Migrating identity providers without a flag day: A zero-downtime playbook

A four-phase playbook for moving off Auth0, Cognito, Clerk, or Firebase without a 2 AM incident.

Jun 3, 2026

Tutorials

Jun 3, 2026

How to implement RBAC authorization in Python APIs with WorkOS

Set up roles and permissions, verify session JWTs, and protect your FastAPI routes with dependency injection.

Why AI agent audit logs are different from application logs

Your existing logging infrastructure is necessary but not sufficient. Here's what's missing and why it matters.

The security risks specific to MCP servers, and how to address them

MCP servers have a different attack surface than traditional APIs. Here are the five risks that matter most, grounded in OWASP's agentic AI guidelines, with concrete mitigations for each.

TanStack Start authorization and RBAC: A developer's guide for 2026

Your route guard does not protect your server functions. A complete guide to authorization in TanStack Start, from roles and permissions to enterprise RBAC and fine-grained access control.

The building blocks of an AI agent

Tools, MCP servers, skills, orchestrators, and why auth runs through all of them.

Key takeaways from Boris Cherny on building Claude Code

Key insights from Boris Cherny's Acquired Unplugged interview on building Claude Code, the death of traditional roles, and why the golden age of the generalist is here.