This guide covers the most common authentication strategies used in modern web applications: password login, signed tokens (JWT), delegated login through OAuth 2.0 providers, and multi-factor authentication.

Password-based login: the traditional form-based login. The client posts the email and password over HTTPS; the server never stores the password itself, only a salted hash produced by a slow, memory-hard function (bcrypt, scrypt or Argon2), and compares a fresh hash of the submitted password against it.
```javascript
// Submit the credentials; the server compares them against the stored hash
// and, on success, returns a session token.
async function login(email, password) {
  const res = await fetch('/api/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, password })
  });
  const data = await res.json();
  if (!res.ok) throw new Error(data.message || `login failed (${res.status})`);
  // Caveat: localStorage is readable by any script running on the origin, so
  // a single XSS bug leaks the token. An HttpOnly, Secure, SameSite cookie set
  // by the server is the safer default for a session credential.
  localStorage.setItem('token', data.token);
}
```
Stateless authentication using signed tokens (JSON Web Tokens, JWT). A JWT is three base64url-encoded segments joined by dots: a header, a payload of claims, and a signature computed over the first two segments. The server keeps no session; it verifies the signature and the `exp` claim on every request. The decoded header and payload of an HS256 token look like this (the third segment, the HMAC-SHA256 signature over `base64url(header).base64url(payload)`, is not shown):

```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
.
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}
```

Two caveats. The claims are only encoded, not encrypted, so nothing secret belongs in the payload. And `alg` is attacker-controlled input: the verifier must fix the expected algorithm in code rather than trust the header, otherwise `"alg": "none"` or a key-confusion swap defeats the signature check.
Delegated authentication with third-party providers (OAuth 2.0, with OpenID Connect layering an ID token on top for login). The application redirects the user to the provider, which authenticates them and hands back an authorization code or token. Which grant type to use depends on the kind of client:

| Grant Type | Use Case |
|---|---|
| Authorization Code | Web server apps; with PKCE also single-page and native apps |
| Implicit | Single-page apps (legacy; deprecated, the token travels in the redirect URL) |
| Client Credentials | Machine-to-machine, no user involved |
| Resource Owner Password | Trusted first-party apps only (deprecated by the OAuth 2.0 Security BCP) |
Multi-factor authentication: add an extra verification step after the password, such as a one-time code (OTP) or a push notification to an enrolled device. The token issued after the first factor should be short-lived and limited to the MFA step; the server upgrades it to a full session only once the second factor succeeds, and rate-limits code attempts since a six-digit code is small enough to guess.

```javascript
// Send the second-factor code, authenticated with the token from the first step.
// Returns the raw Response; callers check res.ok and then swap the limited
// token for the full session token the server returns.
function verifyMFA(token, code) {
  return fetch('/api/mfa/verify', {
    method: 'POST',
    headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ code })
  });
}
```