Why Production Auth Is Different
The tutorial ends, production begins
The previous courses built authentication (passwords, sessions, JWTs, OAuth, 2FA, passkeys), authorization (roles, permissions, multi-tenancy), and security hardening (rate limiting, CSRF, token rotation). Login works. Protected routes are protected.
But production apps need more. Users expect to verify their email, see where they are logged in, re-authenticate before dangerous actions, and delete their account. Enterprise customers expect SAML/SSO. Regulators expect data deletion.
These features are not technically difficult — they follow the same patterns you already know (tokens, hashing, database queries, session management). The challenge is knowing what to build, in what order, and what edge cases to handle.
What we build
Email verification (Section 2): Confirm the user owns the email they signed up with. Prevent fake signups, catch typos, and block abuse. Same token pattern as password reset, triggered at signup.
Session management (Section 3): Track active sessions across devices. Show the user where they are logged in (device, IP, last active). Let them revoke individual sessions or sign out everywhere.
Step-up authentication (Section 4): Require re-authentication before sensitive actions — even when the user is already logged in. Changing your email, disabling 2FA, or deleting your account should require proving your identity again, not just having an active session.
Account deletion (Section 5): Let users delete their account and data. Soft delete with a grace period, hard delete with data cleanup, cascading through all related tables. Handle GDPR “right to be forgotten” requirements.
SAML/SSO (Section 6): Enterprise customers expect single sign-on. Their employees log in through their company’s identity provider (Okta, Azure AD, Google Workspace). Your app is the service provider. Build the integration.
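The following is an added example, not code from the course, showing two of the pieces listed above in one place: the email-verification token pattern from Section 2 (random token, only its hash stored, expiring, single use, superseded when a new one is issued) and the step-up check from Section 4 (a sensitive action is allowed only if the session's last authentication is recent). The in-memory dictionaries stand in for database tables, and the table names, the 24-hour link lifetime, the 5-minute freshness window and the function names are all assumptions made for the illustration.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical policy values, not taken from the course text.
VERIFY_TTL = timedelta(hours=24)        # how long a verification link stays valid
STEP_UP_WINDOW = timedelta(minutes=5)   # how recent a re-authentication must be

# Constructed in-memory stand-ins for the users, verification_tokens and sessions tables.
users = {}          # user_id -> {"email": str, "email_verified_at": datetime | None}
verify_tokens = {}  # sha256(token) -> {"user_id": str, "expires_at": datetime, "used": bool}
sessions = {}       # session_id -> {"user_id": str, "last_authenticated_at": datetime}

# Constructed reference instant so the walkthrough is reproducible.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at(**delta) -> datetime:
    """T0 shifted by timedelta(**delta); lets callers pick a deterministic 'now'."""
    return T0 + timedelta(**delta)


def _now(now):
    return now if now is not None else datetime.now(timezone.utc)


def _token_hash(token: str) -> str:
    # Only the hash is persisted: a leaked table does not yield usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def signup(user_id: str, email: str, now=None) -> str:
    """Create an unverified user; return the raw token that goes into the email link."""
    users[user_id] = {"email": email, "email_verified_at": None}
    return issue_verification_token(user_id, now)


def issue_verification_token(user_id: str, now=None) -> str:
    now = _now(now)
    # Supersede any outstanding token for this user: one live link at a time.
    for row in verify_tokens.values():
        if row["user_id"] == user_id and not row["used"]:
            row["used"] = True
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    verify_tokens[_token_hash(token)] = {
        "user_id": user_id,
        "expires_at": now + VERIFY_TTL,
        "used": False,
    }
    return token


def verify_email(token: str, now=None) -> bool:
    """Consume the token; unknown, used and expired tokens all fail the same way."""
    now = _now(now)
    row = verify_tokens.get(_token_hash(token))
    if row is None or row["used"] or now >= row["expires_at"]:
        return False
    row["used"] = True                  # single use
    users[row["user_id"]]["email_verified_at"] = now
    return True


def is_verified(user_id: str) -> bool:
    return users[user_id]["email_verified_at"] is not None


def login(session_id: str, user_id: str, now=None) -> None:
    """Record a session; a fresh login counts as an authentication event."""
    sessions[session_id] = {"user_id": user_id, "last_authenticated_at": _now(now)}


def record_reauth(session_id: str, now=None) -> None:
    """Called after the user re-proves identity (password, passkey or 2FA) mid-session."""
    sessions[session_id]["last_authenticated_at"] = _now(now)


def requires_step_up(session_id: str, now=None) -> bool:
    """True when a sensitive action must first send the user through re-authentication."""
    last = sessions[session_id]["last_authenticated_at"]
    return _now(now) - last > STEP_UP_WINDOW


if __name__ == "__main__":
    link_token = signup("u1", "alice@example.com", now=at())
    print("verified on click:", verify_email(link_token, now=at(hours=1)))
    print("second click:", verify_email(link_token, now=at(hours=1)))
    login("s1", "u1", now=at())
    print("step-up after 10 min:", requires_step_up("s1", now=at(minutes=10)))
```

Note that `verify_email` gives the same `False` for a token that never existed, one that was already used and one that has expired, so a caller cannot distinguish those cases from the response, and that the step-up decision is made from the session record rather than from anything the client sends.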
The lifecycle
These features map to the user’s lifecycle:
Signup → Verify email → Use the app → Manage sessions → Step-up for sensitive actions → Delete account
↑
Enterprise SSO (alternative entry point)

Each section adds a piece of this lifecycle.
Why is email verification needed even though the login flow already works?