auth architecture checklist: what a production system needs
Production Auth Architecture Checklist
A production auth system is more than working code. Here is the complete checklist.
Secrets management: JWT secrets ≥ 256 bits, stored in a secrets manager (AWS Secrets Manager, Vault, Railway secrets). Separate secrets for access and refresh tokens. Document your secret rotation procedure before you need it.
Token strategy: Access tokens: 15 minutes. Refresh tokens: 7 to 30 days, with rotation (a new refresh token is issued each time one is used). Keep a blocklist of critically revoked tokens in Redis so they can be rejected before they expire. Never log full tokens.
Transport security: HTTPS everywhere. HSTS enabled with a one-year maxAge. helmet.js on all routes. Secure + HttpOnly + SameSite on all auth cookies.
Brute force protection: Rate limit login (10 attempts / 15 min per IP). Per-account lockout after 5 failures. Uniform error messages (no username enumeration). Captcha on repeated failures.
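The brute force item above as an added example in dependency-free Node.js (not the checklist author's code): the per-IP limit, the per-account lockout and one uniform failure message. The lockout duration, the captcha threshold, the injected `verifyPassword` and the in-memory Maps standing in for Redis are assumptions.

```javascript
// Added example (not code from the checklist's author): the "Brute force
// protection" item as dependency-free Node.js. Counters live in Maps here;
// in production they belong in Redis so every app instance shares them.
const WINDOW_MS = 15 * 60 * 1000;  // per-IP window: 10 attempts / 15 min (from the checklist)
const IP_LIMIT = 10;
const ACCOUNT_LIMIT = 5;           // per-account lockout after 5 failures (from the checklist)
const LOCKOUT_MS = 15 * 60 * 1000; // lockout duration: an assumption, the checklist gives none
const CAPTCHA_AFTER = 3;           // failures before a captcha is demanded: an assumption

const ipAttempts = new Map();   // ip -> timestamps of attempts inside the window
const accountState = new Map(); // username -> { failures, lockedUntil }

// One message for every failure path, so a response never reveals whether the
// username exists, whether the account is locked, or which check tripped.
const GENERIC_FAILURE = Object.freeze({ ok: false, message: 'Invalid credentials' });

function recordIpAttempt(ip, now) {
  const recent = (ipAttempts.get(ip) || []).filter(t => now - t < WINDOW_MS);
  recent.push(now);
  ipAttempts.set(ip, recent);
  return recent.length;
}

// verifyPassword(username) -> boolean is injected; it stands in for the real
// credential check (a hash comparison in production). `now` is injectable for tests.
function attemptLogin({ ip, username, now = Date.now() }, verifyPassword) {
  // 1. Per-IP limit, counted before the password check so guesses spread
  //    across many usernames are capped too (the handler should answer 429).
  if (recordIpAttempt(ip, now) > IP_LIMIT) return { ...GENERIC_FAILURE, rateLimited: true };

  const acct = accountState.get(username) || { failures: 0, lockedUntil: 0 };
  // 2. Per-account lockout. The password is not checked while locked, so a
  //    correct guess inside the lockout window learns nothing.
  if (acct.lockedUntil > now) return GENERIC_FAILURE;

  if (verifyPassword(username)) {
    accountState.delete(username); // success clears the failure counter
    return { ok: true };
  }

  // 3. Count the failure; lock at the threshold; demand a captcha on repeats.
  acct.failures += 1;
  const captchaRequired = acct.failures >= CAPTCHA_AFTER;
  if (acct.failures >= ACCOUNT_LIMIT) { acct.failures = 0; acct.lockedUntil = now + LOCKOUT_MS; }
  accountState.set(username, acct);
  return captchaRequired ? { ...GENERIC_FAILURE, captchaRequired: true } : GENERIC_FAILURE;
}
```

Note that a per-account lockout lets anyone who knows a username lock that account, which is why the per-IP limit and the captcha step sit in front of it rather than replacing it.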
Input handling: Allowlist the fields accepted on write operations and drop everything else. Never trust client-supplied roles or IDs for authorization decisions. Validate email format before the database lookup. Sanitize values before logging them.
Session hygiene: Regenerate the session ID on login. Destroy the server-side session and clear the cookie on logout. Set a session TTL. Use a Redis-backed session store in production.
Testing: Automated tests for each auth path (success, expired token, wrong role, missing token). Manual walkthrough of OWASP Auth Testing Guide before launch. Dependency audit (npm audit) in CI pipeline.
