Solutions Engineer at Okta. I write about identity, access management, and security. This site archives my published articles, talks, and presentations.
Auth0 gives you a lot of knobs to turn when it comes to sessions and tokens — enough that the choices start to blur together. This post maps out every option, what it does, when you'd reach for it, and how they work together for different application types.
Every Vendor Security and Customer Requirement Questionnaire asks the same questions — the SIG words them one way, CAIQ another, HECVAT a third. The standard approach is to re-derive answers from scratch each time. The better approach is to treat this as a retrieval problem: build a canonical corpus of approved answers once, and match new questions to it.
The original analytics implementation stored one tiny file in Vercel Blob for every page view. Vercel Blob charges per operation, not per byte, so this burned through the free tier faster than expected. In this post I will detail the migration to Firestore daily summary documents — one write per page view, one read per day of stats — and the Firestore gotcha that wasted an afternoon.
Most analytics tools require a JavaScript snippet in every page — which means your readers' browsers are doing the tracking work, and adding a dependency you cannot fully control. In this post I will detail how I added page view tracking to this blog using Next.js 16's proxy layer and Vercel Blob, with no client-side JavaScript and no third-party analytics service.
Identity systems are very good at answering one question: who are you? What they are less good at is the follow-up: and who are you acting for? In this post I will look at why separating the authenticated user from the account or person they are acting within is important, what it enables across a range of industries, and how Auth0 and Auth0 FGA address the two complementary sides of the problem.