
Tptacek shits on them every time it comes up. Unfortunately I can never quite comprehend what he says to do instead.



He suggests KISS: you can probably get away with plain old server-side auth, and if you really need client-side tokens, use something simple that just encrypts and signs them: https://news.ycombinator.com/item?id=13612941#13615634


> Something simple that just encrypts and signs them

Like JWT?

I feel like that argument goes around in circles.



> I feel like that argument goes around in circles.

I feel that the problem is that some users are talking about stuff they know nothing about, but still feel compelled to be very vocal and opinionated.



