
---

# 🔐 OAuth2 — Password (Bearer) + JWT

> **Intent** → Authenticate users, issue short-lived **access tokens**, and protect routes using the **Bearer** scheme with **JWTs**.

---

## 🧭 Flow (High Level)

* **Login**: user submits credentials → verify
* **Issue**: create **JWT access token** (short TTL) ± **refresh token** (longer TTL)
* **Use**: client sends `Authorization: Bearer <access_token>` on each request
* **Protect**: server validates token → authorizes by **scopes/roles**
* **Refresh**: exchange refresh token for a new access token when expired

---

## 🧱 Token Contents (JWT Claims)

* **Subject** (`sub`): user id
* **Issued/Expiry** (`iat`, `exp`): clock-bound validity
* **Scopes/Roles**: permissions for RBAC
* **JTI**: token id for revocation/auditing (optional)

---

## 🔒 Token Lifetimes

* **Access**: short (e.g., 5–15 min) → limits blast radius
* **Refresh**: longer (e.g., days) → rotate on use; store securely

---

## 🛡️ Validation & Security

* **Signature**: verify with shared secret or asymmetric keys
* **Expiration**: reject expired tokens; consider clock skew
* **Revocation**: track JTI/refresh IDs (deny-list) for compromise
* **Scopes**: enforce least privilege per route
* **Transport**: always over **HTTPS**

---

## 🧪 Where to Enforce

* **Auth dependency**: parse + validate token → inject user context
* **Route guards**: check **required scopes/roles**
* **Global middleware** (optional): correlation IDs, rate limits

---

## 🧯 Error Handling

* **401 Unauthorized**: missing/invalid token
* **403 Forbidden**: valid token, insufficient scope/role
* Return clear error shapes (code, message, missing scopes)

---

## 🍪 Browser vs Native Clients

* **SPAs/Mobile**: store tokens in memory/secure storage; avoid localStorage if possible
* **Web apps**: prefer **HTTP-only, Secure** cookies for session-style flows; add **CSRF** for state-changing requests

---

## 🔭 Observability

* Log **auth failures** (without secrets)
* Emit **metrics**: failed vs successful auth, scope denials
* Trace auth dependency to measure overhead

---

## 🧩 When to Add MFA / Device Trust

* High-risk actions (payouts, key rotations)
* New device or unusual geolocation
* Elevate session with **step-up** auth

---

## 🏁 Outcome

A **predictable, secure** authentication layer with **short-lived access tokens**, **enforced scopes**, and a **safe refresh flow**, ready for production APIs.
