Hacker News

socketcluster, yesterday at 5:12 AM (1 reply)

This is a nice set of tools. Very useful.

I hope they will also develop a self-hosted standalone service/node which hosts accounts and can support JWTs which I could verify on my own servers so the BetterAuth node would issue JWTs signed with a secret key I provided as an ENV var, then I could verify the JWTs on my own servers. This would be a neat decoupling. Could be offered as a SaaS service as well.

I'm also keeping tabs on https://github.com/stack-auth/stack-auth


Replies

mooreds, yesterday at 4:03 PM

I'm in the auth space.

It's usually best to verify JWTs using an asymmetric keypair, that way the BetterAuth node can sign the JWT, and your servers can use something like JWKS to get the public key.

Lessens where the secret key needs to be.

The exception is if:

* you control all the nodes and are confident in the security of all of them now and going forward AND
* speed is critical (using HMAC to sign JWTs is faster) AND
* you've benchmarked and signing speed is a significant portion of response time
