Security practices

Authly protects user data by default. Follow these practices to keep your own integration safe.

Keep your secret secret

Authly shows the API secret once. Store it in a secret manager or an environment variable. Never commit it. Never ship it to a browser. A single-page app cannot keep a secret, so it uses PKCE instead.

Always check state

Send a random state on every authorize call. Check it on the callback and reject a mismatch. This stops cross-site request forgery on the login flow.

Verify every token

Never trust a token because it arrived. Check the signature, the issuer, the audience, and the expiry. See Verify tokens for the steps. Reject anything that fails.
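The state check and the token checks above, as an added example that is not Authly's own code. It assumes an HS256-signed token and uses constructed issuer, audience and key values; substitute the values from your application settings.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumed values: Authly's real issuer, audience and signing key are per-application.
ISSUER = "https://authly.example"
AUDIENCE = "app_123"
SECRET = b"constructed-test-secret"   # assumption: HS256-signed tokens for this demo

def new_state(session: dict) -> str:
    """Generate a random state for one authorize call and remember it in the session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]

def check_state(session: dict, returned_state) -> bool:
    """Consume the stored state and compare it with the callback's, in constant time."""
    expected = session.pop("oauth_state", None)
    if expected is None or not isinstance(returned_state, str):
        return False
    return hmac.compare_digest(expected.encode(), returned_state.encode())

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(claims: dict) -> str:
    """Build a signed token (used here only to construct test input)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; the header must not choose it
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == AUDIENCE or (isinstance(aud, list) and AUDIENCE in aud)):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims
```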

Use short access tokens

Access tokens live about fifteen minutes on purpose. Do not extend them. Use the refresh token to get a new one. A short window limits the damage from a leak.

Handle refresh reuse

Authly rotates refresh tokens. Store only the newest one. If your refresh call fails with invalid_grant, treat the session as gone and send the user to sign in again. A repeated old token means someone copied it.

Set your CORS origins

Open your application settings. List the exact origins that call the Authly API from a browser. Authly rejects every other origin. Keep the list tight.

Enforce MFA where it matters

Turn on multifactor authentication for applications that hold sensitive data. Open your application settings and enable it. Authly then requires a second factor before it authorizes your application.

Watch your event log

Your developer dashboard shows an event log for each application. Authly emails you when it detects token reuse. Review failed logins and reuse events. They are the first sign of an attack.

Serve over https

Run your application over https in production. Authly requires https redirect URIs outside localhost. Tokens and cookies must never travel in the clear.