Loading video...

Video Failed to Load

Go Home

JWT in 60 Seconds 👇 What is JWT ? JWT = JSON Web Token A compact, URL-safe token used for: - Authentication - Authorization - Secure API communication - Identity sharing between services It is digitally signed, so it can be verified and trusted. 🟢 Why JWT exists Typical...

27,790 views • 4 months ago •via X (Twitter)

0 Comments

No comments available

Comments from the original post will appear here

Related Videos

We’re excited to introduce AgentAuth—the comprehensive auth solution designed for AI agents! We understand the pain every developer experiences regarding authentication—managing OAuth flows for Gmail, handling API keys for Linear, or setting up permissions across multiple services. It's complex enough with traditional apps. However, AI agents add an extra layer of complexity. Traditional auth solutions were not designed with this agent-specific requirement in mind. Think about it—say you're building an agent to pull data from Salesforce, send updates through Slack, and log issues in GitHub. Each service requires different authentication—OAuth2, API keys, you name it—and your agent needs to work seamlessly on your users' behalf. Building and managing all that is a massive headache, right? That’s precisely where AgentAuth by comes in. • It supports 250+ apps across categories such as CRMs, ticketing, productivity, etc. • Compatible with 15+ Agentic Frameworks, including , LlamaIndex 🦙, CrewAI etc • Offers self-hosting and white-labeling options. • Provides a unified dashboard to monitor user accounts. It takes care of all the complex authentication flows—OAuth, API Key, Basic, JWT, token refresh, and more—in the backend, so you can focus on building what truly matters for your users. This is ideal for AI developers building real-world AI automation involving multiple application interactions. Check out AgentAuth now -

Karan Vaidya

110,979 views • 1 year ago

ZKForge V1 is now live and the source code is public on GitHub: Visit: Users can sign up, log in, and chat privately using zero-knowledge authentication (ZK-STARK) with full end-to-end encryption and non-custodial wallet integration. No passwords, no stored private keys, all encryption and identity verification happen locally on the user’s device. Core Features • Zero-Knowledge Authentication (ZKAuth) Users sign up and log in using a locally generated Ed25519 keypair. Authentication uses zero-knowledge proofs (ZK-STARK-compatible), proving identity ownership without revealing the secret key. The backend never sees or stores private keys , only the derived public key and Solana address. • End-to-End Chat Encryption Every conversation is encrypted with per-room symmetric keys (nacl.secretbox AES-grade security). Keys are sealed and exchanged using ephemeral Curve25519 boxes derived from each user’s Ed25519 keypair. Messages are signed for sender authenticity. The server cannot decrypt messages; all encryption happens client-side. • Global Lounge (Public Encrypted Room) Encrypted public discussion room using a temporary shared key. Messages self-destruct after a defined time window. Rate-limit and anti-spam protections are enforced through Supabase RLS policies. • Wallet Integration (Non-Custodial) Each user derives a Solana wallet from their zero-knowledge secret. Private keys are generated and stored locally, never sent to the backend. Supports in-app USDC transactions signed locally. • WebSocket-Based Real-Time Updates Secure WebSocket channel for live message delivery, typing indicators, and presence tracking. Each message includes cryptographic nonce, ciphertext, and signature validation before render. Architecture Overview Frontend (React + Tailwind): Encryption, proof generation, local key storage, message rendering. Backend (Express + Supabase): Stateless API for sessions, rate limits, and metadata. Crypto Layer (tweetnacl, ed2curve, bs58): Signing, sealing, encryption primitives. Database (Supabase PostgreSQL): Stores ciphertext and public keys only. Realtime (WebSocket): Delivers encrypted payloads instantly. Key Design Principles Zero Storage of Private Keys All signing keys exist only in the user’s local storage. Provable Authentication Login requests include cryptographic proofs verified without revealing secrets. Encrypted-At-Rest and In-Transit All messages are encrypted before leaving the device. Verifiable Sender Identity Each message includes a detached Ed25519 signature verifying authorship. Tech Stack Frontend: React, TailwindCSS, TypeScript, Vite Backend: Node.js (Express), Supabase, MongoDB Cryptography: TweetNaCl, ed2curve, bs58, genSTARK Blockchain: Solana Web3.js Realtime: WebSockets Security: Row-Level Security, JWT Sessions, Proof Verification What’s next x402 protocol implementation

ZKForge

24,207 views • 7 months ago

This is a standard practice for almost all Tier-1 banking applications in Nigeria, and for some fintech applications I’ve previously performed pentests on. Client-side encryption isn’t a total waste, or a waste of compute, as some people have claimed, but rather a measure to protect against API tampering or API request/response manipulation between the client and the server when implemented properly. Even with HTTPS, attackers can capture a decrypted version of web or mobile API data in transit because the browser and the server establish a level of trust during the TLS handshake. Attackers can leverage this trust to capture & proxy already-decrypted traffic, tamper with it, and then forward it to the server. This allows them to override what the user interface or client is originally supposed to send and replace it with data of their choosing. That is why validation needs to be performed on both the client and the server side. To wrap up, encrypting API requests and responses makes it significantly harder for attackers to tamper with data, even if they capture the traffic, unless they have access to the encryption details (algorithm, encryption mode, key size, secret key, and initialization vector), assuming asymmetric encryption is used. In the demo below, you can see how I discovered additional parameters (balance, is_admin) in the API response, captured the registration API request, despite it being sent over HTTPS from the interface, added the discovered parameters, and successfully inflated my balance to 50 billion and also escalated my privileges to admin, and ultimately deleted the accounts of two live users/customers. In the second slide, I captured an API traffic of a bank app, and you can see how difficult the payloads are to read.

Ghost St Badmus

217,051 views • 6 months ago