Authentication & Authorization implementation checklist

Verify that production API keys, client secrets, and database URIs are stored in environment variables and are not present in the codebase or version control.

Ensure that only production-specific callback URLs are configured in the auth provider dashboard (e.g., Clerk, Auth0, or Supabase) and that wildcards are disabled.

Confirm that all authentication endpoints and callback routes are served strictly over HTTPS and that the HSTS header is active.

Implement signature verification for incoming webhooks from auth providers to prevent spoofed user-creation or deletion events.

Confirm that the production environment uses a separate project/tenant in the auth provider dashboard from the staging or development environments.

Set session cookies with HttpOnly, Secure, and SameSite=Lax (or Strict) flags to mitigate XSS and CSRF risks.

Verify that the backend validates 'exp' (expiration), 'iss' (issuer), and 'aud' (audience) claims for every incoming JWT.

Enable refresh token rotation in the auth provider settings to invalidate old refresh tokens whenever a new access token is issued.

Configure access token TTL (Time-To-Live) to 1 hour or less to minimize the window of opportunity for intercepted tokens.

Ensure the logout function clears the client-side cookie and triggers a server-side revocation of the session or refresh token.

Verify that every database query for user data includes a 'tenant_id' filter derived from the authenticated session context, not from client-side parameters.

Implement server-side middleware that checks user roles (e.g., 'admin', 'editor') before executing business logic or returning sensitive data.

Manually test that a valid user from Tenant A cannot access resources belonging to Tenant B by modifying resource IDs in API requests.

Include user roles or permissions within the signed JWT payload to avoid frequent database lookups for every permission check.

Configure the authorization layer to deny access by default if no explicit matching role or permission is found for the requested route.

Confirm the use of a unique, non-guessable 'state' parameter in OAuth requests to prevent Cross-Site Request Forgery during the callback flow.

Audit requested OAuth scopes (e.g., 'email', 'profile') and remove any that are not strictly required for application functionality.

Verify that the system securely handles cases where a user signs in with different providers (e.g., Google and GitHub) using the same email address.

Implement error boundaries for 'access_denied' or user-cancelled OAuth flows to prevent application crashes or infinite redirect loops.

Ensure social login buttons meet the brand guidelines of the providers (e.g., Apple, Google) to prevent rejection during app store reviews.

Apply strict rate limits to /login, /signup, and /forgot-password endpoints based on both IP address and user identifier.

Audit application logs to ensure passwords, tokens, and PII (Personally Identifiable Information) are masked or excluded from log outputs.

Require Multi-Factor Authentication for any user account with administrative or billing-related permissions.

Implement a tamper-evident audit log that records login timestamps, IP addresses, and any changes to user permissions.

Verify that AI/LLM endpoints are protected by per-user rate limits and usage quotas to prevent billing exhaustion from compromised accounts.