a:["$","main",null,{"className":"min-h-screen px-6 pb-20 pt-28 text-foreground","children":["$","section",null,{"className":"mx-auto flex max-w-6xl flex-col gap-10","children":[["$","div",null,{"className":"flex items-center justify-between","children":["$","$L13",null,{"href":"/blog","className":"inline-flex items-center gap-2 rounded-full bg-card/20 px-4 py-2 text-sm font-semibold text-foreground shadow-sm transition hover:bg-card/30","children":[["$","span",null,{"aria-hidden":"true","children":"←"}],["$","span",null,{"children":"Back to blog"}]]}]}],["$","div",null,{"className":"rounded-3xl border border-white/10 bg-white/10 p-10 shadow-[0_18px_42px_rgba(0,0,0,0.25)] backdrop-blur-xl dark:border-white/10 dark:bg-slate-950/30","children":[["$","header",null,{"className":"space-y-4","children":[["$","h1",null,{"className":"text-4xl font-extrabold sm:text-5xl","children":"Building secure APIs with OAuth2"}],["$","div",null,{"className":"flex flex-wrap items-center gap-3","children":[["$","p",null,{"className":"text-sm font-semibold text-foreground/60","children":"March 2026"}],["$","div",null,{"className":"flex flex-wrap gap-2","children":[["$","span","Security",{"className":"rounded-full bg-card/20 px-3 py-1 text-[11px] font-semibold text-foreground/70","children":"Security"}],["$","span","Web",{"className":"rounded-full bg-card/20 px-3 py-1 text-[11px] font-semibold text-foreground/70","children":"Web"}]]}]]}]]}],["$","article",null,{"className":"prose max-w-4xl text-foreground/70 dark:prose-invert","dangerouslySetInnerHTML":{"__html":"

OAuth2 for modern APIs

OAuth2 is the industry standard for delegated authorization. In this post, we cover the most common grant flows, best practices for token storage, and how to protect APIs from common attacks such as token replay and CSRF.

Key takeaways

Use the authorization code flow with PKCE for public clients.
Store refresh tokens securely and rotate them frequently.
Validate access tokens on every request and implement scopes.

\n"}}]]}]]}]}]