
Perfect web app authentication would be close to the end user, isolated from the rest of the system, implemented and maintained by security professionals, and easy to integrate. Fastly's powerful features allow you to do just that.

Fastly features

Moving authentication to the edge improves performance, and can simplify your application architecture.

We have many features to help securely authenticate users at the edge – from a variety of VCL functions, to the endless possibilities of Compute, where you can use dynamic backends to integrate with your favourite identity provider, and SubtleCrypto to generate and verify digital signatures.

Ideas and typical use cases

Here are some common ways our customers use Fastly for authentication:

  • Cookie management: Set, delete, and manipulate cookies at the edge.
  • Token management: Issue and decode tokens at the edge, like JSON Web Tokens (JWT).
  • Authentication flows: Implement complex end-to-end authentication flows at the edge, including OAuth 2.0.
  • User management: Manage users at the edge, including user registration, login, and logout.
  • User data: Store user data at the edge, including user profiles, preferences, and session data.
  • Passwordless login: Improve the user experience, and reduce the risk of a data breach.


The following demos, tutorials, starter kits, and code examples are relevant to this use case. Try them out!


Demos

Sites running on Fastly you can browse. See the principles working for an end user.

  • CAPTCHA at the edge: Present the user with a CAPTCHA challenge to verify that they are not a bot, generated, served and verified at the edge.
  • Check for compromised passwords: Perform low-latency checks for leaked passwords, using a highly compressed copy of the HaveIBeenPwned dataset, stored at the edge.
  • Passwordless authentication: Log in to sites and services without having to enter a password – a proof-of-concept Passkeys + WebAuthn implementation for Compute.
  • Private Access Tokens: Implementation of a Private Access Token issuer on Fastly Compute.


Tutorials

Step by step instructions. Build and learn.

  • Decoding JSON Web Tokens (VCL): The popular JSON Web Token format is a useful way to maintain authentication state and synchronize it between client and server. You are using JWTs as part of your authentication process and you want to decode and validate the tokens at the edge, so that content can be cached efficiently for all authentication states.
  • Decoding JWT (Compute): The popular JSON Web Token format is a useful way to maintain authentication state and synchronize it between client and server. You are using JWTs as part of your authentication process and you want to decode and validate the tokens at the edge, so that content can be cached efficiently for all authentication states.

Starter kits

Template Compute applications you can use to bootstrap your project.

  • Auth at edge with OAuth 2.0: Connect to an identity provider such as Google using OAuth 2.0 and validate authentication status at the Edge, to authorize access to your edge or origin hosted applications.
  • OAuth 2.0 implementation for JavaScript: Connect to an identity provider such as Google using OAuth 2.0 and validate authentication status at the Edge, to authorize access to your edge or origin hosted applications.

Code examples

Snippets of code ready to copy and paste.

  • Apply CAPTCHA to high risk requests: Intercept suspicious traffic and display a CAPTCHA challenge. If the user passes, allow the request to go to the origin server.
  • Authenticate JSON Web Tokens at the edge: Decode the popular JWT format to verify user session tokens before forwarding trusted authentication data to your origin.
  • CenturyLink-compatible token validation: Validate your CenturyLink tokens for access to video stream playlists.
  • Detect leaked passwords: Detect requests that contain submitted passwords and use a service to determine whether the password has leaked before allowing the request to proceed to origin (data from haveibeenpwned).
  • Enforce a paywall using an origin API: Use a custom Paywall header to trigger preflight requests to authenticate every article view with a backend paywall service.
  • Send HTTP Basic Auth in request to origin: Convert a password sent by the client in the query string into an Authorization header to your origin server.