UniAuth Blog

Engineering, security, and product updates

Deep dives into how we build a security-first identity provider. Post-quantum crypto, privacy engineering, and hard-won lessons from production.

Latest posts

Product · 6 min

Why We Made 2FA Mandatory for Social Sign-In

Social OAuth providers verify email ownership, but they cannot tell us about device compromise or credential stuffing upstream. Starting this month, every social-linked account is prompted for a second factor within 24 hours of first login. Here is the data that drove the decision.

UniAuth Engineering · March 12, 2026

Security · 10 min

How Pairwise Privacy Protects Your Users

UniAuth never exposes real user IDs to OAuth clients. Instead, each app receives a deterministic, app-specific HMAC identifier that prevents cross-service correlation. We walk through the cryptographic construction, the privacy guarantees, and why even we cannot reverse the mapping without the HMAC key.

UniAuth Engineering · February 20, 2026

Engineering · 12 min

Building a DNS-Rebinding-Safe HTTP Client

Webhook delivery and SCIM provisioning both require outbound HTTP requests to user-supplied URLs. We built an SSRF-resistant HTTP client that validates resolved IPs after DNS lookup but before connection. This post covers the pitfalls of naive URL parsing and the dual-stack IPv4/IPv6 edge cases we caught.

UniAuth Engineering · February 5, 2026

Engineering · 9 min

SCIM 2.0 Multi-Tenant Isolation: Design Decisions

When multiple organizations share a UniAuth deployment, their SCIM group memberships must be strictly isolated. We discuss the schema design that gives each tenant its own namespace, the bearer-token-per-client auth model, and how bulk operations respect tenant boundaries without sacrificing throughput.

UniAuth Engineering · January 18, 2026

Guides · 7 min

From 0 to 8,900 Tests: Our Testing Philosophy

An identity provider cannot afford flaky tests or blind spots. We share the mock-db pattern that lets us run thousands of tests in seconds, the boundary between unit and integration tests for API routes, and why every security fix starts with a failing test before the patch lands.

UniAuth Engineering · January 3, 2026
