Background
Tobias had been building developer security tooling for four years. His background meant he approached any auth implementation with skepticism. He'd seen too many 'batteries included' boilerplates with JWTs signed with weak secrets, session invalidation that didn't work correctly, or protected routes that could be bypassed with header manipulation. When evaluating ShipAI, he spent a full day auditing the auth layer before deciding whether to build on it.
The challenge
The auth requirements for VaultPass were strict: JWT session management that correctly invalidated tokens on logout and account changes, OAuth that properly validated state parameters and redirect URIs, magic link tokens with short TTLs and single-use enforcement, protected routes that couldn't be bypassed by removing or modifying session tokens, and team invitation flows that didn't leak account information to unverified users.
How they built it
One-day auth audit before committing
Tobias read the entire Better Auth integration, traced the session lifecycle from login to logout to invalidation, tested OAuth state parameter handling manually, and checked magic link token generation and expiry. He noted two configuration defaults he'd strengthen for his use case (JWT expiry window and cookie security flags) and confirmed there were no structural issues. The audit took one day and his conclusion was that the foundation was solid.
JWT and session hardening
Tobias tightened the JWT expiry to 1 hour for VaultPass and enabled cookie `SameSite=Strict` and `Secure` flags in production. The Better Auth session model made these changes straightforward — the configuration surface was explicit and the code behavior was traceable. He didn't need to rewrite the session layer, only configure it to his standards.
Team invitation flow review
VaultPass uses team workspaces with invitation-based membership. Tobias reviewed the invitation flow for token predictability and information leakage. The existing patterns were sound — invitations used cryptographically random tokens, expired after a configurable window, and the acceptance flow validated the token before revealing any account information.
External security review preparation
Before the first enterprise client, VaultPass underwent a penetration test by an external security firm. Tobias prepared for the review by documenting the auth layer implementation — the Better Auth spec made this straightforward because the session management was documented in the code itself. The review identified no critical or high-severity findings.
Outcomes
External security review: zero critical findings
A formal penetration test by an external security firm identified no critical or high-severity vulnerabilities in the auth layer.
Auth audit completed in one day
Tobias audited the entire auth layer — session lifecycle, OAuth flow, magic link handling, protected routes — in one working day. The code's readability made the audit tractable.
Zero auth regressions in 4 months
In four months of production operation, VaultPass has had zero auth-related incidents, session leaks, or broken login flows.
Enterprise client contract signed
The clean security review result was a direct factor in an enterprise client's decision to sign a contract, per their procurement documentation.
In their own words
“I was prepared to find problems in the auth layer. I audit everything by default in this space. I found two configuration defaults I'd change, made the changes in about twenty minutes, and that was it. The underlying session model and token handling are solid. Passing the penetration test wasn't a surprise — the code earns it.”
“I specifically stress-tested the auth layer before committing. Magic links, Google OAuth, and team invites all worked first try. The session handling is solid and the protected routes follow a pattern I can explain to a junior developer in five minutes. We passed our first external security review with no critical findings.”
— Tobias Wolf
Frequently asked questions
Which auth methods does Better Auth support?
Magic links, phone OTP, OAuth (Google, GitHub, Discord pre-configured), guest users, and session-based authentication. Better Auth is designed for extensibility — additional providers can be added following the existing OAuth integration pattern.
How are JWTs managed in ShipAI?
JWTs are signed with jose (the Web Crypto API-based JWT library) using a secret configured in environment variables. Sessions are stored server-side and JWTs are validated on every protected request. Logout invalidates the session server-side rather than only clearing the cookie.
What does Tobias recommend for security-sensitive deployments?
Shorten the JWT expiry window from the default for sensitive applications, ensure all auth cookies have Secure and SameSite=Strict flags in production, and review the invitation token TTL settings. All three are configuration changes, not code changes.