
Security-sensitive B2B SaaS · 2 person team

Tobias Wolf wasn't going to ship auth he hadn't personally verified

VaultPass is a two-person B2B SaaS for developer credential management. Tobias has a security background and approached the auth layer in ShipAI the same way he'd approach any third-party security dependency: skepticism first, adoption only if the audit held up. It held up. A year into production, VaultPass has had zero auth incidents and passed a formal security review from an external firm.

Tobias Wolf

Bootstrap Founder, VaultPass

Background

Tobias had been building developer security tooling for four years, first at a security company and then on his own. He'd seen enough broken auth implementations to know that 'batteries included' was often a polite way of saying 'plausibly works in happy path scenarios.' JWTs signed with the string 'secret'. Session invalidation that cleared the cookie but not the server-side record. OAuth flows that didn't validate the state parameter. He'd found all of these in production codebases. Before adopting ShipAI for VaultPass, he decided to audit the auth layer properly.

The challenge

VaultPass stores developer credentials. An auth vulnerability isn't an embarrassment — it's a breach, and a breach ends the company. Tobias needed auth that was genuinely correct: server-side session invalidation on logout, OAuth state parameter validation, magic link tokens with appropriate TTLs and single-use enforcement, cookie security flags set correctly for production, and team invitation flows that didn't leak account information before acceptance. He also needed to be able to explain all of this to an enterprise security team during procurement.

How they built it

The audit

Tobias spent one full day reading the auth implementation before writing a line of product code. He traced the session lifecycle from login to logout, manually tested the OAuth flow including the state parameter handling, read the magic link token generation and expiry logic, and checked the cookie configuration. He found two settings he'd tighten for his use case — the JWT expiry window and the SameSite cookie attribute — and confirmed there were no structural issues. The audit took one day. He'd expected it to take two and expected to find problems.

Configuration hardening

The two changes Tobias made took about twenty minutes: shortened JWT expiry to one hour and set SameSite=Strict on auth cookies in production. Both were configuration changes, not code changes. He documented them in the project README for the benefit of his co-founder. The underlying session model didn't need to be touched.

The enterprise sales process

VaultPass's first enterprise prospect asked for a security questionnaire and then a penetration test as part of their procurement process. Tobias had expected this. He filled out the questionnaire from the codebase — the auth behavior was documented in the code itself, so the answers were straightforward. The pentest came back clean: no critical findings, no high-severity issues. The contract was signed the following week.

A year in production

VaultPass has been in production for over a year. In that time: zero auth incidents, zero session leaks, zero reports of unauthorized account access. Tobias's co-founder onboarded to the codebase six months in and says the session management is the clearest auth implementation he's read in a production system.

Outcomes

External penetration test: zero critical or high-severity findings

A formal security review by an external firm identified no critical or high-severity vulnerabilities in the auth or session management layer.

Enterprise contract signed

The security review result was the final requirement in the enterprise procurement process. The contract was signed the week after the clean pentest report.

Audit completed in one day

Tobias audited the entire auth layer — session lifecycle, OAuth flow, magic link handling, protected routes — in one working day. He expected it to take two.

Zero auth incidents in 12 months of production

No session leaks, no unauthorized access, no broken login flows in a year of operating a security-sensitive product.

In their own words

I was looking for problems. That's my default with any auth implementation I inherit. I found two configuration settings I'd adjust, changed them in twenty minutes, and that was it. The session model is correct. The OAuth flow validates what it should validate. The cookie handling is right. I'm not worried about it, which for something I'm responsible for in a security product is saying something.

Tobias Wolf

Bootstrap Founder, VaultPass

Our first enterprise prospect asked for a security review before signing. I thought that would take weeks to prepare for. We passed in a week with no critical findings. That contract was the difference between a side project and a real company.

Tobias Wolf

Frequently asked questions

What specifically did Tobias audit?

Session creation and invalidation (particularly on logout and password change), OAuth state parameter handling, magic link token generation entropy and TTL, cookie security attributes, and the team invitation flow for information leakage before acceptance. He also reviewed the protected route middleware for bypass patterns.

What were the two configuration changes he made?

He shortened the JWT expiry from the default to one hour, and he ensured SameSite=Strict was set on auth cookies in production. Both are configuration values — no code changes were required.
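As an added illustration of the properties listed in the two answers above (not VaultPass or ShipAI code; the in-memory stores, function names and timestamps are all hypothetical and constructed for the example), the following Python models each audited behaviour together with the check an auditor would run against it: a server-side session record whose deletion, not the cookie, is what revokes access; revocation of every session on password change; magic link tokens that enforce TTL and single use together; an OAuth callback that is rejected unless its state parameter matches one the server issued; and an audit of the cookie attributes. The one-hour session TTL stands in for the shortened JWT expiry the answer describes.

```python
"""Model of the audited auth properties (added example, hypothetical code).

Everything here is an in-memory stand-in for a real session and token
store; timestamps are passed in explicitly so the expiry logic is testable.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

SESSION_TTL_SECONDS = 3600  # one-hour expiry, as in the case study


@dataclass
class AuthStore:
    """Constructed stand-in for server-side state (not a real backend)."""
    sessions: dict = field(default_factory=dict)     # sid -> (user, expires_at)
    magic_links: dict = field(default_factory=dict)  # token -> (email, expires_at, used)
    oauth_states: set = field(default_factory=set)   # states issued, not yet consumed


def create_session(store, user, now):
    sid = secrets.token_urlsafe(32)
    store.sessions[sid] = (user, now + SESSION_TTL_SECONDS)
    return sid


def session_user(store, sid, now):
    """Return the user for a live session, or None if missing, expired or revoked."""
    entry = store.sessions.get(sid)
    if entry is None:
        return None
    user, expires_at = entry
    if now >= expires_at:
        del store.sessions[sid]  # expired: drop the record
        return None
    return user


def logout(store, sid):
    """Server-side invalidation: deleting the record revokes access.
    Clearing only the cookie would leave a replayable session behind."""
    store.sessions.pop(sid, None)


def revoke_all_sessions(store, user):
    """On password change, drop every session that belongs to the user."""
    for sid in [s for s, (u, _) in store.sessions.items() if u == user]:
        del store.sessions[sid]


def issue_magic_link(store, email, now, ttl=900):
    """Random token with a short TTL (15 minutes here, an assumed value)."""
    token = secrets.token_urlsafe(32)
    store.magic_links[token] = (email, now + ttl, False)
    return token


def redeem_magic_link(store, token, now):
    """TTL and single use are enforced together; returns the email or None."""
    entry = store.magic_links.get(token)
    if entry is None:
        return None
    email, expires_at, used = entry
    if used or now >= expires_at:
        return None
    store.magic_links[token] = (email, expires_at, True)  # burn the token
    return email


def begin_oauth(store):
    """Issue an unguessable state value and remember it server-side."""
    state = secrets.token_urlsafe(32)
    store.oauth_states.add(state)
    return state


def finish_oauth(store, callback_url):
    """Accept the callback only if its state was issued by us; consume it."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [None])[0]
    if state is None or state not in store.oauth_states:
        return False
    store.oauth_states.discard(state)
    return True


def audit_cookie(set_cookie_header, production=True):
    """Check the attributes an auth cookie should carry; return a list of findings."""
    attrs = {}
    for part in set_cookie_header.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if production and "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite", "")
    if samesite.lower() != "strict":
        findings.append(f"SameSite is {samesite or 'unset'}, expected Strict")
    return findings
```

The checks that matter in review are the negative ones: a logged-out or revoked session id returns no user, a magic link redeemed once cannot be redeemed again, and a callback carrying an unknown or absent state is refused.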

How did Tobias prepare for the enterprise security questionnaire?

He answered it from the codebase. The auth implementation is explicit and documented — he could point to specific code sections in his answers. The questionnaire took about two hours rather than the half-day he'd anticipated.

Keywords

vaultpass case study, security-sensitive b2b saas case study, shipai.today customer story, next.js saas case study, ai saas launch story

https://shipai.today/cases/tobias-wolf

Ready to write your own case study?

Start from the same foundation.

Every outcome in these case studies started from ShipAI.today. Production auth, billing, AI infrastructure, admin panel — all included.

  • 12 builders and counting
  • All features from these case studies included
  • Full landing source + SEO infrastructure
See pricing