Stormpath Laravel

One of the questions I am asked all the time about the Stormpath Laravel package is, “Why do I need to use a package for authentication in Laravel when it is built in?” I will be the first to admit that the Laravel authentication is well built and a great addition to the framework. It saves a lot of time during your development. However, it still requires you to understand the security aspects around storing user data.

There are also many different areas inside the Laravel framework that require a lot of custom configuration of your users table: things like gates to check whether the user is allowed to perform an action, and the ability to share one authentication database across multiple applications. At Stormpath, we also use secure, current hashing methods for passwords to keep your users safe. (You can check out the Stormpath Laravel integration on GitHub right here!)


San Mateo, CA – Stormpath, the complete Identity API for software teams, today announced that Adam Wu has joined the company as Vice President of Engineering. Wu, a Silicon Valley veteran, brings nearly two decades of engineering leadership experience to the San Mateo-based company.

Wu joins Stormpath from his most recent position as Vice President of Cloud Engineering at Centrify, the leading provider of unified identity infrastructure for IT teams. While at Centrify, Wu built and managed a high-scale engineering and operations team, and drove Centrify’s expansion from legacy software into cloud and mobile services, a cornerstone for the company’s growth.



Last week, we updated the core Stormpath product – our REST API – to Spring Boot. This is a major architectural upgrade for our codebase and it simplified application development and deployment for our whole team, for both software engineering and operations.

And it was shockingly easy.

Stormpath Spring Boot Migration

This blog post will cover the entire migration, from our initial decision-making process to configuration, architecture, ecosystem specifics, and even how Spring Boot simplified our deployment. We hope this will allow other Java teams to benefit from what we learned.

Why Migrate from Spring to Spring Boot?

Our application was a traditional Spring app secured by Apache Shiro and configured with both XML and Java Config. When we added Spring Boot, it didn’t replace Spring of course (since Spring Boot is built on top of Spring), but it simplified much of our architecture by adding a layer that helps automate configuration and deployment while making it easier to implement features, as well as prime our architecture for modular microservices (more on that later).

Because we have thousands of customers in production and are constantly developing new features, we did extensive testing to make sure everything still worked as expected. We also built some custom Spring Boot Starters, including a nifty one for real-time stream messaging with Apache Samza. And even though our software stack is a few years old and involves a lot of business edge cases and intricate code paths, we were able to make the transition in just three weeks.



At Stormpath, we’re in the business of authentication and authorization, which means we have lots of conversations with developers about user management, sessions, and scalability in web and mobile applications. We think token authentication (or token-based authentication) is one of the core elements of scalable identity and authorization management. Token authentication is stateless, secure, mobile-ready, and designed to grow with your user base without adding additional strain on your servers.


How Does Token Authentication Work?

Authentication is the process by which an application confirms user identity. Applications have traditionally persisted identity through session cookies, relying on session IDs stored server-side. This forces developers to create session storage that is either unique to each server, or implemented as a totally separate session storage layer.

Token authentication is a more modern approach, designed to solve problems that server-side session IDs can’t. Using tokens in place of session IDs can lower your server load, streamline permission management, and provide better tools for supporting a distributed or cloud-based infrastructure.



Stormpath Notes Mobile App

Behind every great mobile app is a great backend, but building an API for your app can be a bit daunting if you haven’t done so before. Fear not! This tutorial will show you how to build your first REST API using Node.js, and connect it to an iOS or Android app!

Node.js is a great way to build a mobile API for several reasons. As a mobile developer, I love it because:

  • It’s easy to work with JSON in JavaScript, because JSON stands for JavaScript Object Notation!
  • Node.js is lightweight and easy to get started with.
  • Node.js gives you fine-grained control over your requests and responses.

However, when building an API, figuring out how to handle authentication is always a huge challenge. Authentication refers to the practice of understanding exactly who is accessing your data, and securely doing so is not easy. We built Stormpath to help developers easily add secure authentication to their apps, and we’ll also show you how to include this in your REST API.



On a recent vacation, I did a personal hackathon with the goal of demystifying OAuth2 in a fun way. (My boss called this a vacation fail, but in between visiting dormant volcanoes and whale watching, this was the perfect downtime activity for me!)

The result is OZorkAuth. Zork was an early interactive fiction game that first appeared on a DEC PDP-10 in the late ’70s. I first played it on my Commodore 64 in 1983. Zork has been ported to dozens of platforms including the Sony PlayStation and even iPhone. If you can’t tell, I’m a little nostalgic about this game and this genre of games in general.

I’ve been noodling around for a while on the idea of playing these interactive fiction games via an API. The challenge is that these games are played synchronously. That is, in your terminal, you interact with the game and maybe you save the game along the way so you can come back to it.



The healthcare application market is one of the most rapidly growing sectors, expected to be a $60 billion market by 2020. For developers in this surging healthcare application development space, HIPAA-compliant user management, including authentication and authorization, is mission critical.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA), set forth in 1996, was designed to allow the public to more easily change medical practitioners or insurance providers. Baked in with these portability structures was a set of privacy restrictions to protect that data in motion, in a limited fashion.

In 2013, the Final Omnibus Rule Update amended HIPAA, taking into account the digital revolution and bringing under its umbrella additional organizations beyond doctors, hospitals, and insurance companies.



Stormpath recently added support for SAML (Security Assertion Markup Language) user management including both Service Provider (SP) initiated and Identity Provider (IdP) initiated authentication. (SAML is an XML-based standard for securely exchanging authentication and authorization information between entities.)

Instead of working with XML or even directly with SAML itself (which none of us wants to do), Stormpath allows you to support SAML login by just adding some configuration to our SDK and the Stormpath console. From there, your applications can consume SAML assertions from any SAML IdP.




I am happy to announce that we have now added Lumen to Stormpath’s PHP integrations. This integration requires minimal setup and about five minutes to get a PHP backend up and running for your mobile applications – exciting! With our Lumen integration, you can quickly set up user registration and user authentication using OAuth tokens.

This tutorial will teach you how to set up a new Lumen project and configure it for use in your mobile application. I will teach you how to install Lumen in a couple of different ways and guide you through the configuration and setup of your Lumen project.

For this tutorial, I am going to take you from creating a new Lumen project all the way to your first call with one of our mobile SDKs. I will walk you through your first call to authenticate a user using the /oauth/token endpoint, which returns the OAuth tokens used for all future requests against your application. We have also provided middleware you can use to check for authenticated users on a route.

Let’s get started! You can sign up for a free Stormpath account here.




We’re thrilled to announce our open-source ASP.NET Core authentication library is now available! What’s the deal with ASP.NET Core, you ask?

ASP.NET Core 1.0 (formerly ASP.NET 5 or “vNext”) is the latest version of ASP.NET. Instead of building incrementally on ASP.NET 4, Microsoft opted to do a full rewrite of the ASP.NET stack. The end result is a leaner and more modular framework than ever before.

What’s changed? For starters, MVC and Web API have been unified into a single pipeline. Dependency injection is provided out of the box. And, most exciting of all, ASP.NET is now cross-platform!

Not only does this mean native hosting on Linux (woot!), but the modular design of the framework gives you more flexibility to use exactly the components that you want. Like Entity Framework but don’t want to use SQL Server? Not a problem! Not a fan of IIS? Kestrel is blazingly fast and works great with nginx.

How about an application with full-fledged user authentication, no database required? In this tutorial, you’ll learn how to scaffold a basic ASP.NET Core MVC application and plug in Stormpath user authentication with two lines of code.
