I love how Java keeps reinventing itself to stay current and relevant (I can hear all my Node.js and Ruby friends groaning). The ecosystem that supports Java is keeping pace with new developments as well. Today it’s as easy to build, test and deploy a rich Java web app as it is in Python or Node.js (more groans).

One piece of that is Spring Boot, which makes building and launching a Java webapp in minutes a reality. Heroku’s focus on Java support also speeds things along.

Finally, Stormpath means developers don’t have to build authentication and authorization workflows. Stormpath’s identity API and single sign-on functionality (via IDSite) provide out-of-the-box account registration, login, email workflows and single sign-on across applications. These flows include default forms and views, all of which are customizable.

In this post, we will put all that together and get the added bonus of Single Sign-on across your applications – all within 20 minutes.

Read on – tick tock!


In my last post, we covered a lot of ground, including how we traditionally go about securing websites, some of the pitfalls of using cookies and sessions, and how to address those pitfalls by traditional means.

In this post we’ll go beyond the traditional and take a deep dive into how token authentication with JWTs (JSON Web Tokens) not only addresses these concerns, but also gives us the benefit of inspectable meta-data and strong cryptographic signatures.

Token Authentication to the Rescue!

Let’s first examine what we mean by authentication and token in this context.

Authentication is proving that a user is who they say they are.

A token is a self-contained singular chunk of information. It could have intrinsic value or not. We are going to look at a particular type of token that does have intrinsic value and addresses a number of the concerns with session IDs.


We talk a lot about Token Authentication, but before diving into the details of how to use tokens, it’s critical for developers to understand the underlying security issues. Why do tokens matter, and what types of vulnerabilities do they protect an application from?

“Problem” is such a negative word. Let’s say that Single Page Applications (SPAs) and mobile webapps present new security “challenges”. We call these types of applications “untrusted clients” since our server-side code has no control over the environment they run in. Even regular web applications have these issues. People can easily alter or inject JavaScript code on a page through the developer console. Mobile apps, such as those on Android and iOS, can be decompiled and inspected. As such, you would not want to embed sensitive information like secret keys or passwords in these types of clients.

In this post, I will cover some of the best techniques to secure webapps and how to handle the pitfalls with those approaches. This post applies to all modern programming languages.

Buckle up – we’ve got a lot of ground to cover. Let’s get started!


PHP 5.3 End of Life Support

Programming languages always progress and change. Bugs are found and patched, and so are security holes in the language. The PHP Group and the PHP community have always prided themselves on making sure developers have the best and most secure code available. Because of this, PHP – like many languages – will End Of Life (EOL) an older version, no longer maintaining it with bug and security updates.



My name is Nate, and last week I joined Stormpath as a Developer Evangelist, focusing on C# and the .NET stack.

I’ve used Stormpath in some small .NET projects before, but in the absence of a native C# library for use in ASP.NET, .NET and C# users like me have had to connect straight to the API. It’s a pain point I’m looking forward to solving. I’m excited to jump in!

About Nate

I’ve always had a huge passion for computers and technology. When I was six I asked my mom to read me technical software manuals; she admitted a decade later that she had no idea what she was reading, but I ate them up! To me, technology represented endless possibilities. If I didn’t know how to do something, I could get a book at the library or look it up on AltaVista and learn it. That thrill has never gone away.



Hello, I’m Brian, the new PHP Developer Evangelist for Stormpath! I’m currently based at home in Dayton, Ohio with my wonderful wife, Heather, and our purebred mutt, Sophie.

My background is not what you would expect: I have a BFA in Communications Arts with a concentration in International Theatre Production (specifically sound design and engineering) from Ohio Northern University. My post-college path started with six months on a cruise ship (doing sound engineering), then writing code for a start-up educational website, then working as a PHP developer and a system administrator and, now, a PHP Developer Evangelist! This job will combine all of the skills I have learned over the years, making it a perfect fit!


Stormpath provides authentication tools for APIs, so we work closely with devs building new REST services. We also hear a lot about the challenges that come with building an API. Billing is often high on that list of pitfalls. While charging users has long been a complicated issue, it can also be surprisingly painless for many use cases. We’ll show you how!

In this tutorial, I’ll run through how to:

  • Prop up a simple web console where your API users can register, log in, get a Key for your REST API, and update their Account to a paid plan
  • Set up a monthly subscription plan and email users with monthly invoices
  • Securely collect credit card data and charge a recurring fee
  • Store unique billing info on your user records
  • Expose a simple REST endpoint, secured with HTTP basic authentication
  • Limit access to that endpoint to paying users only
  • Revoke API access when a user unsubscribes or fails to pay an invoice

Occasionally here at Stormpath, we find time for open-source projects in the authentication and user security space. One such project, which is taking off in the Java community, is JJWT – a self-contained Java library providing end-to-end JSON Web Token creation and verification.

JJWT aims to be the easiest library for creating and verifying JSON Web Tokens (JWTs) on the JVM, and started as a side-project of our CTO, Les Hazlewood.


Stormpath Java Support

The Stormpath Java SDK is now speedier and more extensible than ever. If you’re running a version lower than 1.0RC4.4, consider updating.

It’s no secret that an application needs fast access to its user data to keep those users happy. Whether it’s registration or authorizing access to a resource, slow speeds and good user experience don’t mix.

That is why we recently revamped much of our core Java SDK to improve performance and extensibility. Here’s a rundown of what we did and how it impacted request times in a real project:



I’m Micah and this week I joined Stormpath as a Developer Evangelist, supporting Java and the JVM.

In this new role, I get to do some of my most favorite activities as my job: coding, pairing with other developers and writing. I am part of a growing team of software engineers who not only write code, but get to express all that nerdy goodness through interactions in the developer community.

About me

I developed an interest in computers right at the beginning of the personal computer revolution when I was in 6th grade. I first played with CBM PETs in school (pop quiz: What does PET stand for? No googling! Answer below). My first home computer was a Commodore Vic-20. Then a Commodore 64 and even the rare SX-64 (LOAD"*",8,1 – anyone?).


After learning what I was doing with my 300 baud modem and phreaking tools, my parents sought a less felonious outlet for my interest. My father, a dentist, purchased an Osborne 1 (CP/M for the win!) and had me help him automate his office.

Since then, my love affair with technology has continued to develop and evolve.
