Stormpath Hosted Login Screen

When we first started Stormpath, most people rejected our product vision:

“I would never outsource my user data and functionality – the most important part of my application – to a third-party service.”

In 2011, the objections to a Customer Identity API were many, and they were valid. Cloud adoption was nascent. API services were primarily used to replace non-core functionality. Everyone was skittish about the rise in large-scale user data breaches. Developer service companies had spotty records when it came to revenue. A slew of investors turned down our seed round, and developers were generally skeptical.

Read more »

Today, we released version 0.1.0 of our .NET SDK! After almost two months of heavy development work, I’m excited to get this code into the hands of the community. In this article, I’ll cover the basics of how to install and use the SDK from a C# project, as well as talk about some of the design behind the code.

This is a very early release, so please share your questions and feedback in the comments below, email me at, or issue a pull request.

Easy Authentication In .NET?

The authentication story in .NET has long been a complicated one. In the past, we had big, heavy identity solutions like ASP.NET Membership. Often, these solutions meant being locked into using SQL Server. The situation has improved with ASP.NET Identity, which adopts a modular architecture.

Even so, there’s a good chance you’ll need to descend into the trenches if you’re not planning on using Entity Framework or SQL Server as your data store.

What if you want multiple web applications to share a user store? Or you’re building an API and need token authentication for untrusted clients? Or you want to support social login providers? What if you’re on a non-IIS environment, like Nancy? Or on a completely different platform, like Xamarin? We want to make your life easier!

Read more »

Until Now!

PHP has come a long way in the past year. We now have a package manager with many tools to help in project development, but there is still a lack of good API authentication tools out there. Sure, people try to roll their own API authentication setup for their PHP application, but we have a saying in the office.

“Friends don’t let friends build authentication.”

The Stormpath PHP SDK is here to help with all of your API Authentication requirements.

We have shown you before what goes into making a great RESTful API. Now we can help you protect that API with PHP API authentication!

Read more »

I love how Java keeps reinventing itself to stay current and relevant (I can hear all my Node.js and Ruby friends groaning). The ecosystem that supports Java is keeping pace with new developments as well. Today, it’s as easy to build, test and deploy a rich Java web app as it is in Python or Node.js (more groans).

One piece of that is Spring Boot, which makes building and launching a Java webapp in minutes a reality. Heroku’s focus on Java support also speeds things along.

Finally, Stormpath means developers don’t have to build authentication and authorization workflows. Stormpath’s identity API and single sign-on functionality (via IDSite) provide out-of-the-box account registration, login, email workflows and single sign-on across applications. These flows include default forms and views, all of which are customizable.

In this post, we will put all that together and get the added bonus of single sign-on across your applications – all within 20 minutes.

Read on – tick tock!

Read more »

In my last post, we covered a lot of ground, including how we traditionally go about securing websites, some of the pitfalls of using cookies and sessions, and how to address those pitfalls by traditional means.

In this post we’ll go beyond the traditional and take a deep dive into how token authentication with JWTs (JSON Web Tokens) not only addresses these concerns, but also gives us the benefit of inspectable meta-data and strong cryptographic signatures.

Token Authentication to the Rescue!

Let’s first examine what we mean by authentication and token in this context.

Authentication is proving that a user is who they say they are.

A token is a self-contained singular chunk of information. It could have intrinsic value or not. We are going to look at a particular type of token that does have intrinsic value and addresses a number of the concerns with session IDs.

Read more »

We talk a lot about Token Authentication, but before diving into the details of how to use tokens, it’s critical for developers to understand the underlying security issues. Why do tokens matter, and what types of vulnerabilities do they protect an application from?

“Problem” is such a negative word. Let’s say that Single Page Applications (SPAs) and mobile webapps present new security “challenges”. We call these types of applications “untrusted clients” since our server-side code has no control over the environment they run in. Even regular web applications have these issues. People can easily alter or inject JavaScript code on a page through the developer console. Mobile apps, such as those on Android and iOS, can be decompiled and inspected. As such, you would not want to embed sensitive information like secret keys or passwords in these types of clients.

In this post, I will cover some of the best techniques to secure webapps and how to handle the pitfalls with those approaches. This post applies to all modern programming languages.

Buckle up – we’ve got a lot of ground to cover. Let’s get started!
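The two posts above (the JWT deep dive and the untrusted-clients piece) make the same pair of claims: a JWT carries inspectable metadata, and only a signature made with a secret the client never holds makes it trustworthy. The following is an added example, written for this page and not code from Stormpath or its SDKs, showing a minimal HS256 mint/verify pair in the standard library: the server signs with a secret it alone keeps, anyone can read the claims, and a client that edits the claims, strips the signature, or guesses the key gets rejected. The secret and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret. In a real deployment only the server ever holds it;
# the untrusted client sees tokens, never the key that signs them.
SERVER_SECRET = b"example-only-secret-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def mint_token(claims: dict, secret: bytes) -> str:
    """Server side: sign base64url(header).base64url(claims) with HMAC-SHA256 (JWT HS256)."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def inspect_claims(token: str) -> dict:
    """Inspectable metadata: anyone holding the token can read its claims without a key."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> Tuple[Optional[dict], str]:
    """Return (claims, 'ok') for a valid token, or (None, reason) for a rejected one."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    # Pin the algorithm on the verifier side; a token must never pick its own (e.g. "none").
    if header.get("alg") != "HS256":
        return None, "unsupported alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time compare so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None, "expired"
    return claims, "ok"


def forge_payload(token: str, new_claims: dict) -> str:
    """What an untrusted client can try: rewrite the readable claims, keep the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_encode_json(new_claims)}.{sig_b64}"


def forge_alg_none(claims: dict) -> str:
    """The classic 'alg: none' trick: an unsigned token that a sloppy verifier would accept."""
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(claims) + "."


if __name__ == "__main__":
    token = mint_token({"sub": "alice", "exp": 1700000000}, SERVER_SECRET)
    print("claims readable by anyone:", inspect_claims(token))
    print("server verify:", verify_token(token, SERVER_SECRET, now=1699999999))
    print("tampered:", verify_token(forge_payload(token, {"sub": "admin", "exp": 1700000000}), SERVER_SECRET, now=1699999999))
    print("alg none:", verify_token(forge_alg_none({"sub": "admin"}), SERVER_SECRET, now=1699999999))
```

The verifier pins `HS256` rather than reading the algorithm from the token, which is the detail that separates a JWT library from a JWT vulnerability; a real service would additionally check `iss`, `aud` and a `nbf`/issued-at window, and keep the signing key in a secrets store rather than a module constant.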

Read more »

PHP 5.3 End of Life Support

Programming languages always progress and change. Bugs are found and patched, and so are security holes in the language. The PHP Group and the PHP community have always prided themselves on making sure developers have the best and most secure code available. Because of this, PHP – like many languages – will End Of Life (EOL) an older version, no longer issuing bug or security fixes for it.

Read more »


My name is Nate, and last week I joined Stormpath as a Developer Evangelist, focusing on C# and the .NET stack.

I’ve used Stormpath in some small .NET projects before, but in the absence of a native C# library for use in ASP.NET, .NET and C# users like me have had to connect straight to the API. It’s a pain point I’m looking forward to solving. I’m excited to jump in!

About Nate

I’ve always had a huge passion for computers and technology. When I was six I asked my mom to read me technical software manuals; she admitted a decade later that she had no idea what she was reading, but I ate them up! To me, technology represented endless possibilities. If I didn’t know how to do something, I could get a book at the library or look it up on AltaVista and learn it. That thrill has never gone away.

Read more »


Hello, I’m Brian, the new PHP Developer Evangelist for Stormpath! I’m currently based at home in Dayton, Ohio with my wonderful wife, Heather, and our purebred mutt, Sophie.

My background is not what you would expect: I have a BFA in Communications Arts with a concentration in International Theatre Production (specifically sound design and engineering) from Ohio Northern University. My post-college path started with six months on a cruise ship (doing sound engineering), then writing code for a start-up educational website, then working as a PHP developer and a system administrator and, now, a PHP Developer Evangelist! This job will combine all of the skills I have learned over the years, making it a perfect fit!

Read more »

Stormpath provides authentication tools for APIs, so we work closely with devs building new REST services. We also hear a lot about the challenges that come with building an API. Billing is often high on that list of pitfalls. While charging users has long been a complicated issue, it can also be surprisingly painless for many use cases. We’ll show you how!

In this tutorial, I’ll run through how to:

  • Stand up a simple web console where your API users can register, log in, get a key for your REST API, and upgrade their account to a paid plan
  • Set up a monthly subscription plan and email users monthly invoices
  • Securely collect credit card data and charge a recurring fee
  • Store unique billing info on your user records
  • Expose a simple REST endpoint, secured with HTTP basic authentication
  • Limit access to that endpoint to paying users only
  • Revoke API access when a user unsubscribes or fails to pay an invoice
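The last three steps of that list (a Basic-auth endpoint, paying users only, revocation on unsubscribe or failed payment) reduce to one authorization check on every request. The following is an added example for this page, not the tutorial’s own code and not the Stormpath SDK: an in-memory account store stands in for the user store, `on_payment_succeeded` and `on_subscription_ended` stand in for the billing provider’s webhooks, and the key ids, secrets and customer id are constructed. The check parses the `Authorization` header, compares the key secret in constant time (against a dummy when the key id is unknown, so unknown and wrong keys take the same time), and then gates on revocation and plan.

```python
import base64
import binascii
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    email: str
    api_key_id: str
    api_key_secret: str
    plan: str = "free"             # "free" until the first successful charge
    api_enabled: bool = True       # cleared on unsubscribe or a failed invoice
    billing_customer_id: str = ""  # opaque id from the billing provider, kept on the user record


# Constructed in-memory store keyed by API key id; stands in for the real user store.
ACCOUNTS: Dict[str, Account] = {}

# Compared against when the key id is unknown, so lookups for unknown and wrong keys take the same time.
_DUMMY_SECRET = secrets.token_urlsafe(32)


def register(email: str) -> Tuple[str, str]:
    """Issue an API key pair for a new account (what the web console hands the user)."""
    key_id, key_secret = secrets.token_hex(8), secrets.token_urlsafe(32)
    ACCOUNTS[key_id] = Account(email, key_id, key_secret)
    return key_id, key_secret


def on_payment_succeeded(key_id: str, billing_customer_id: str) -> None:
    """Hypothetical billing webhook: first successful charge moves the account to the paid plan."""
    acct = ACCOUNTS[key_id]
    acct.plan, acct.api_enabled, acct.billing_customer_id = "paid", True, billing_customer_id


def on_subscription_ended(key_id: str) -> None:
    """Hypothetical webhook for unsubscribe or failed invoice: revoke API access, keep the record."""
    acct = ACCOUNTS[key_id]
    acct.plan, acct.api_enabled = "free", False


def basic_header(key_id: str, key_secret: str) -> str:
    """What the API client sends: Authorization: Basic base64(key_id:key_secret)."""
    return "Basic " + base64.b64encode(f"{key_id}:{key_secret}".encode("utf-8")).decode("ascii")


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    key_id, sep, key_secret = raw.partition(":")
    return (key_id, key_secret) if sep else None


def authorize_request(authorization: Optional[str]) -> Tuple[int, str]:
    """Gate one endpoint: 401 bad credentials, 403 revoked, 402 not on a paid plan, 200 ok."""
    creds = parse_basic_auth(authorization)
    if creds is None:
        return 401, "missing or malformed Authorization header"
    key_id, key_secret = creds
    acct = ACCOUNTS.get(key_id)
    expected = acct.api_key_secret if acct else _DUMMY_SECRET
    if not hmac.compare_digest(expected.encode("utf-8"), key_secret.encode("utf-8")) or acct is None:
        return 401, "invalid API key"
    if not acct.api_enabled:
        return 403, "API access revoked"
    if acct.plan != "paid":
        return 402, "paid plan required"
    return 200, f"ok: {acct.email}"


if __name__ == "__main__":
    kid, ks = register("dev@example.com")
    print("before paying:", authorize_request(basic_header(kid, ks)))
    on_payment_succeeded(kid, "cus_constructed_123")
    print("after paying:", authorize_request(basic_header(kid, ks)))
    on_subscription_ended(kid)
    print("after cancelling:", authorize_request(basic_header(kid, ks)))
```

Basic auth sends the key secret on every request, so this only makes sense over TLS; 402 is a deliberate choice (HTTP reserves it for exactly this situation) and 403 works as well if your clients do not handle it. Storing the billing provider’s customer id on the account record, rather than card data, is what keeps the card-handling burden with the billing provider.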
Read more »