Stormpath provides authentication tools for APIs, so we work closely with devs building new REST services. We also hear a lot about the challenges that come with building an API. Billing is often high on that list of pitfalls. While charging users has long been a complicated issue, it can also be surprisingly painless for many use cases. We’ll show you how!

In this tutorial, I’ll run through how to:

  • Stand up a simple web console where your API users can register, log in, get a Key for your REST API, and upgrade their Account to a paid plan
  • Set up a monthly subscription plan and email users monthly invoices
  • Securely collect credit card data and charge a recurring fee
  • Store unique billing info on your user records
  • Expose a simple REST endpoint, secured with HTTP basic authentication
  • Limit access to that endpoint to paying users only
  • Revoke API access when a user unsubscribes or fails to pay an invoice

Occasionally here at Stormpath, we find time for open-source projects in the authentication and user security space. One such project, which is taking off in the Java community, is JJWT – a self-contained Java library providing end-to-end JSON Web Token creation and verification.

JJWT aims to be the easiest library for creating and verifying JSON Web Tokens (JWTs) on the JVM, and started as a side-project of our CTO, Les Hazlewood.


The Stormpath Java SDK is now speedier and more extensible than ever. If you’re running a version lower than 1.0RC4.4, consider updating.

It’s no secret that an application needs fast access to its user data to keep those users happy. Whether it’s registration or authorizing access to a resource, slow speeds and good user experience don’t mix.

That is why we recently revamped much of our core Java SDK to improve performance and extensibility. Here’s a rundown of what we did and how it impacted request times in a real project:

I’m Micah and this week I joined Stormpath as a Developer Evangelist, supporting Java and the JVM.

In this new role, I get to do some of my favorite activities as my job: coding, pairing with other developers and writing. I am part of a growing team of software engineers who not only write code, but get to express all that nerdy goodness through interactions in the developer community.

About me

I developed an interest in computers right at the beginning of the personal computer revolution when I was in 6th grade. I first played with CBM PETs in school (pop quiz: What does PET stand for? No googling! Answer below). My first home computer was a Commodore Vic-20. Then a Commodore 64 and even the rare SX-64 (LOAD"*",8,1 – anyone?).

After learning what I was doing with my 300 baud modem and phreaking tools, my parents sought a less felonious outlet for my interest. My father, a dentist, purchased an Osborne 1 (CP/M for the win!) and had me help him automate his office.

Since then, my love affair with technology has continued to develop and evolve.


Building a full-fledged API service isn’t as hard as you may think. By taking advantage of some really useful API services and open source libraries, you can develop an API service in an incredibly short amount of time!

In this article, I’m going to walk you through the process of building an API service that uses SMS to keep you up-to-date with the current value of Bitcoin: Bitcoin SMS!

This API service:

  • Lets users sign up and register for your site.
  • Verifies new user accounts by sending them an email and making them click a link.
  • Generates API keys for developers automatically.
  • Bills developers on a per-API call basis.
  • Handles credit card billing with Stripe.
  • Sends SMS messages via Twilio.
  • Finds Bitcoin exchange rates via Bitcoin Charts.
  • Stores user account data securely with Stormpath.

If you’re at all interested in building API services, or API companies — this article is meant specifically for you!


JWT, access token, token, OAuth token... what does it all mean?

Properly known as “JSON Web Tokens”, JWTs are a fairly new player in the authentication space. Being the cool new thing, everyone is hip to start using them. But are you doing it securely? In this article we’ll discuss best practices for JWTs, while showing you how to use the nJwt library for creating and verifying JWTs in your Node.js application.


We’ve been on a conference blitz over the last few months at Stormpath, and standing in the booth, we get asked a lot of questions about authentication and authorization: protocols, systems, services and security.

Two areas where misinformation – and therefore misunderstanding – tends to hang out are OAuth and Single Sign-On, and where they intersect.

To start, OAuth is not the same thing as Single Sign-On (SSO). While they have some similarities, they are very different.

OAuth is an authorization protocol. SSO is a high-level term used to describe a scenario in which a user uses the same credentials to access multiple domains.


JSON Web Tokens (JWTs) are being prescribed as a panacea for webapp security, but you need to know your security basics before you can implement them with peace of mind. JWTs are a great mechanism for persisting authentication information in a verifiable and stateless way, but that token still needs to be stored somewhere.

This article will explain the security loopholes in web browsers, and what you can do about them – keeping your JWTs safe and secure.

Know Thy Web Application Vulnerabilities

If you’re writing a UI that runs inside of a browser environment, you need to know the potential security issues. We’ll cover these primary areas of security in our article:

  1. Securing user credentials (i.e. passwords)
  2. Preventing malicious code from running in your webapp
  3. Using cookies, securely!

We’re pretty excited by the rapid growth of new, lightweight frameworks for building microservices and APIs. They dramatically shorten development time for simple web applications, and they support a flexible, developer-friendly architectural approach.

Lumen, a new project from the creator of Laravel, is one of these great new microframeworks. A leaner version of Laravel that uses some of the same components, it simplifies tasks common to web projects: routing, databases, queueing, and caching.

One of the challenges of micro-frameworks like Lumen, however, is that they often come with very little support for authentication and user management. Because they are designed for services and APIs, support for front-end packages like Bootstrap and functionality like sessions aren’t enabled by default, and authentication functionality can be limited. This can be a hitch for PHP developers who need user login and registration screens but don’t want to spend a lot of time building them.

Wouldn’t it be nice if you could add authentication to your Lumen application in under 5 minutes? Well, with the new integration of Stormpath’s ID Site feature into our PHP SDK, it is now very simple. This post will show you exactly how to do it.


The world of user data security is vast, complicated, and for many teams, difficult to navigate. When working with a legacy application, it can be difficult to determine the first, easy steps to ensure your user and customer data is more secure. But a few quick tips can dramatically improve user data security in most environments. At Stormpath, user data security is our top priority, so we want to share a few ideas to help you upgrade quickly.

Step 1: Separate The User Store from Application Data

One of the first – and easiest – steps to increase customer data security in the cloud is to separate user credentials and personally identifiable information (PII) from application data. Separating the user store ensures that any data collected by or provided to your application is not easily matched to its owner. What you separate depends on the application’s use case, but typically separated user data includes usernames, email, passwords and PII such as addresses or geolocational data.

This separation of user data provides several benefits:
