Authentication verifies a user's identity to provide access to your application. When adding authentication to your serverless application, you'll likely use one of two different methods: stateless sessions or JSON Web Tokens (JWTs).
After authenticating with your provider, the client receives session data to be stored as a browser cookie. This cookie is commonly signed and encrypted for maximum security. This sealed cookie contains all session data – preventing making an additional call to the server.
JSON Web Tokens (JWTs)
JWTs allow you to store user information directly in the token, not just the access credentials. This can prevent an extra database lookup to fetch information like user names.
To check for access inside of your Serverless Functions, you can inspect the JWT or session content. This gives you complete control over the authentication flow. In the "providers" section below, we've included some examples that will quickstart setting up authentication in your application.
Authorization is difficult to implement securely. We strongly recommend using a provider if possible.