Description
What is missing or needs to be updated?
The Authentication Cheat Sheet provides detailed guidance on individual mechanisms (sessions, reauthentication, MFA, token handling), but it does not clearly describe where authentication and authorization decisions should occur in a modern API-based architecture.
For developers building API-first systems (e.g., REST APIs, FastAPI/Django APIs, microservices), it is often unclear which responsibilities belong to:
- login endpoints,
- middleware,
- token refresh endpoints,
- or mid-session risk escalation logic.
This lack of architectural context can lead to inconsistent or insecure implementations, even when individual recommendations are followed.
How should this be resolved?
Add a short, diagram-style documentation subsection to the Authentication Cheat Sheet titled:
“Where authentication decisions should occur in an API-based system”
The subsection would:
- Describe the request lifecycle in an API-driven architecture
- Explain the responsibilities of:
  - Login endpoints
  - Authentication/authorization middleware
  - Token refresh endpoints
  - Mid-session reauthentication or risk escalation
- Be framework-agnostic and text-based (no images required)
- Reference existing sections such as Session Management and Reauthentication After Risk Events
This addition would connect existing guidance into a practical architectural model without changing any existing recommendations.
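As an added illustration (not part of this issue or of the cheat sheet), a framework-agnostic Python sketch of the four responsibilities listed above: credentials are checked only at the login endpoint, middleware authenticates and then authorizes every protected request, the refresh endpoint accepts only single-use refresh tokens and rotates them, and sensitive routes enforce mid-session step-up by requiring a recent authentication. The HMAC token format, the constructed user and role tables, and the lifetimes are assumptions, and the server clock `now` is passed in explicitly so the flow can be replayed deterministically.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)                        # assumption: per-service signing key
ACCESS_TTL, REFRESH_TTL, MAX_AUTH_AGE = 300, 3600, 60    # assumption: lifetimes in seconds
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}   # constructed sample user
ROLES = {"alice": {"reader"}}                                     # constructed sample roles
REFRESH_STORE = {}            # refresh id -> user, kept server side so it can be revoked

def _sign(claims):
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def _verify(token, now):
    body, _, mac = token.rpartition(".")
    expect = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, mac):
        return None                                     # tampered or foreign token
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None      # expired tokens are rejected

def _issue(user, now):
    rid = secrets.token_hex(16)
    REFRESH_STORE[rid] = user
    return {"access": _sign({"sub": user, "typ": "access", "iat": now, "exp": now + ACCESS_TTL}),
            "refresh": _sign({"sub": user, "typ": "refresh", "jti": rid, "exp": now + REFRESH_TTL})}

# 1. Login endpoint: the only place credentials are checked; it issues the token pair.
def login(user, password, now):
    digest = hashlib.sha256(password.encode()).hexdigest()
    if user not in USERS or not hmac.compare_digest(USERS[user], digest):
        return None
    return _issue(user, now)

# 2. Middleware: on every protected request, authenticate the access token, then authorize.
def middleware(token, required_role, now, sensitive=False):
    claims = _verify(token, now)
    if not claims or claims["typ"] != "access":
        return "unauthenticated"      # HTTP 401: a refresh token must not open protected routes
    if required_role not in ROLES.get(claims["sub"], set()):
        return "forbidden"            # HTTP 403: authenticated, but not authorized
    if sensitive and now - claims["iat"] > MAX_AUTH_AGE:   # 4. mid-session step-up
        return "reauth_required"      # send the client back through login for this action
    return "ok"

# 3. Refresh endpoint: accepts only unexpired, unused refresh tokens and rotates them.
def refresh(token, now):
    claims = _verify(token, now)
    if not claims or claims["typ"] != "refresh" or claims["jti"] not in REFRESH_STORE:
        return None
    return _issue(REFRESH_STORE.pop(claims["jti"]), now)   # old refresh token is now dead
```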