Authentication in Cortado

Handle user authentication using tokens, middleware, and external identity providers with full control over access.


Understanding Cortado's Auth Model

Cortado doesn’t force you into a specific authentication system — instead, it provides the building blocks to implement the one that fits your needs. Whether you’re using JWT, session tokens, or third-party services like FramerAuth or Firebase, Cortado helps you handle auth cleanly at both the route and middleware level.

You’re in control of how tokens are issued, verified, and decoded. This flexibility ensures compatibility with both simple apps and complex role-based systems.

Using Middleware for Authentication

The most common way to protect routes in Cortado is by applying custom middleware. Middleware can intercept every incoming request, check for an Authorization header, decode a token, and either continue the request or block it.

Typical flow:

  • Validate token format

  • Decode payload (e.g., user ID, role)

  • Attach user data to the request context

  • Throw an error if verification fails

This approach keeps auth logic centralized and reusable across routes.

External Auth Integrations

Cortado works well with third-party identity providers. If you’re using a system like FramerAuth, Auth0, or Clerk, you can verify provider-issued tokens using your own validation logic.

Example: FramerAuth tokens can be verified using their public key, and then used to load user profiles from your database or enrich the session.

This decouples identity from business logic, giving you flexibility without lock-in.

Protecting Specific Routes

Not all endpoints need protection. Cortado lets you apply middleware per route or route group, so you can mark public vs. private endpoints clearly. For admin routes, you might check not just for a token, but also for a role or permission level.

Best practices include:

  • Securing all write operations (POST, PUT, DELETE)

  • Limiting access to admin panels and settings

  • Validating tokens even for read operations that return sensitive data

Refresh Tokens and Expiry

For systems using short-lived tokens, Cortado allows you to implement token refresh flows. You can build endpoints that issue new tokens if a refresh token is valid, and update expiry windows accordingly. Although Cortado doesn't include token generation logic out of the box, you can plug in any library (like jsonwebtoken) to manage it.

This pattern improves both security and UX, keeping sessions valid without constant re-authentication.

Building Auth Into the Stack

Authentication in Cortado isn’t just a plugin — it’s something you design into your app’s flow. Whether it’s a protected WebSocket connection, an upload route, or a user profile update, auth is a first-class concern. The framework gives you the primitives, but you shape the policy.

As your project scales, you can easily extend your auth layer:

  • Add scopes and permissions

  • Track sessions in a database

  • Log access patterns and security events

This ensures that your authentication layer grows with your product — securely and maintainably.


Last updated on

Nov 28, 2025