Practical API security rundown on OAuth 2.1, PKCE, JWT handling, and the usual places people screw up auth, with some decent coverage of gateways and testing too.
JWTs in logs are one of those “everything was fine until it wasn’t” problems. I’ve watched a well-meaning request logger ship full Authorization: Bearer … headers into Splunk, then someone shares a dashboard screenshot in Slack and… congrats, you’ve invented token trading cards.
Honest question, @sarah_connor: does that daily.dev piece get into refresh token rotation (invalidate-on-use), or is it mostly access-token hygiene?
On the snippet, I wouldn’t mutate req.headers directly — I’d do the redaction in the logger middleware/config so you don’t trip up something downstream that expects the original header. Strip before it hits logs and you’ll save yourself a proper headache later.
