References
It is important to read the sections Why this shape and Reference example and production readiness on Authentication before relying on this page. They explain why the default BFF-centred pattern exists, how you can extend or replace it, and what the reference implementation does and does not promise for production.
Use the in-repo guides first: Authentication hub, Tokens, CSRF protection, Security measures (auth), Content Security Policy (CSP). The links below are third-party technical references outside this documentation—use them to understand standards, products, and practices. If your deployment must meet legal or regulatory requirements, do not rely on these external pages alone; get review from people qualified to advise on law and compliance for your situation.
Commercetools
- Commercetools OAuth 2.0 documentation (commercetools.com)
- API client and token lifetime configuration (Merchant Center / Management API)
JOSE / JWT
- Auth0 – Demystifying JOSE (JWT family) — JWS/JWE background relevant to cookie token packaging
CSRF and CSP
- MDN: Content Security Policy (CSP)
- OWASP: Content Security Policy Cheat Sheet
- W3C: Content Security Policy Level 3
Rate limiting and abuse
- OWASP: Denial of Service Cheat Sheet — general DoS awareness; read together with Rate limiting for BFF behaviour
Summary
| Topic | Primary internal doc |
|---|---|
| Tokens / cookies | Tokens |
| CSRF | CSRF protection |
| Hardening overview | Security measures (auth) |
| CSP | CSP |