Auth method chooser

← All tools

Sessions, JWT, OAuth, passkeys, or magic links? Six questions about your clients, revocation needs, and threat model — plus what not to do.

~~~

Answer every question before seeing a recommendation.

Primary fit

~~~

Security checklist

Anti-recommendations

~~~

About this tool

There is no single best auth method. Sessions excel at revocation; JWTs excel at stateless APIs; OAuth outsources passwords; passkeys resist phishing; magic links reduce friction. Most production apps combine two (OAuth → session, passkey → session).

Shareable URLs encode quiz answers only — never tokens or passwords.

~~~

Read more