A Session Can Have Only One Source of Truth: Why External Login Must Not Store a Token on the Device
When wiring up an external identity provider, storing the id_token on the device tears open three channels at once: revocation, cold start, and audit. Starting from the principle of a single source of truth, this post breaks down the cookie-session contract and the JWT hardening checklist.