Frontend security, simplified.
AuthGate BFF (Backend-for-Frontend) acts as a secure intermediary for your web apps. It handles complex OAuth2 flows and stores tokens securely, issuing only HttpOnly cookies to your browser. Your frontend stays lightweight, and your tokens stay out of reach from malicious scripts.
HttpOnly cookies
Server-side OAuth flows
Zero-token browser memory
Why BFF?
Protecting Single Page Applications.
Storing JWTs in localStorage is a major security risk: any script that runs in the page, including one injected through XSS, can read them. The BFF pattern solves this by moving token management to a secure server.
HttpOnly Cookies
Instead of raw tokens, the BFF sets an encrypted HttpOnly cookie. JavaScript running in the browser cannot read this cookie, so an XSS payload has no token to steal.
Server-side Redirects
The BFF handles the messy OAuth2 authorization code flow entirely on the server. The browser just follows simple redirects and gets a session cookie at the end.
Seamless Proxying
When your React or Vue app makes an API request, the BFF intercepts it, attaches the real JWT from its secure vault, and proxies it to the API Gateway.
The Architecture
How the proxy flow works.
Login Request
The frontend redirects the user to the BFF's login endpoint. The BFF starts the OAuth2 flow with the IAM server.
Cookie Issued
After successful login, the BFF stores the tokens securely and issues an HttpOnly, SameSite session cookie to the browser.
API Call
The frontend sends a request to the BFF (e.g., /api/data). The browser automatically includes the secure cookie.
Token Attached
The BFF retrieves the stored JWT, attaches it to the Authorization header, and forwards the request to the API Gateway.
