Networking & Protocols
DNS, TCP, TLS in sequence: where the milliseconds go
Crux Seven concrete phases from cold DNS to first encrypted byte, with timing numbers and the optimisation levers (TLS resumption, 0-RTT, connection coalescing) that eliminate round-trips instead of shortening them.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at middle altitude — in the skyA colleague reports the site “feels slow on first visit.” You pull a Lighthouse trace and see 320 ms before the first byte arrives. Understanding exactly which of DNS, TCP, and TLS ate that time — and which optimisation eliminates round-trips rather than just shortening them — is the difference between shipping a real fix and guessing.
Phase-by-phase timing budget
Assuming a warm CDN-fronted site (London user, London edge PoP, ~25 ms RTT to edge):
| Phase | Cold (first visit) | Warm (repeat visit) | Elimination lever |
|---|---|---|---|
| DNS | 30–100 ms (resolver walk) | <1 ms (OS cache) | dns-prefetch / long TTL |
| TCP handshake | ~25 ms (1 RTT regional) | 0 ms (connection pooled) | connection keep-alive / preconnect |
| TLS 1.3 new | ~25 ms (1 RTT) | 0 ms (0-RTT resumption) | session ticket / PSK |
| HTTP request | ~25 ms (1 RTT) | ~25 ms | CDN edge cache hit |
| Total to TTFB | 105–175 ms | 25–30 ms | — |
The key insight: DNS and TCP are eliminated by caching and connection pooling on repeat visits. TLS is eliminated by session resumption (PSK). On a warm return visit, TTFB can drop from 175 ms to under 30 ms — not because the network got faster but because round-trips were removed entirely.
Phase 1: DNS (~30 ms cold, <1 ms warm)
The browser asks Rex: “What is the IP for example.com?” Rex checks its cache. Cache warm → replies in microseconds. Cache cold → Rex walks the hierarchy: root nameserver → .com TLD nameserver → example.com authoritative nameserver. Each hop is one network round-trip. A cold DNS lookup in North America or Europe takes 30–100 ms.
The TTL trap. If a CDN operator sets TTL=60 s to enable rapid failover, most users pay the cold DNS cost far more often than necessary. TTL=300 s is a better default for most cases — five minutes of resolver caching, still failover in under five minutes.
Optimisation: dns-prefetch. Adding <link rel="dns-prefetch" href="//cdn.example.com"> to your HTML asks the browser to resolve anticipated hostnames during page parse, before the main parser reaches the actual resource URLs. Cost: a few milliseconds of DNS time moved off the critical path.
Phase 2: TCP handshake (1 RTT, 10–100 ms by geography)
Bea sends SYN → Sven responds SYN-ACK → Bea sends ACK. Three packets, one round-trip. The time is bounded by geography:
- London to Frankfurt: ~10–15 ms.
- London to New York: ~56 ms (per High Performance Browser Networking, speed of light through fiber).
- London to California: ~100 ms.
After the handshake, TCP’s initial congestion window (IW=10, per RFC 6928) allows up to 10 packets (~14.6 KB) in flight without waiting for ACKs. The first response must fit in the IW or Bea must wait for an ACK before receiving more — one hidden reason why keeping HTML under 14 KB matters.
Optimisation: preconnect. <link rel="preconnect" href="//fonts.googleapis.com" crossorigin> tells the browser to open TCP + TLS to anticipated origins before the main parser reaches them. Right pattern: apply to two or three critical origins (CDN, fonts, API), not all origins.
Phase 3: TLS 1.3 handshake (1 RTT new, 0 RTT resumed)
Bea sends ClientHello (key share, cipher suites). Sven responds ServerHello (chosen cipher, certificate, server key share). Bea validates the certificate against Cara’s signature. Both derive shared keys. Cost: one round-trip (~25 ms regional). If Bea has seen Sven before, she sends a pre-shared key (PSK) from the session ticket cached on her last visit. Sven accepts without sending the certificate again. Cost: zero additional round-trips — the TLS handshake piggybacks onto the existing QUIC or TCP connection.
0-RTT data. On TLS 1.3 with 0-RTT resumption over QUIC (HTTP/3), Bea can send her HTTP request inside the same initial QUIC packet as the TLS ClientHello — before the server has responded. This saves one RTT on warm connections. 0-RTT is only safe for idempotent methods (GET, HEAD, OPTIONS). For POST or PUT, 0-RTT exposes replay risk (an attacker who captures the encrypted packet can re-send it). Servers must reject 0-RTT for state-changing methods with 425 Too Early.
Edge cases
Connection coalescing: if two origins share the same IP and certificate (e.g., api.example.com and cdn.example.com served behind the same Cloudflare edge), a browser may reuse one HTTP/2 or /3 connection for both. This eliminates the TCP + TLS handshake for the second origin entirely. Coalescing happens silently; you benefit from it if you host multiple subdomains behind one CDN.
Trace it
1/5 Trace a complete first-visit page load from cold cache to TTFB.
1
Step 1 of 5
User types URL. What happens in the browser first?
Browser parses the URL, checks its own HSTS/SVCB cache, then issues a DNS query via the OS resolver or its own DoH stack.
2
Locked
DNS returns the IP. What happens next?
Browser opens a TCP socket to that IP and begins the 3-way handshake (SYN → SYN-ACK → ACK). If HTTP/3 is supported, it may attempt a QUIC initial packet instead, which merges TCP-equivalent transport with TLS.
3
Locked
TCP done. TLS begins. What does Bea send first?
ClientHello: lists supported cipher suites, key shares (for TLS 1.3 ECDHE), and supported extensions (SNI, ALPN, session ticket for resumption if available).
4
Locked
Sven responds with ServerHello + Certificate. What does Bea check?
Bea verifies Sven's certificate chain up to a trusted root CA (Cara). Checks: certificate not expired, domain matches SNI, signature valid, not on a CRL/OCSP revocation list.
5
Locked
TLS done. Bea sends the HTTP request. Server processes and returns first byte. Total TTFB?
DNS (~50 ms cold) + TCP (~25 ms regional) + TLS (~25 ms new) + HTTP RTT (~25 ms) = ~125 ms TTFB. Warm repeat: DNS <1 ms + TCP 0 ms (pooled) + TLS 0 ms (0-RTT) + HTTP ~25 ms = ~25 ms.
✓ Traced.
Trace it
1/5 Trace the same site 30 minutes later — warm cache.
1
Step 1 of 5
DNS cached at OS resolver. How long does DNS take?
<1 ms. Browser may also have its own DNS cache (Chrome has a 60-second DNS cache), also sub-millisecond.
2
Locked
TCP — what changes for the warm connection?
If HTTP keep-alive or HTTP/2+/3 connection pooling is active, TCP is already established. Browser sends the HTTP request on the existing connection — zero TCP setup cost.
3
Locked
TLS — what changes?
TLS 1.3 session resumption (PSK from cached session ticket) skips certificate verification. If HTTP/3, 0-RTT may send the request before the server's first TLS response — eliminating that round-trip.
4
Locked
Static assets. What does the browser do for cached resources?
Reads from browser disk cache (~10 ms each, parallelised). For resources with max-age still valid: no network traffic. For resources with no-cache: sends conditional GET with If-None-Match. CDN returns 304 Not Modified (empty body, headers only).
5
Locked
Total time to LCP on a warm load?
Often under 100 ms. DNS <1 + TCP 0 (pooled) + TLS 0 (0-RTT) + HTML CDN hit ~25 ms + render ~60 ms. The limiting factor becomes JavaScript parsing and layout, not network.
✓ Traced.
Quiz
Completed
0-RTT resumption saves a round-trip but is unsafe for POST requests. Why?
Heads-up Size limits do apply, but the real risk is idempotency, not size.
Heads-up The HTTP spec does not require this; the risk is replay, not a spec rule.
Heads-up 0-RTT encrypts everything; the problem is replay, not encryption.
Order the steps
Completed
Order these optimisations by the number of round-trips they eliminate (most to fewest):
- 1 CDN edge cache hit (eliminates DNS + TCP + TLS + origin round-trip)
- 2 TLS 0-RTT resumption (eliminates 1 TLS RTT)
- 3 Connection keep-alive (eliminates TCP handshake for subsequent requests)
- 4 dns-prefetch (moves DNS off the critical path, does not eliminate a round-trip)
- 01Explain why TLS 1.3 0-RTT saves a round-trip but is dangerous for non-idempotent requests.
- 02What is the TCP initial congestion window (IW=10) and why does it matter for page load?
- 03Why does `<link rel=preconnect>` to ten origins harm more than it helps?
Recap
The first three phases — DNS, TCP, TLS — are strictly sequential and together account for 100–175 ms on a first visit. Each can be reduced by geography (CDN edge) or eliminated by caching (DNS TTL, connection keep-alive, TLS session resumption). On a warm return visit, all three can collapse to under 1 ms total by reusing the OS DNS cache, a pooled connection, and a TLS PSK. HTTP/3 0-RTT goes further, piggybacking the HTTP request onto the TLS ClientHello — but only safely for idempotent methods. The TCP initial congestion window of 10 packets (~14.6 KB) is a hidden threshold: responses exceeding it pay an extra round-trip before the server can send more data.
Connected lessons
unlocks
appears again in258
- Why GraphQL gets N+1junior
- DataLoader mechanics: tick-boundary batchingmiddle
- Batch function contracts: ordering, shapes, errorsmiddle
- Federation and lookahead: batching beyond DataLoadermiddle
- Query complexity defences: depth, cost, persisted queriesmiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- The journey of a request: seven stops from socket to responsejunior
- Accept and parse: from kernel queue to a typed requestmiddle
- Routing and middleware: choosing what runs, and in what ordermiddle
- Handler and response: from business logic to bytes on the wiremiddle
- Streaming and backpressure: when the client reads slower than you writesenior
- Timeouts and tail latency: budgets, deadlines, and the fan-out trapsenior
- Middleware and DI: the two patterns that shape every backendjunior
- Writing middleware: signatures, next(), and the three framework modelsmiddle
- Inversion of control: how dependencies reach a classmiddle
- DI scopes and lifecycles: singleton, request, transientmiddle
- DI as a testing seam: fakes, mocks, and the boundary that matterssenior
- DI containers in production: resolution graphs, circular deps, and when not tosenior
- Blocking vs non-blocking I/O: two ways to waitjunior
- The event loop: one thread, ordered phasesmiddle
- What blocks the loop: CPU work and sync callsmiddle
- Offloading CPU work: worker threads and the libuv poolmiddle
- Backpressure and bounded concurrencysenior
- Throughput under load: tail latency and saturationsenior
- Why pool: the cost of creating a connectionjunior
- Pool sizing: why bigger is not fastermiddle
- Acquisition and timeouts: the wait queue is the real latency dialmiddle
- Why idempotency: making retries safejunior
- Server-side state machine: four states of an idempotency keymiddle
- Retry strategies: backoff, jitter, and thundering herdmiddle
- Outbox and inbox: effectively-once across the dual-write boundarymiddle
- Concurrency and cache architecture for idempotency at scalesenior
- Observability, production failures, and global-scale designsenior
- The event loop: one thread, three queuesjunior
- Tasks, microtasks, and scheduler.yield()middle
- Timer accuracy, throttling, and idle workmiddle
- Microtask starvation, Long Tasks, and LoAFsenior
- Node.js event loop: phases, nextTick, and loop lagsenior
- React, Vue, and INP observability in productionsenior
- The render pipeline: six stages from bytes to pixelsjunior
- Stage costs and the renderer process modelmiddle
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- DevTools flame strip and the frame lifecyclemiddle
- Layout thrash: forced synchronous layoutsenior
- BeginMainFrame, compositor-driven animations, and GPU memorysenior
- Production observability: LoAF, INP, and the full attack surfacesenior
- What V8 is and why performance varies 100×junior
- V8''''s four-tier JIT pipeline and profile-guided tieringmiddle
- Hidden classes, transition trees, and memory layoutmiddle
- Inline caches, IC states, and deoptimizationmiddle
- Orinoco GC: parallel scavenger, concurrent marking, and write barriersmiddle
- TurboFan''''s speculative engine and the deopt-loop trapsenior
- V8 in production: isolates, pointer compression, and real failuressenior
- Service worker lifecycle and cache strategiesmiddle
- Service worker edge cases: version skew, durability, and navigation trapssenior
- What the reconciler does: render vs commitjunior
- The fiber object and the double-buffer treemiddle
- Render phase purity and commit phase sub-stepsmiddle
- Reconciliation: diffing heuristics and the key trapmiddle
- Priority lanes, time-slicing, and useTransitionmiddle
- Bailout, memoisation, and tearingsenior
- React Profiler, the Compiler, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Hydration mismatch: causes, detection, and the determinism rulesenior
- RSC, per-route strategy, and production observabilitysenior
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- LCP: four phases, one dominant costmiddle
- INP: input delay, processing, presentationmiddle
- CLS: why layout shifts happen and how to stop themmiddle
- Lab vs field: why the two disagree and how to use eachmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What is a cache stampede and why it makes things worsejunior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- XFetch: coordination-free probabilistic early expirationmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- What a relation is: tables, rows, keys, and constraintsjunior
- Constraints, keys, and Postgres data typesmiddle
- Normal forms, denormalization, and why schemas stickmiddle
- JSONB, arrays, and when a side table winsmiddle
- Heap storage, TOAST, and column alignmentsenior
- Schema integrity: deferral, versioning, and production failure modessenior
- Relational vs document, wide-column, graph, and key-valuesenior
- What an index is and how it speeds up queriesjunior
- The leading-column rule and composite index designmiddle
- Partial, expression, and covering indexesmiddle
- Index types: GIN, GiST, BRIN, Hash, Bloom, and HOT updatesmiddle
- Index-only scans, the Visibility Map, and INCLUDEsenior
- Production failure modes and the index audit playbooksenior
- Index design exercise: full-text search strategysenior
- EXPLAIN and execution plans: what the planner decides and whyjunior
- Scan types: Seq, Index, Bitmap, Index-Onlymiddle
- Join algorithms and the row-estimate cascademiddle
- pg_statistic, ANALYZE, and production observabilitymiddle
- Extended statistics: fixing correlated-column estimate failuressenior
- Plan cache, cost-constant tuning, and planner internalssenior
- Production failure modes and plan stabilitysenior
- MVCC: why readers and writers never wait for each otherjunior
- Row versions and snapshots: the on-disk mechanicsmiddle
- HOT updates and isolation levels: what you gain and what you paymiddle
- Vacuum and bloat: keeping the storage tax boundedmiddle
- CLOG, XID wraparound, and MultiXact: deep visibility internalssenior
- SSI internals and production autovacuum tuningsenior
- Real-world MVCC failures, deployment patterns, and distributed snapshotssenior
- Connection pools: amortising the cost of a Postgres backendjunior
- PgBouncer session, transaction, and statement modesmiddle
- Pool sizing: the (cores × 2) + spindles formula and the two-layer stackmiddle
- Pool exhaustion and idle-in-transaction: the 3 AM failure modemiddle
- Migrating to transaction mode: rollout playbook and PgBouncer 1.21 prepared statementsmiddle
- The Postgres process model and why raising max_connections degrades throughputsenior
- Pooler landscape 2026, serverless connection storms, and the full failure-mode taxonomysenior
- What a schema migration is and why it replaces ad-hoc DDLjunior
- ADD COLUMN: instant in PG 11+ vs rewrite in older Postgresjunior
- The lock-queue failure mode: why instant DDL can freeze the databasemiddle
- Safe DDL patterns: NOT VALID, CONCURRENTLY, and unsafe-op fixesmiddle
- Expand-contract: zero-downtime for breaking schema changesmiddle
- Advisory locks, migration tools, and deploy coordinationsenior
- Migration failure taxonomy and production disciplinesenior
- Why sharding exists: the single-Postgres ceilingjunior
- Shard-key selection: hash, range, list, and directory strategiesmiddle
- Partitioning vs sharding: same word, two different thingsmiddle
- Co-location and Citus: the invariant that makes sharding usablemiddle
- The hot-shard failure mode: detection, isolation, and durable policymiddle
- Schema-based sharding and multi-tenancy alternativessenior
- Online resharding, 2PC, and the operational cost of shardingsenior
- The seven acts: from CREATE TABLE to Citusjunior
- Acts 1–3 in depth: schema, indexes, and planner statisticsmiddle
- Acts 4–6 in depth: MVCC bloat, connection pooling, and safe migrationsmiddle
- Act 7 in depth: sharding, co-location, and the seven-tier tradeoff cascademiddle
- Observability, anti-patterns, and production triagesenior
- Raft roles, terms, and why majority quorums prevent split brainjunior
- How Raft replicates a log entry and decides it is safe to commitmiddle
- Raft leader election: timeouts, voting rules, and the four safety propertiesmiddle
- Raft in the real world: partitions, slow disks, and client routingmiddle
- Raft extensions: pre-vote, learners, snapshots, and linearizable readssenior
- Raft in production: membership changes, Multi-Raft, and observabilitysenior
- Where data fetching happens — and why it decides LCPjunior
- Fetch waterfalls — diagnosis and the Promise.all curemiddle
- React Server Components and Suspense streamingmiddle
- Client-side cache: TanStack Query, SWR, and stale-while-revalidatemiddle
- LCP, prefetch, and race conditions in interactive fetchingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- What the three signals are: logs, metrics, and tracesjunior
- Metrics and cardinality: the cost model of a time-series databasemiddle
- Logs and volume: the cost model of structured loggingmiddle
- Traces and sampling: the cost model of distributed tracingmiddle
- Join keys and exemplars: making the three signals composemiddle
- Observability 2.0: wide events and the cost shiftsenior
- Failure modes and engineering practice: cardinality budgets, PII, and samplingsenior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- Log levels and alert routingmiddle
- Sampling strategies and log costmiddle
- PII redaction and log injectionsenior
- Trace context propagation in logssenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- OTel signals, Semantic Conventions, and the OTLP wire formatmiddle
- Auto-instrumentation and manual spans: the 80/20 of OTelmiddle
- The OTel Collector: receivers, processors, exporters, and deployment patternsmiddle
- Sampling strategies: head, tail, and parent-basedmiddle
- Vendor neutrality, eBPF instrumentation, the Operator, and browser/serverless OTelsenior
- Operating the OTel Collector: reliability, version skew, failure modes, and governancesenior
- RED and USE: two checklists, one triage disciplinejunior
- Instrumenting RED in Prometheus: counters, histograms, and cardinality disciplinemiddle
- USE on Linux: CPU, memory, disk, network, and PSImiddle
- Golden signals, dashboard layout, and service mesh auto-REDmiddle
- Cardinality as a cost driver: labels, PII, exemplars, and samplingmiddle
- Native histograms, SLO tie-in, and production failure patternsmiddle
- SLI, SLO, and the error budget: reliability by the numbersjunior
- Choosing SLIs and SLO targets: ratios, not feelingsmiddle
- Multi-window multi-burn-rate alerting: why AND beats ORmiddle
- Error budget policy, latency SLOs, and composite journeysmiddle
- Iceberg SLIs, composite SLO math, and SLA vs SLOsenior
- Production SLO failures, self-observability, security, and the big picturesenior
- Flame graphs: reading the picture that shows where time goesjunior
- Sampling vs instrumentation profiling: why 99 Hz wins in productionmiddle
- Profile types: CPU, memory, off-CPU, mutex — which one to reach formiddle
- Continuous profiling: always-on flame graphs with eBPF and trace-id correlationmiddle
- How flame graphs are built from samples, and the production workflows that use themmiddle
- Linux perf, eBPF internals, PGO, and the limits of samplingsenior
- Profiling in production: security, war stories, OTel profiles, and the infrastructure designsenior
- The debugging funnel: SLO → RED → trace → profilejunior
- OTel architecture: one SDK, four signals, one wire formatmiddle
- Cost discipline: keeping observability under 5% of infra spendmiddle
- The incident loop: from pager to postmortem to preventionmiddle
- Scale, security, and the ROI of observable systemssenior
- Why profile first: measure where time actually goesjunior
- Amdahl''''s law and self-time: the ceiling on every speedup you can shipmiddle
- The measurement loop: microbench, macrobench, prod profile, observer effectmiddle
- Reading flame graphs: shapes, per-language profilers, and the 60-second scanmiddle
- Statistical baselines: why one run is not a measurementmiddle
- Profiler history and microbenchmark pitfalls: Knuth to GWPsenior
- Hardware counters, cold-start profiles, and profile securitysenior
- Continuous profiling at scale: costs, CI gates, trace correlation, and anti-patternssenior
- What makes a hot path: symptom vs causejunior
- Five shapes of hotspot: CPU, alloc, cache, lock, syscallmiddle
- Reading parent and child chains: where to apply the fixmiddle
- JIT deopt, the fix-and-verify loop, and PR-time profilingmiddle
- Hardware counters and Intel TMA: sub-category diagnosissenior
- False sharing and native-bridge hot pathssenior
- Hot paths in production: security, tail latency, and tooling lineagesenior
- Memory hierarchy: why the same O(N) loop can be 17x slowerjunior
- Row-major vs column-major: access order and the 9x gapjunior
- Cache lines, struct layout, and false sharingmiddle
- Branch prediction and branchless codemiddle
- SIMD, SoA vs AoS, and memory bandwidthmiddle
- Hardware prefetcher, TLB, and memory-level parallelismsenior
- Cache-oblivious algorithms, PGO, and production failuressenior
- GC basics: what the runtime taxes you forjunior
- GC algorithms: generational, concurrent, and per-runtimemiddle
- GC tradeoffs: pause, throughput, heap — and object poolingmiddle
- GC tuning: pacing, heap shape, and allocation observabilitymiddle
- GC internals: tri-color invariant, write barriers, and per-runtime deep-divessenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- N+1: one logical operation, many round-tripsjunior
- Fix families: JOIN, IN, preload, and DataLoadermiddle
- Detecting N+1: query logs, APM traces, and CI gatesmiddle
- DataLoader: batching across resolver treesmiddle
- Cross-protocol N+1: HTTP fan-out and Redis MGETmiddle
- N+1 at scale: pool exhaustion, plan changes, and denormalisationsenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- What a bundle actually costs: download, parse, compile, executejunior
- Core Web Vitals: LCP, INP, and CLSmiddle
- Code splitting: route-level, component-level, vendor splittingmiddle
- Tree shaking and compression: removing what you don''''t usemiddle
- Third-party scripts: the silent budget killermiddle
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- The three failure legs — where duplicates and losses actually happenmiddle
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Kafka exactly-once semantics: idempotent producer and transactionsmiddle
- SQS visibility timeout, DLQ, and the outbox patternmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior
- What OAuth is and why passwords are not the answerjunior
- Authorization code flow with PKCEmiddle
- ID token validation and JWKS cache managementmiddle
- Refresh token rotation and scope-based least privilegemiddle
- Sender-constrained tokens: DPoP and mTLSsenior
- OAuth in production: audience attacks, observability, and real failuressenior