OAuth2

Secure Auth for SPAs: SSO, MFA, and Token Refresh
The browser is a hostile environment. That one sentence explains more about why SPA authentication goes wrong than any whitepaper ever has. You’re shipping your entire application — including your auth logic — to a machine you don’t control, in a runtime where malicious scripts, rogue browser extensions, and network-level attackers are all operating in the same sandpit. Get the design wrong and you’re not just leaking a JWT. You’re handing over session persistence, user identity, and trust — all at once.