<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>SPA on cloudmato.com</title><link>https://cloudmato.com/tags/spa/</link><description>Recent content in SPA on cloudmato.com</description><generator>Hugo -- gohugo.io</generator><language>en</language><managingEditor>cloudmato.com</managingEditor><webMaster>cloudmato.com</webMaster><lastBuildDate>Tue, 23 Jun 2026 17:08:57 +0530</lastBuildDate><atom:link href="https://cloudmato.com/tags/spa/index.xml" rel="self" type="application/rss+xml"/><item><title>Secure Auth for SPAs: SSO, MFA, and Token Refresh</title><link>https://cloudmato.com/posts/spa-secure-authentication-sso-mfa/</link><pubDate>Tue, 23 Jun 2026 17:08:57 +0530</pubDate><author>cloudmato.com</author><guid>https://cloudmato.com/posts/spa-secure-authentication-sso-mfa/</guid><description>&lt;p&gt;The browser is a hostile environment. That one sentence explains more about why SPA authentication goes wrong than any whitepaper ever has. You&amp;rsquo;re shipping your entire application — including your auth logic — to a machine you don&amp;rsquo;t control, in a runtime where malicious scripts, rogue browser extensions, and network-level attackers are all operating in the same sandpit. Get the design wrong and you&amp;rsquo;re not just leaking a JWT. You&amp;rsquo;re handing over session persistence, user identity, and trust — all at once.&lt;/p&gt;</description></item></channel></rss>