Authentication typically happens in one of two places: the frontend checks if a user is logged in before showing protected UI, and the backend validates tokens before processing requests. There's a third option—verifying JWTs at the edge, in a Cloudflare Worker, before requests reach your backend infrastructure.
API keys for backend authentication create a fundamental challenge in web applications: the credentials need to authenticate requests but cannot be exposed to clients. Hardcoding keys in frontend bundles or environment variables leaves them visible in browser developer tools. Anyone who opens the network tab can extract the key and
When building a React SPA with Cloudflare as the CDN it is possible to use S3 for static asset storage. If you have all of your resources typically on AWS, but want some of the advantages of Cloudflare, you can build a system that is very similar to the traditional