<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Curity Articles</title>
    <link>https://curity.io</link>
    <description>Our articles offer insights on a range of topics such as identity and access management, Financial-grade and API security.</description>
    <lastBuildDate>Wed, 01 Apr 2026 14:40:12 GMT</lastBuildDate>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <generator>GatsbyJS</generator>
    <copyright>All rights reserved 2026, @curityio</copyright>
    <item>
      <title>Design AI for Enterprises</title>
      <link>https://curity.io/resources/learn/ai-for-enterprises/</link>
      <guid>https://curity.io/resources/learn/ai-for-enterprises/</guid>
      <pubDate>Tue, 10 Mar 2026 00:00:00 GMT</pubDate>
      <content:encoded>Many enterprises are considering ways to design AI initiatives and gain a business advantage. Usually, people start with basic AI and then want to upgrade to enterprise AI. This article summarizes the approaches that Curity recommends, to plan your future enterprise AI direction… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/ai-for-enterprises/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>OAuth Client ID Metadata Document</title>
      <link>https://curity.io/resources/learn/oauth-client-id-metadata-document/</link>
      <guid>https://curity.io/resources/learn/oauth-client-id-metadata-document/</guid>
      <pubDate>Mon, 02 Mar 2026 00:00:00 GMT</pubDate>
      <content:encoded>What is the Client ID Metadata Document?  refers to a draft specification that defines the client ID as an HTTPS URL that points to a JSON document, the client metadata document. This semantic definition of the client ID implies that each… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/oauth-client-id-metadata-document/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>Browserless OAuth</title>
      <link>https://curity.io/resources/learn/browserless-oauth-ai-agents/</link>
      <guid>https://curity.io/resources/learn/browserless-oauth-ai-agents/</guid>
      <pubDate>Tue, 17 Feb 2026 00:00:00 GMT</pubDate>
      <content:encoded>Browserless OAuth is a way for applications to avoid having to open the browser for an OAuth flow. It describes API-driven approaches for applications to interact directly with the user and forward information to the authorization server. It enables applications to own the user… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/browserless-oauth-ai-agents/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>Dynamic Trust for AI Agents</title>
      <link>https://curity.io/resources/learn/dynamic-trust-for-ai-agents/</link>
      <guid>https://curity.io/resources/learn/dynamic-trust-for-ai-agents/</guid>
      <pubDate>Thu, 12 Feb 2026 00:00:00 GMT</pubDate>
      <content:encoded>Dynamic trust establishment means that clients like AI agents (or AI agent developers) don't have to have a prior relationship with a server to securely integrate. Instead, clients can establish trust programmatically when needed. Dynamic trust establishment allows AI agents to… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/dynamic-trust-for-ai-agents/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>API Access Across Trust Domains</title>
      <link>https://curity.io/resources/learn/api-access-across-trust-domains/</link>
      <guid>https://curity.io/resources/learn/api-access-across-trust-domains/</guid>
      <pubDate>Wed, 04 Feb 2026 00:00:00 GMT</pubDate>
      <content:encoded>Trust domains are a way to segment a zero trust architecture. They allow for controlling who can talk to who based on a trust anchor. API access across trust domains implies that an OAuth client needs to communicate with multiple authorization servers to get the appropriate… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/api-access-across-trust-domains/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>SSO for AI Agents with OpenID Connect</title>
      <link>https://curity.io/resources/learn/sso-for-ai-agents-with-openid-connect/</link>
      <guid>https://curity.io/resources/learn/sso-for-ai-agents-with-openid-connect/</guid>
      <pubDate>Thu, 29 Jan 2026 00:00:00 GMT</pubDate>
      <content:encoded>Single Sign-On for AI agents means that users can use an active session with a common identity provider to authenticate to an AI agent and via an AI agent to other systems (APIs). In other words, SSO for AI agents has two aspects: SSO when the user logs in to an AI agent. SSO… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/sso-for-ai-agents-with-openid-connect/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>OpenID Authorization Exchange (AuthZEN)</title>
      <link>https://curity.io/resources/learn/authzen/</link>
      <guid>https://curity.io/resources/learn/authzen/</guid>
      <pubDate>Wed, 28 Jan 2026 00:00:00 GMT</pubDate>
      <content:encoded>There are many approaches to implement fine-grained authorization and many different types of  in the market. For the most part they all strive to bring the ability to perform fine-grained authorization of access to data beyond what is possible with… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/authzen/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>An Introduction to Authorization</title>
      <link>https://curity.io/resources/learn/introduction-authorization/</link>
      <guid>https://curity.io/resources/learn/introduction-authorization/</guid>
      <pubDate>Tue, 02 Dec 2025 00:00:00 GMT</pubDate>
      <content:encoded>is the process of granting access to resources. It is tightly coupled to  that verifies the subjects that are requesting access. While the focus for authentication and authorization often lies on human users, they are becoming equally important for… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/introduction-authorization/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>API Security Best Practices for AI Agents</title>
      <link>https://curity.io/resources/learn/api-security-best-practice-for-ai-agents/</link>
      <guid>https://curity.io/resources/learn/api-security-best-practice-for-ai-agents/</guid>
      <pubDate>Thu, 13 Nov 2025 00:00:00 GMT</pubDate>
      <content:encoded>AI technology can produce pretty impressive results. As a consequence, AI agents are a popular way for users to consume data and, internally, to call APIs. The questions are, what exactly are AI agents and — more importantly — if you have an API, how do you properly secure API… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/api-security-best-practice-for-ai-agents/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>Design MCP Authorization for APIs</title>
      <link>https://curity.io/resources/learn/design-mcp-authorization-apis/</link>
      <guid>https://curity.io/resources/learn/design-mcp-authorization-apis/</guid>
      <pubDate>Mon, 10 Nov 2025 00:00:00 GMT</pubDate>
      <content:encoded>AI Agents and API Access AI agents provide goal-oriented experiences for users, where a human sets an objective using natural language and the agent can choose actions to fulfill that objective. An AI agent uses a large language model (LLM) to process user input and determine… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/design-mcp-authorization-apis/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>MCP Authorization Lifecycle</title>
      <link>https://curity.io/resources/learn/mcp-authorization-lifecycle/</link>
      <guid>https://curity.io/resources/learn/mcp-authorization-lifecycle/</guid>
      <pubDate>Mon, 10 Nov 2025 00:00:00 GMT</pubDate>
      <content:encoded>is currently the most popular standard for building AI agents. It allows large language model-powered applications to, essentially, call APIs. While organizations already protect their APIs, the nature of AI agents might require adjustments to the… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/mcp-authorization-lifecycle/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>OAuth With Unsolicited SAML Responses</title>
      <link>https://curity.io/resources/learn/unsolicited-saml/</link>
      <guid>https://curity.io/resources/learn/unsolicited-saml/</guid>
      <pubDate>Tue, 23 Sep 2025 00:00:00 GMT</pubDate>
      <content:encoded>The SAML protocol allows identity providers (IdP) to redirect an already authenticated user to an application — a service provider, or SP, in SAML terms — without initiating the flow on the service provider's part. This approach is called an unsolicited SAML response, or an IdP… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/unsolicited-saml/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>An Overview of WebAuthn</title>
      <link>https://curity.io/resources/learn/webauthn-overview/</link>
      <guid>https://curity.io/resources/learn/webauthn-overview/</guid>
      <pubDate>Tue, 09 Sep 2025 00:00:00 GMT</pubDate>
      <content:encoded>What is WebAuthn? WebAuthn, or Web Authentication API, is a specification of a JavaScript API that allows applications to perform secure authentication for both multi-factor and single-factor scenarios. The API, exposed by a compliant browser, enables applications to talk to… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/webauthn-overview/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>Client Initiated Backchannel Authentication (CIBA) Flow</title>
      <link>https://curity.io/resources/learn/ciba-flow/</link>
      <guid>https://curity.io/resources/learn/ciba-flow/</guid>
      <pubDate>Tue, 09 Sep 2025 00:00:00 GMT</pubDate>
      <content:encoded>Overview of the CIBA Flow The  defines a protocol to support initiating authentication without user interaction from a consumption device. Authentication is performed via an authentication device by the user who also consents (if… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/ciba-flow/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>What is an Entitlement Management System?</title>
      <link>https://curity.io/resources/learn/entitlement-management-system/</link>
      <guid>https://curity.io/resources/learn/entitlement-management-system/</guid>
      <pubDate>Wed, 06 Aug 2025 00:00:00 GMT</pubDate>
      <content:encoded>An Entitlement Management System (EMS) is a core component of the Neo-Security Architecture that centrally manages, distributes, and enforces authorization policies across systems. It improves agility, auditability and compliance by allowing authorization logic to be maintained… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/entitlement-management-system/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>User Provisioning With SCIM</title>
      <link>https://curity.io/resources/learn/user-provisioning-with-scim/</link>
      <guid>https://curity.io/resources/learn/user-provisioning-with-scim/</guid>
      <pubDate>Fri, 01 Aug 2025 00:00:00 GMT</pubDate>
      <content:encoded>System for Cross-domain Identity Management (SCIM) is a REST-based protocol that provides a straightforward approach to resource management using the JSON data format. While SCIM is technically flexible enough to represent various types of resources, its most common application… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/user-provisioning-with-scim/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>What is PSD2, and How Does it Work?</title>
      <link>https://curity.io/resources/learn/what-is-psd2/</link>
      <guid>https://curity.io/resources/learn/what-is-psd2/</guid>
      <pubDate>Tue, 15 Jul 2025 00:00:00 GMT</pubDate>
      <content:encoded>PSD2 Explained The Revised Payment Services Directive (PSD2), introduced by the European Commission in 2015, helped to modernize the financial ecosystem across the European Union and European Economic Area. The main goals of the directive are to improve customer protection… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/what-is-psd2/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>Authentication vs. Authorization, What's the Difference?</title>
      <link>https://curity.io/resources/learn/authentication-vs-authorization/</link>
      <guid>https://curity.io/resources/learn/authentication-vs-authorization/</guid>
      <pubDate>Fri, 11 Jul 2025 00:00:00 GMT</pubDate>
      <content:encoded>The terms "authentication" and "authorization" are often mistakenly used interchangeably. However, they refer to two distinct security processes: authentication is the act of verifying a user's identity, while authorization determines what resources or actions the authenticated… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/authentication-vs-authorization/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>What Is OpenID Connect, and How Does It Work?</title>
      <link>https://curity.io/resources/learn/openid-connect-overview/</link>
      <guid>https://curity.io/resources/learn/openid-connect-overview/</guid>
      <pubDate>Mon, 07 Jul 2025 00:00:00 GMT</pubDate>
      <content:encoded>What is OpenID Connect? OpenID Connect (OIDC) is an identity layer on top of the  protocol. While OAuth provides ways to authorize resource access, OIDC allows applications to authenticate users, thus you will often hear about OIDC authentication.

The OpenID Connect… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/openid-connect-overview/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>What is Partner Identity and Access Management (PIAM), and How Does it Relate to B2B?</title>
      <link>https://curity.io/resources/learn/piam-overview/</link>
      <guid>https://curity.io/resources/learn/piam-overview/</guid>
      <pubDate>Thu, 26 Jun 2025 00:00:00 GMT</pubDate>
      <content:encoded>What is Partner Identity and Access Management (PIAM)? Partner Identity and Access Management (PIAM) is a type of  that incorporates the processes and tools to onboard, grant and govern access for business partners. Business partners are… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/piam-overview/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>Best Practices - OAuth and XSS Prevention</title>
      <link>https://curity.io/resources/learn/oauth-xss-prevention/</link>
      <guid>https://curity.io/resources/learn/oauth-xss-prevention/</guid>
      <pubDate>Fri, 20 Jun 2025 00:00:00 GMT</pubDate>
      <content:encoded>When you run an OAuth architecture, APIs manage access control and the authorization server implements user authentication. On the web side of the architecture, injection is the main security concern. In particular, you must protect against the threat of malicious JavaScript… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/oauth-xss-prevention/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>Mutual TLS Sender Constrained Access Tokens</title>
      <link>https://curity.io/resources/learn/oauth-certificate-bound-access-token/</link>
      <guid>https://curity.io/resources/learn/oauth-certificate-bound-access-token/</guid>
      <pubDate>Tue, 17 Jun 2025 00:00:00 GMT</pubDate>
      <content:encoded>Mutual TLS Sender Constrained Access Tokens provide a robust method for enhancing the security of OAuth 2.0-based authorization by binding the access token to the client's TLS certificate. This prevents unauthorized use of access tokens even if they are leaked or intercepted. In… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/oauth-certificate-bound-access-token/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>Mutual TLS Client Authentication</title>
      <link>https://curity.io/resources/learn/oauth-client-authentication-mutual-tls/</link>
      <guid>https://curity.io/resources/learn/oauth-client-authentication-mutual-tls/</guid>
      <pubDate>Tue, 17 Jun 2025 00:00:00 GMT</pubDate>
      <content:encoded>What is Mutual TLS? The Transport Layer Security (TLS) is a protocol designed to provide secure communication over the Internet and includes authentication, confidentiality and integrity. When a TLS connection is established the server provides a certificate that the client… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/oauth-client-authentication-mutual-tls/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>The Split Token Approach</title>
      <link>https://curity.io/resources/learn/split-token-pattern/</link>
      <guid>https://curity.io/resources/learn/split-token-pattern/</guid>
      <pubDate>Wed, 11 Jun 2025 00:00:00 GMT</pubDate>
      <content:encoded>You might have read before about the , which is a privacy-preserving token usage pattern for securing APIs and microservices that combines the security of opaque tokens with the convenience of JWTs. The Phantom Token approach takes the burden of token… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/split-token-pattern/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
    <item>
      <title>The API Security Maturity Model</title>
      <link>https://curity.io/resources/learn/the-api-security-maturity-model/</link>
      <guid>https://curity.io/resources/learn/the-api-security-maturity-model/</guid>
      <pubDate>Tue, 10 Jun 2025 00:00:00 GMT</pubDate>
      <content:encoded>API security has become a forefront issue for modern enterprises. As API attacks grow in frequency and sophistication, organizations need a structured way to evaluate and improve their security posture. Too often, APIs only adopt HTTP basic authentication, API keys, or token… &lt;br/&gt;&lt;a href="https://curity.io/resources/learn/the-api-security-maturity-model/"&gt;Read the full article on curity.io&lt;/a&gt;</content:encoded>
    </item>
  </channel>
</rss>