We all know OAuth2 and OIDC. But the landscape has shifted. With the rise of heavy client-side apps, machine-to-machine agents, and zero-trust mandates, the "standard" flow is no longer enough.
Drawing from my experience building an identity server solution, we will explore the advanced identity patterns required for modern apps. We’ll cover the shift to "Sender Constrained Tokens" (DPoP), high-security flows for SPAs (BFF pattern vs. Token Handler), and how to securely authenticate non-human agents accessing your APIs. Stop leaking bearer tokens and start implementing identity architecture that withstands 2026 threats.