Auth method chooser
Sessions, JWT, OAuth, passkeys, or magic links? Six questions about your clients, revocation needs, and threat model — plus what not to do.
~~~
Answer every question before seeing a recommendation.
Primary fit
Sweet spot
When not to use it
Tradeoffs
Also scored well
~~~
Security checklist
Anti-recommendations
~~~
About this tool
There is no single best auth method. Sessions excel at revocation; JWTs excel at stateless APIs; OAuth outsources passwords; passkeys resist phishing; magic links reduce friction. Most production apps combine two (OAuth → session, passkey → session).
Shareable URLs encode quiz answers only — never tokens or passwords.
~~~