Case Study 10 · HMAC token auth · seamless SSO

Cross-Domain Authentication Consultant — HMAC SSO Implementation

HMAC-SHA256 · JWT · Next.js · Supabase Auth

The Problem

A membership platform ran its marketing site on one platform and its member dashboard on another. When members clicked 'go to your dashboard,' they landed on a login screen — even though they were already logged in. There was no connection between the two systems, and the broken handoff was eroding trust in the product.

The Build

We engineered a secure signed identity handoff using HMAC-SHA256 tokens. When an authenticated member clicks through from the marketing site, the platform generates a time-limited signed token containing the user's identity and passes it as a URL parameter. The dashboard verifies the signature server-side before granting session access — so no credentials are exposed and the token can't be replayed or forged. The implementation is stateless, requires no shared session store, and works across any two systems that can share a secret key.

The Outcomes

Zero re-authentication prompts for logged-in members crossing domains
Token-based handoff is replay-proof and time-limited
No cookies, no shared sessions, no browser-specific assumptions
Architecture is reusable across any future platforms added to the ecosystem
Passes unchanged into a future mobile app — no backend changes required

The Stack

HMAC-SHA256 · JWT · Next.js · Supabase Auth · Node.js · Vercel
Have a similar problem?
We start every engagement by understanding what's actually broken before we touch a tool.