Your serverless apphas a security blindspot.Pubflow fixes it.
JWT exposure, no session revocation, cold-start vulnerabilities, vibe-coded auth — serverless apps carry unique security risks that most developers never address.
Pubflow IS the Trust Layer Standard: the portable, language-agnostic architecture that defines how authentication, sessions, and trust flow through modern serverless systems.
Serverless amplifies every auth mistake
Traditional auth patterns break down in serverless environments. Each cold start, each stateless function, each ephemeral container is a new attack surface.
JWT tokens in localStorage
JWTs exposed in the browser can't be revoked. If stolen, the attacker has full access until expiry — which could be hours or days.
Cold start session loss
Stateless serverless functions can't hold in-memory session state. Every cold start means a full DB roundtrip to re-validate sessions — slow and error-prone.
Secrets in environment bleed
Serverless functions often share environment variable scopes, leaking signing keys, DB credentials, and API tokens across unrelated endpoints.
No instant revocation
JWTs and long-lived tokens have no built-in revocation. Compromised accounts stay compromised until token expiry — a window of up to 24 hours.
Vibe-coded auth vulnerabilities
AI tools generate plausible-looking auth code that is actually insecure — weak hashing, alg:none JWTs, missing CORS, exposed secrets. Nobody reviews it.
No session context at scale
IP binding, device fingerprinting, and user-agent validation don't exist in most serverless auth setups — leaving session hijacking trivially easy.
AI generates your code. It cannot architect your trust.
Copilot, Claude, Cursor, and v0 write features and UI at incredible speed. But they can't solve the architectural trust problem: who is the user, can they do this, how do we revoke access instantly, and how do we port this to any language? Nobody has standardized this — until now.
The Trust Layer Standard for serverless
Pubflow defines how trust flows through systems. One portable architecture that works in any language, any serverless provider, any database.
Trust Layer Architecture
Your App
Holds opaque session_id only
session_id only
Flowfull
Your backend logic + authorization
bridge_secret
Flowless
Identity + sessions + tokens
The session payload never leaves the server. The client only ever holds an opaque ID. Instant revocation. Zero JWT exposure.
Trust Session Tokens
Opaque session_id to the client. Full payload server-side only.
Unlike JWTs, Trust Session Tokens never expose the session payload to the client. The cryptographically validated payload travels Flowless → Flowfull server-to-server only. Instant revocation. No alg-confusion attacks.
Bridge Validation
Server-to-server trust protocol — no credentials exposed.
Flowfull asks Flowless: 'is this session valid?' using a shared bridge_secret. The protocol that makes the standard work. Works across any serverless provider, any language.
Argon2id Password Hashing
Resistant to GPU/ASIC brute-force attacks.
All passwords are hashed with Argon2id — not bcrypt, not MD5. Automatically handled by Flowless. You never touch raw passwords or hashing logic.
PASETO Trust Tokens
Single-use Ed25519-signed tokens for sensitive actions.
Email verification, password reset, magic links, invitations — all use PASETO v4 / Ed25519. Single-use, time-limited, consumed on use. No JWT alg-confusion vulnerability class.
HybridCache Sessions
97% cache hit rate. Session validation in <1ms.
3-tier cache: LRU in-memory (<0.1ms) → Redis distributed (<1ms) → Database (truth, ~50ms). Cold starts are not cold anymore — sessions are pre-warmed in cache.
Validation Modes
STANDARD · ADVANCED · STRICT — per route.
Apply different security profiles to different routes. STANDARD checks session + IP. ADVANCED adds device fingerprint. STRICT adds user-agent binding. Pick per endpoint.
7 serverless security best practices — built in by default
These aren't checklist items you add after the fact. With Pubflow, they're the default architecture.
Practice 01
Opaque session_id — never expose token payloads in the browser
// ❌ JWT in localStorage — full payload exposed, can't revoke
localStorage.setItem('token', jwtToken) // attacker gets userId, role, permissions
// ✓ Pubflow: opaque session_id in localStorage — safe, meaningless alone
localStorage.setItem('session_id', 'sess_8f3kQmZ...') // just a reference ID
// Full session payload stays in Flowless — server-side only, never in browserPractice 02
Validate sessions server-to-server only
// ✓ Bridge Validation — server-to-server only
// Flowfull asks Flowless: "is this session valid?"
// bridge_secret never leaves the server
const session = await flowless.validate(session_id, {
bridge_secret: process.env.BRIDGE_SECRET
})Practice 03
Use Argon2id — not bcrypt
// ✓ Argon2id — resistant to GPU/ASIC attacks
// Automatically used by Flowless on every password
// You never touch raw passwords or hashing logicPractice 04
Cache sessions — don't hit the DB on every request
// ✓ HybridCache: LRU → Redis → DB
// 97% cache hit rate — <1ms cold start sessions
// Session valid = pulled from LRU, not DBPractice 05
Single-use PASETO tokens for sensitive actions
// ✓ PASETO v4 (Ed25519) — no alg confusion
// Single-use, time-limited, consumed on use
// email_verify | password_reset | invite | magic_linkPractice 06
Apply per-route validation modes
// ✓ Validation Modes — per route
STANDARD → session_id + IP check
ADVANCED → + device fingerprint
STRICT → + user-agent bindingPractice 07
Zero-lock-in secrets and environment isolation
Serverless threat matrix
Common serverless security vulnerabilities and how Pubflow's Trust Layer addresses each one.
| Token theft (XSS) | JWT stolen from localStorage | Opaque session_id — payload never in browser |
| Session hijacking | No IP/device binding | ADVANCED mode: device fingerprint + IP binding |
| No revocation window | Wait for JWT expiry (hours) | Instant revocation — DB write propagates via cache |
| Brute-force passwords | Bcrypt or MD5 hashing | Argon2id — GPU/ASIC resistant |
| Replay attack (magic link) | Reusable JWT link — forwarded and replayed | PASETO single-use token — consumed on first use |
| Cold start latency attack | 50ms+ DB roundtrip per request | HybridCache: <1ms from LRU or Redis |
| Vibe-coded auth bypass | AI-generated token verification logic | Bridge Validation — standardized server-only protocol |
Security-first. Portable. No lock-in.
Every auth decision made with Pubflow is battle-tested, standards-based, and yours to keep.
Secure by default
Argon2id, PASETO v4, opaque session tokens, instant revocation. Security isn't a plugin — it's the architecture.
Stateless & blazing fast
HybridCache hits 97% of sessions in <1ms. Cold starts are warm starts. No DB bottleneck at scale.
Any language, any cloud
TypeScript, Go, Python, Elixir. AWS Lambda, Vercel, Cloudflare Workers, Fly.io. One standard. Zero lock-in.
From $5/mo
Transparent pricing with no usage surprises. Free tier with real features, not a trial. Scale without sticker shock.
| Feature | DIY / Roll your own | Auth0 / Clerk | Firebase / Supabase | Pubflow |
|---|---|---|---|---|
| Auth architecture | ❌ Manual | ⚠️ Auth only | ⚠️ Basic | ✅ Trust Layer Standard |
| Session tokens | ❌ JWT usually | ⚠️ JWT/opaque | ❌ JWT | ✅ Opaque session_id |
| Session revocation | ❌ Minutes/hours | ⚠️ Only on refresh | ❌ Wait for expiry | ✅ Instant |
| Password hashing | ❌ Manual | ⚠️ Partial | ⚠️ Partial | ✅ Argon2id built-in |
| Portability | ✅ Yes | ❌ SaaS lock-in | ❌ Google lock-in | ✅ Zero lock-in |
| Validation modes | ❌ None | ⚠️ One mode | ❌ None | ✅ Standard/Advanced/Strict |
Free
$0
Start building for free. No credit card required.
- ✓2 deployment slots + Flowless managed
- ✓Full Trust Layer — secure by default
- ✓1 cloud database · community support
A1 — Starter
$5/mo
The entry tier. Real features from day one.
- ✓3 slots · 100K req/mo · 8 BYOD databases
- ✓Custom domain + full Trust Layer
- ✓Email support
Enterprise
Custom
For regulated teams and large organizations.
- ✓Custom SLA + compliance
- ✓SSO, audit logs, custom contracts
- ✓Dedicated onboarding
Ship serverless appsthat are actually secure.
Stop bolting security on after the fact. Build on the Trust Layer Standard — the portable, language-agnostic architecture that makes every serverless app production-safe from day one.
AI writes your code. Pubflow IS the trust it can't write.
No credit card required. Real free tier. Deploy in minutes.