Writing

RSS

Every essay and deep dive I have published, aggregated here and from Dev.to.

Dev.toApril 30, 20264 min read

I rewrote my auth library to run on Cloudflare Workers. Here is what broke.

Most TypeScript auth libraries assume Node.js. They reach for crypto.randomBytes, Buffer, the Node fs...

cloudflaretypescriptwebdevserverless

Dev.toApril 29, 20265 min read

Adding OAuth 2.1 to your MCP server in TypeScript

If you're building an MCP server, sooner or later someone is going to ask: how does authentication...

tutorialoauthtypescriptai

Dev.toApril 29, 20266 min read

Prompt Caching With the Claude API: A Practical Guide

I noticed a pattern looking at three months of Anthropic invoices. The same 8 KB system prompt was...

aianthropicapiperformance

Dev.toApril 28, 20266 min read

An AI Tool Had OAuth to Their Whole Google Workspace. Then Vercel Got Breached.

A Vercel employee clicked Allow All on an AI app's OAuth consent screen. Three weeks later, customer environment variables were on a hacker's drive with a $2 million asking price. Here is the four-layer audit your org probably has not run.

securitywebdevdevtoolsai

Dev.toApril 28, 20266 min read

GitHub Copilot Switches to Usage-Based Billing on June 1. The Token Tab Came Due.

Microsoft announced Copilot Pro is still $10 per month, but $10 now buys $10 in AI credits, and a single Opus agent session can consume that. Here is what your real bill looks like.

aiwebdevdevtoolsproductivity

Dev.toApril 25, 20265 min read

The Quiet Sabotage: Why Most of My Dead Projects Died of Overthinking

Kevin Lynagh published a short essay this week about how he sabotages his own projects by...

productivityaiwebdevtutorial

Dev.toApril 23, 20265 min read

Claude Code Felt Off for a Month. Here Is What Broke.

For about four weeks in March and April, Claude Code felt noticeably worse. I was not imagining it....

aiproductivitywebdevtutorial

Dev.toApril 23, 20267 min read

The Token Tab: A Developer's Audit of the AI Hype Stack

A four-layer teardown of what you are actually buying when you follow an AI tutorial in 2026, with real numbers and a checklist you can run before you commit hardware or a subscription.

aidevtoolsproductivitycareer

On this siteApril 22, 20267 min read

Local-First Is Here, Loudly: Why Three of My Products Made the Switch

For years I dismissed local-first as a correctness-obsessed ideology. In the last twelve months three of my products adopted it, and the reasons were not what the manifestos said they would be.

Local-FirstArchitectureCRDTSync

On this siteApril 19, 20267 min read

The Pricing Tier I Deleted and What Happened Next

I had a $9 Starter tier on one of my tools for eighteen months. Deleting it was the best pricing decision I made last year. Here is the math, the customer impact, and the lesson I am now applying to every other product.

PricingProductGlinckerSolo Founder

Dev.toApril 18, 20267 min read

I replaced Auth0 with an open source library in 30 minutes. Here is what broke.

A real Auth0 migration to kavachOS, with the bill, the diff, the things that broke in prod, and the call I would make again.

authenticationopensourcejavascriptdevops

Dev.toApril 18, 20267 min read

How to build a secure password reset flow in Next.js (the short version)

Password reset is where most apps leak. Here is a working Next.js 15 implementation, the 3 security mistakes I keep finding in code reviews, and a 12 line version using kavachOS.

nextjsauthenticationwebdevtutorial

Dev.toApril 18, 202610 min read

How to build a login flow in Next.js 15 (sessions, cookies, CSRF, and the timing attack nobody talks about)

A working login flow in Next.js 15. The form, the session cookie, CSRF, remember me, and a look at the constant-time comparison that keeps attackers from enumerating accounts.

nextjsauthenticationwebdevtutorial

Dev.toApril 18, 20269 min read

How to build a register user flow in Next.js 15 (frontend, backend, database, email)

A working register user flow in Next.js 15. Frontend form with real validation, a server endpoint that does the right things, the database schema, and the email verification handoff.

nextjsauthenticationwebdevtutorial

Dev.toApril 18, 202610 min read

The 8 tables behind a real auth system (Postgres schema, explained column by column)

Day 2 of the auth from scratch series. The full Postgres schema for users, sessions, OAuth, reset tokens, magic links, verification, passkeys, and agent tokens. Every column, every index, every decision.

postgresauthenticationdatabasewebdev

Dev.toApril 18, 20265 min read

I've built auth six times. Here's the system I would build today

A 12 part series on building real authentication from scratch in Next.js and Postgres. Start here for the architecture, the tables you will need, and a diagram of the whole system

authenticationwebdevnextjstutorial

On this siteApril 18, 20267 min read

The Auth Tax: Why I Stopped Rebuilding Login Flows for Every Product

Every product I shipped in year one reimplemented auth. Year two I started extracting it. Year three I built my own service. Here is what that path actually cost, and when you should follow it.

AuthKavachosArchitectureSolo Founder

On this siteApril 16, 20266 min read

MCP Is the Actually Interesting AI Protocol of 2026

Everyone's chasing foundation models and agent frameworks. The quieter story is a protocol that's becoming the USB-C of AI tooling, and most devs are still sleeping on it.

MCPAIProtocolsAgents