SOLUTION

Zero‑Token SPAs

Eliminate token theft Policy on every call Audit‑ready proof

Open Quickstart

Visual representation of zero-token SPA architecture with BFF pattern

How it works

Edge calls BFF for ForwardAuth; SPA never sees tokens.
BFF validates session and requests PDP decision per route.
On allow, BFF brokers tokens and applies constraints (caps, egress, params).
Signed receipts capture policy snapshots and usage.

Standards

OIDC + OAuth 2.0 (Auth Code + PKCE)
OpenID AuthZEN decisions at the BFF
DPoP and RFC 8693 Token Exchange (optional)

Related reading

ARIA Shield Resources

Learn more

Technical docs

BFF Overview BFF Gateway

Marketing site

ARIA Shield Deep Dives

Related reading

BFF Overview PDP Reference