Modern Architecture & Identity Solutions for Web Applications
Liesje Van Ginhoven 27/02/2026

After attending the NDC London conference, Martin (senior developer) returned with a fresh perspective on modern web architecture. In his latest blog posts, he shares the key insights he gained there. Two themes stood out most for him: the Backend for Frontend (BFF) pattern and the use of verifiable credentials (VCs) in combination with decentralized identity (DID). 

Backend for Frontend (BFF): What and Why? 

The BFF pattern involves building a dedicated backend for each front-end (e.g., SPA, mobile app, or other client), tailored specifically to that front-end. 

Why BFF? 

A single general-purpose API that has to serve every client (web, mobile, partners) accumulates endpoints and response shapes that no one client needs, which makes it harder to reason about what each client may see, widens the attack surface, and complicates versioning. 

With BFF, each client gets its own backend, simplifying and securing communication. 

The BFF acts as a middle layer that handles requests, calls underlying services, and only provides the front-end with the data it actually needs. 

Security and token management 

Front-ends such as SPAs often run OAuth/OIDC directly in the browser and hold bearer tokens in JavaScript-accessible storage. Any script that runs in the page can then read and exfiltrate them: an XSS payload, a malicious or compromised browser extension, or a poisoned third-party dependency. 

A BFF mitigates this by keeping the tokens on the server and giving the browser only an opaque session cookie marked HttpOnly (unreadable from JavaScript), Secure (HTTPS only) and SameSite. The trade-off is that cookie-based sessions reintroduce CSRF, so the BFF still needs SameSite restrictions and an anti-forgery check (for example a required custom header) on state-changing calls. 

BFF flow in brief 

  1. The front-end makes an unauthenticated call to the BFF (typically its login endpoint). 

  2. The BFF redirects the user to the identity provider for login. 

  3. After a successful login, the BFF receives the tokens and stores them out of reach of browser JavaScript (in a server-side session, or in an encrypted HttpOnly cookie) and sets a session cookie. 

  4. Subsequent API calls from the front-end carry only that cookie; the BFF looks up the session, attaches the access token to the upstream call, and no token is ever exposed on the client. 


Verifiable Credentials (VCs) and Decentralized Identity (DID) 

In the second part of this blog, we take a deep dive into VCs and DID. 

What are Verifiable Credentials? 

Verifiable credentials are cryptographically signed sets of claims about a subject, issued by an issuer and stored by the user (the holder) in a digital wallet. The holder can present them to a verifier, who can check them without contacting the issuer, while sharing only the claims the verifier actually needs. 

This fits into the broader decentralized identity (DID) ecosystem: 

  • Users control their identity in their wallet, not centrally through an identity provider. 

  • Verifiers only need to trust the issuer: they resolve the issuer’s DID to its public key and check the signature themselves, with no call to the issuer at presentation time. 

Key protocols 

Two important OpenID-based protocols are: 

  • OpenID4VCI: for issuing credentials (issuer → wallet). 

  • OpenID4VP: for requesting/verifying credentials (verifier → wallet → verifier). 

Example VC workflow 

  1. The issuer publishes a DID document online containing its public keys. 

  2. The wallet receives a credential from the issuer via OpenID4VCI. 

  3. The verifier requests a presentation (e.g., by showing a QR code that carries the request, including a fresh nonce). 

  4. The wallet sends a verifiable presentation containing only the requested claims, bound to the verifier’s nonce and signed by the holder. 

  5. The verifier checks the holder’s signature and nonce (so a captured presentation cannot be replayed), resolves the issuer’s DID, checks the credential’s signature and its revocation status, and confirms the credential was issued to the presenting holder. 

This approach reduces privacy risks and makes identity more transparent, secure, and portable for both users and systems. 

Both trends help developers build better, more modern, and secure applications—BFF provides a safer API pattern, while VCs open new possibilities for identity management beyond traditional IAM systems.