Access control is a must in almost any application, yet most developers end up building and rebuilding it time and time again - forced to refactor with new customer, product, or security demands coming in. Why? Usually, they make one or more of four crucial mistakes, which we explore in this blog post.

Permit.io

Developers often overuse JWTs, sometimes going as far as storing all the routes that a user should access within them. Mixing the authentication and authorization layers messes up our code. The best way to avoid this is to have the JWT only include the claims and scopes for the user's identity and their relationship within the organization and keep all other authorization-related information.

The four mistakes you make building permissions