Best of OAuth · April 2026

  1. Article · Collections · 6w

    Claude subscriptions dropping third-party tool coverage starting tomorrow

    Anthropic has ended Claude Pro and Max subscription access for third-party tools like OpenClaw starting April 4, 2026. Users who were routing agentic workloads through flat-rate subscriptions via OAuth must now switch to pay-as-you-go extra usage billing, pre-purchased usage bundles, or direct API key access. Anthropic is offering a one-time credit equal to one month's subscription fee as a transition incentive. The change reflects the unsustainable economics of users running thousands of dollars worth of agentic compute through $200/month subscriptions. Direct API key access remains unaffected. Cost-conscious users are exploring hybrid setups using Opus as an orchestrator with cheaper models for execution, or running local models as a hedge against future pricing changes.

  2. Article · Auth0 · 3w

    Things Developers Get Wrong About the Backend for Frontend Pattern

    Common misconceptions about the Backend for Frontend (BFF) pattern are addressed, focusing on security implications. Key points: PKCE and BFF solve different problems and are complementary, not alternatives — PKCE protects the authorization code in transit while BFF keeps tokens out of the browser entirely. A true BFF is a confidential OAuth client, not just a reverse proxy forwarding tokens. HttpOnly cookies are not less secure than localStorage tokens — they trade XSS-based token theft for a more constrained CSRF attack surface. BFF doesn't automatically handle CSRF protection, session invalidation, secure cookie configuration, or API authorization. Finally, teams don't need a full rewrite — BFF can be introduced incrementally as an authentication layer without changing existing backend APIs.

  3. Article · Arcjet · 2w

    Building a production MCP server in Go

    A detailed walkthrough of how Arcjet built a production MCP server in Go by integrating it directly into their existing API service rather than running it as a standalone sidecar. Key decisions covered include reusing session validation, middleware, and the data layer; designing tools around agent workflows (security briefings, anomaly detection, IP investigation, dry-run impact analysis) rather than simple API wrappers; serving OAuth discovery metadata (RFC 8414 + RFC 9728) while proxying to an external auth provider (WorkOS AuthKit); handling Dynamic Client Registration; writing effective tool descriptions with output shape, workflow hints, and annotations; and separating trusted guidance from untrusted attacker-controlled request data to prevent prompt injection.

  4. Article · GitLab · 3w

    A guide to the breaking changes in GitLab 19.0

    GitLab 19.0 (releasing May 21, 2026 for self-managed) includes 15 breaking changes, down from 80 in 17.0. High-impact changes include: replacing NGINX Ingress with Gateway API/Envoy Gateway in the Helm chart, removing bundled PostgreSQL/Redis/MinIO from the Helm chart, dropping OAuth ROPC grant support, and requiring PostgreSQL 17 as the minimum version. Medium-impact changes cover dropping Ubuntu 20.04 and SUSE Linux package support, removing Redis 6 support, updating the Auto DevOps builder image, and removing bundled Mattermost. Lower-impact changes include removing Spamcheck, Slack slash commands, legacy container registry storage drivers, and deprecated GraphQL/REST API attributes. Migration guides and deployment windows for GitLab.com, Self-Managed, and Dedicated are provided for each change.