The NamoID blog
Release notes, deep dives on the provider integrations, and the occasional “here’s the bug that taught us X.”
CIMD vs Dynamic Client Registration: Onboarding AI Agents to OAuth
How does an AI agent you've never seen become an OAuth client? Two answers — Dynamic Client Registration (RFC 7591) and Client ID Metadata Documents — and why MCP picked CIMD.
DPDP Rules 2025 Are Notified: The Engineering Timeline to May 2027
India's DPDP Rules were notified on 13 Nov 2025 with a phased 18-month rollout. Here's the real clock and the engineering to-do list for each phase — consent, breach reporting, rights, audit.
Identity for AI Agents: Short-Lived, Scoped, Audience-Bound Tokens
AI agents are a new identity class. The dangerous default is a long-lived API key. Here's what good agent identity looks like — and the OAuth mechanics that already give it to you.
Securing an MCP Server: Audience Validation, PRM, and the Confused Deputy
Building an MCP server? Harden it right: publish protected-resource metadata, validate audience-bound tokens, and shut the confused-deputy and token-passthrough doors — with the RFCs.
Account Aggregator Consent vs OAuth Consent, Explained
India's Account Aggregator uses a signed, purpose-bound, time-limited consent artefact — not an OAuth token and scopes. What's different, why it matters, and what OAuth builders can borrow.
Credential Stuffing Defense: Block Breached Passwords
How to defend against credential stuffing and account takeover — checking passwords against breach corpora with k-anonymity (never sending the password), plus MFA, rate limits, and anomaly signals.
DPDP for Engineers: What Changes in Your Code vs GDPR
If you've built for GDPR, here's what India's DPDP Act actually changes in your code — consent over legitimate interest, under-18 by default, all-breach notification, and the audit trail you'll need.
How to Validate a JWT Correctly (2026 Update)
The correct order to validate a JWT — pin the algorithm, resolve the key from JWKS, verify the signature, then the claims — plus the alg:none and RS256-to-HS256 traps and what the 2026 JWT BCP adds.
Is Firebase Auth DPDP-Compliant? A Residency Reality Check
Firebase Authentication processes identity data only in the US. Whether that's a DPDP problem depends on your sector — here's the honest, India-specific answer for builders.
How MCP Authorization Works: OAuth 2.1 for AI Agents
How the Model Context Protocol secures AI agents with an OAuth 2.1 profile — protected-resource metadata, PKCE, resource indicators, and audience-bound tokens, step by step.