On-demand recording | SAP IdM End of Life: Migration Without Disruption | With Deloitte · 60 min Watch recording

SOLUTION

Zero‑Token SPAs

Eliminate token theft Policy on every call Audit‑ready proof

Open Quickstart Watch 10‑min demo

Visual representation of zero-token SPA architecture with BFF pattern

How it works

Edge calls BFF for ForwardAuth; SPA never sees tokens.
BFF validates session and requests PDP decision per route.
On allow, BFF brokers tokens and applies constraints (caps, egress, params).
Signed receipts capture policy snapshots and usage.

Standards

OIDC + OAuth 2.0 (Auth Code + PKCE)
OpenID AuthZEN decisions at the BFF
DPoP and RFC 8693 Token Exchange (optional)

Related reading

Experience Platform ARIA Shield Resources

Learn more

Technical docs

BFF Overview BFF Gateway

Marketing site

ARIA Shield Resources

Related reading

BFF Overview PDP Reference