# Week 3

In this session we will focus on securing our existing Snippets API. We will explore different ways of authenticating users and protecting API endpoints, and compare their trade-offs so you can choose the right approach for different scenarios.

## Contents

* [Preparation](/course-content/backend/node/week3/preparation.md)
* [Session Plan](/course-content/backend/node/week3/session-plan.md) (for mentors)
* [Assignment](/course-content/backend/node/week3/assignment.md)

## Session learning goals

By the end of this session, you will be able to:

* [ ] Explain why storing plaintext passwords is insecure and how hashing (e.g. with bcrypt) improves security.
* [ ] Implement a basic login flow for the Snippets API using securely stored passwords.
* [ ] Protect Snippets API endpoints using JWT-based stateless authentication.
* [ ] Protect Snippets API endpoints using session-based authentication with cookies.
* [ ] Describe when to use database-stored tokens and API keys, and understand their trade-offs.
* [ ] Compare the strengths and weaknesses of credentials-only, DB tokens, JWT, sessions, and API keys for different use cases.


