
No Tokens in the Browser!

Manage tokens on the server to simplify your front-end development and increase security for Angular, React, Vue, and Blazor WASM apps. Host anywhere.



Simplify Front-End Development, Increase App Security

The BFF Framework handles session management, token handling, and API proxying for browser-based applications. Your single page application (SPA) never sees a token, and your team doesn't have to build the plumbing from scratch.

Server-Side Sessions, Not Browser-Stored Tokens

Access and refresh tokens stay on the server. The browser holds a standard HTTP session cookie. This aligns with current OAuth 2.0 BCP guidance for browser-based apps.

API Proxying Built In

Call downstream APIs from your SPA through the BFF host. Token acquisition, refresh, and forwarding are handled for you.

Framework-Agnostic on the Client

Works with React, Angular, Vue, Blazor WebAssembly, or any JavaScript client. The BFF host is ASP.NET Core; the client is whatever you ship.

Versions

  • BFF v3.0 - Stable release. Supported for current IdentityServer deployments.
  • BFF v4.0 - Latest release, aligned with Duende IdentityServer v8.x. Recommended for new deployments.

Both versions are included as a capability of Duende IdentityServer on eligible tiers.



How to Get It

The BFF Security Framework is included as a capability across all Duende IdentityServer tiers:

Tier        # of Front-Ends
Lite        2 BFF Front-Ends
Standard    10 BFF Front-Ends
Advanced    30 BFF Front-Ends
Custom      Up To Unlimited BFF Front-Ends

See the IdentityServer pricing page for full tier details.

Start Building with Duende

Download Duende IdentityServer or explore our documentation
