In a world where security breaches are a constant threat and user trust is critical, building a secure authentication system is no longer optional. This is especially true for highly regulated industries like defense and energy, where a single vulnerability can lead to catastrophic consequences.

In addition, when it comes to designing access in highly regulated environments, you can waste weeks on compliance challenges and still not get it right.

That’s exactly why we built VIA’s Zero Trust Fabric (ZTF). ZTF came to life because VIA needed a trustworthy way to manage keys in situations where centralized technology just wouldn't work. The problem wasn't a lack of central key management solutions. Instead, it was the fragmented networks, continuous common vulnerability remediation, and licensing restrictions that made them unusable.

Today, I’m going to show you exactly how to implement VIA’s Zero Trust Fabric (ZTF) authentication system that eliminates passwords entirely and takes less than five minutes to set up.

And the best part? Your users will actually thank you for making their lives easier.

What is ZTF?

Zero Trust Fabric (ZTF) is VIA’s advanced security framework built on the key principle of Zero Trust: “never trust, always verify” (listen to Zero Trust creator John Kindervaag break down Zero Trust principles in 60 seconds). It provides a decentralized passwordless authentication infrastructure that moves beyond traditional perimeter-based security models to protect against modern cybersecurity threats.

You might be thinking, “implementing proper passwordless authentication requires months of development, complex infrastructure, and deep security expertise.” But with solutions like ZTF, this is no longer the case.

Pro-tip: Big players such as Microsoft eliminated 99.9% of their authentication attacks simply by going passwordless.

What you’re about to build

In the next few minutes, you'll create a production-ready React application with:

✅ Passwordless authentication using industry-standard OAuth 2.0 + PKCE

✅ Automatic token refresh, which means no more "session expired" errors

✅ Zero-trust security with JWT validation

✅ Docker containerization for instant deployment

✅ CORS configuration that actually works in production

Did you know: Major enterprises like BMW, Deutsche Bank, and Netflix use similar zero trust architectures.

Prerequisites (Don't skip this)

Before we start, make sure you have:

• ZTF Tutorial Github open

• Node.js 18+ installed

• Docker running on your machine

• 5 minutes of uninterrupted time

• A coffee ☕ (optional but recommended)

Ready? Let's build something amazing.

Step 1: Understand the architecture

Here's the beautiful simplicity of what we're building:

User → React App → Keycloak → JWT Token → Protected Resources

Why this works:

1. User Experience: One-click authentication, no passwords to remember.

2. Security: Public and private key cryptography avoiding centralized passwords.

3. Scalability: Handles high volumes of users thanks to the decentralization of credentials over mobile devices.

4. Developer Experience: Set it up once, forget about auth forever.

Step 2: The magic configuration (where most people mess up)

Here's a configuration that is a great starting point for many developers:

const keycloak = new Keycloak({
  url: "https://auth.solvewithvia.com/auth",
  realm: "ztf_demo", 
  clientId: "localhost-app"
});

// The secret sauce most tutorials don't mention
keycloak.init({ 
  onLoad: "login-required",
  redirectUri: window.location.origin + "/",
  checkLoginIframe: false,        // ← Critical for modern browsers
  responseMode: "query",
  pkceMethod: "S256",             // ← This helps prevent attacks
  enableLogging: true,
  scope: "openid profile email",
  flow: "standard",
  useNonce: true                 // ← Enabled for better security with nonce validation
})

Pro-tip: This configuration is a common, secure pattern used in production environments.

Step 3: Token management gamechanger

Most authentication tutorials teach you how to configure the log in experience. Few teach you how to ensure users stay logged in securely. Here’s an example of how you should handle refresh tokens and log outs for a seamless user experience that follows security best practices.

const setupTokenRefresh = () => {
  keycloak.updateToken(360).then((refreshed) => {
    if (refreshed) {
      console.log('Token refreshed seamlessly');
      // User never knows this happened
    }
    setCurrentToken(keycloak.token);
    setLastTokenUpdate(new Date());
  }).catch((error) => {
    // Graceful fallback - no jarring redirects
    keycloak.login();
  });
};

// Auto-refresh every 5 minutes
setInterval(setupTokenRefresh, 300000);

Pro-tip: Users hate being interrupted. This silent refresh means they can work for hours without thinking about authentication. Happy users = loyal users.

Step 4: Docker deployment

Get production-ready in seconds. Move your React app from development to production by switching from a local development server to a robust, dedicated web server like NGINX.

FROM node:18-alpine as build
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build

FROM nginx:alpine
COPY --from=build /app/build /usr/share/nginx/html
COPY nginx.conf /etc/nginx/nginx.conf
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

One-command deployment:

docker-compose up -d --build

Pro-tip: Feel free to use this production-ready Docker configuration.

Want to take a deeper dive? Check out the full ZTF documentation.

Important: To avoid needing a domain we used HTTP in this tutorial, but don’t forget that your app will need to upgrade to HTTPS before releasing to your users!

Security best practices

Tips for enterprise-grade security:

1. Memory storage: Tokens in memory, never localStorage (prevents XSS attacks).

2. HTTPS everywhere: Non-negotiable in production.

3. Restrictive cross origin authorization between ZTF and the application: Only allow necessary origins.

4. Backend validation: Always validate tokens server-side.

These practices are mandated by security frameworks like NIST, OWASP, and used by financial institutions processing trillions of dollars.

Troubleshooting

Common issues that slow down developers.

1. “Invalid nonce” errors? → If you encounter nonce validation errors, ensure your keycloak-js version matches your Keycloak deployment version. Current configuration uses ‘useNonce: true’ with Keycloak 25.0.6

2. CORS nightmares? → Check Keycloak client's Web Origins

3. Redirect loops? → Verify valid redirect URIs match exactly

This troubleshooting section alone could save you hours of debugging. You’re welcome!

What you've just accomplished

Stop and appreciate what you've built.

✅ Enterprise-grade security that help you go passwordless like Fortune 500 companies

✅ Seamless user experience that removes friction

✅ Production-ready deployment with zero configuration hassle

✅ Automatic token management that works seamlessly

✅ Future-proof architecture that scales to millions of users

Implementation challenge

Here's my challenge for you.

1. Today: Clone this repository and get it running locally.

2. This week: Adapt the configuration for your own project.

3. Share: Tell me about your implementation on LinkedIn or X.

Why this matters: Every day you delay implementing proper authentication, you're exposing your users and your business to unnecessary risk.

Join the passwordless revolution

The facts are undeniable.

• Passwords are a primary factor in many data breaches.

• Users abandon apps with complex auth flows.

• Passwordless auth increases user engagement.

• Implementation takes less time than reading this article.

The question isn't whether you should implement passwordless authentication.

The question is: What's stopping you?

ZTF Authentication Resources

Want to go deeper? Here are the resources that shaped this tutorial.

• ZTF Documentation

• Keycloak JS Documentation

• OAuth 2.0 PKCE Specification

• OWASP Authentication Guidelines

• Zero Trust Architecture (NIST)

About the author

Jesus Cardenes, VIA's Senior Vice President, Product Architecture, is responsible for the technical roadmap and architectural design of all VIA products and its Web3 platform. He is known for his expertise in connecting technologies and platforms to create seamless user experiences. An interesting fact about Jesus is that he competed in the junior roller hockey national club finals in Spain!

Building software for the DoD shouldn't be a constant battle with access. We know, because we've been there. We built VIA's Zero Trust Fabric to fix all that.

Try it free