Why We Don't Trust the Database with Authentication

I explain why treating the database as the ultimate source of truth for API authentication is a critical vulnerability. At Sturdy Statistics, we use Defense in Depth by cryptographically binding keys to tenant contexts using a server-side pepper. This ensures that even if an attacker compromises the database via SQL injection, they cannot forge valid credentials or bypass tenant boundaries, keeping our system secure.
"The database no longer decides identity on its own; it stores verifiers that only the backend can validate."