Coding Stephan

Experts Live Denmark 2026

As a frequent speaker at Experts Live Netherlands, I also submitted a talk for the Danish edition of Experts Live, which took place in Copenhagen on February 25th, 2026. I was very happy to be accepted to speak at this event, which is one of the biggest Microsoft conferences in Denmark.

Welcome to Experts Live Denmark 2026

Forged but valid: How to test API authentication and why you should care

Wednesday 10:00 to 11:00 in the Development track. An hour-long session about testing API authentication and why it is important to do so. Here is the abstract:

You built this API for your new product and it is protected with tokens from Entra ID (or any other IDP). To truly test your API, you don’t want to disable the authentication part.

How do you actually run your (mandatory) integration tests without disabling authentication? Using a man-in-the-middle attack on your API, you can create tokens that, for the application, appear to be from Entra ID and actually get validated.

Do you want to run your integration tests on your API, without compromising the integrity of your API? Want to test if the role-based access control is working as expected?

Broken access control and Identification and Authentication failures are both in the OWASP Top 10; let’s make sure you don’t make these mistakes.

And while we are at it, I’ll show you how you can protect your API against these forged tokens.

Meeting people

I had a great time at the conference, meeting new people and catching up with old friends. I finally met Merill Fernando in person, who I have known for a long time on Twitter and LinkedIn. We had some great conversations about security and the community.

Meeting Merill Fernando at Experts Live Denmark 2026

And I also had time to visit some of the other sessions, like the one by Thomas and Eric.

Thomas and Eric at Experts Live Denmark 2026

Physical security

Apart from digital security, I also have a strong interest in physical security, so I wanted to test the security of the speaker hotel. I used my Flipper Zero and was able to clone my hotel room key card within seconds. If I had the opportunity to bump against someone from housekeeping, I could have easily entered every other room in the hotel.

Conclusion

We all should do better on security; it is not just for the security team anymore. Developers should also care about security, and testing your API authentication is a great way to start.