Their claim that every request goes through the hot path of a central auth db is stretching the truth quite a bit. With OAuth2 you get a signed access token once from the identity provider, then you reuse this token several times until its given expiry time has run out. It is up to the resource server to validate the token scope, signature and the expiry time. This can be done offline as long as the resource server has the public key of the IdP. SSH certificates work the same way.

Obviously, now the resource server instead becomes your central guard of access, and is far from a local-first crypto-based solution as they describe. Just that the way it’s pictured sounded overly dramatic.