Custom auth is the trap. You will lose a week, ship a security hole, and learn nothing your users care about. Use a managed service. Sign-up, log-in, password reset, email verification — all of it shows up in an afternoon when you stop trying to be clever.
The fastest founders ship "Sign in with Google" first. One button. No password to forget. Better conversion. If OAuth is off the table for your users, fall back to email and magic links.
Supabase Auth — drops in next to your database. Email, OAuth, magic links, all included.
Clerk — pre-built React components for sign-up and log-in. You glue, you ship.
Firebase Auth — Google-backed, generous free tier, OAuth in minutes.
Once it is wired, walk the full path yourself:
sign up → verify email → log out → log back in → forgot password → reset → log in
If any step breaks, fix it before you do anything else. Then hand it to a friend who has not seen the code. Watch where they pause. That pause is your bug.
A logged-in user must see something different from a logged-out one. A profile page, a dashboard, anything tied to their account. That difference is the proof that auth works.
Bad: a homemade login form that stores plaintext passwords in your own table.
Good: supabase.auth.signInWithOAuth({ provider: 'google' }) and a redirect.
Bad: making the user pick a username, profile photo, and bio before they see the app.
Good: collect email, send them straight to the dashboard, ask for the rest later.
A real user can create an account, log out, log back in, and reset a forgotten password. A logged-in session shows content that a logged-out visitor cannot see.
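The walk-through above (sign up, log out, log back in, reset, log in) and the logged-in-versus-logged-out check, written as a repeatable script. This is an added example, not code from the original post: walkAuthPath takes any object with the supabase-js v2 auth method names (in a real app that is createClient(url, anonKey).auth), fakeAuth is a constructed in-memory stand-in so the file runs offline, and email verification and the password-reset link are assumed to be handled out of band via callbacks.

```javascript
// Walks the manual checklist against an `auth` object exposing the
// supabase-js v2 method names. Returns the list of steps that passed;
// throws at the first step that fails or leaves the session in the
// wrong state (logged in after sign-out, logged out after sign-in).
async function walkAuthPath(auth, { email, password, newPassword, verifyEmail }) {
  const done = [];
  const step = async (name, fn) => {
    const { error } = (await fn()) || {};
    if (error) throw new Error(`step "${name}" failed: ${error.message}`);
    done.push(name);
  };
  const hasSession = async () => Boolean((await auth.getSession()).data.session);

  await step('sign up', () => auth.signUp({ email, password }));
  // Needs a real inbox; caller supplies a callback or the step is skipped.
  if (verifyEmail) await step('verify email', () => verifyEmail(email));
  await step('log out', () => auth.signOut());
  if (await hasSession()) throw new Error('session survived log out');
  await step('log back in', () => auth.signInWithPassword({ email, password }));
  if (!(await hasSession())) throw new Error('no session after log in');
  await step('forgot password', () => auth.resetPasswordForEmail(email));
  // In production the reset link opens a recovery session; here updateUser
  // runs under the session from the log-in above.
  await step('reset', () => auth.updateUser({ password: newPassword }));
  await step('log out', () => auth.signOut());
  await step('log in', () => auth.signInWithPassword({ email, password: newPassword }));
  if (!(await hasSession())) throw new Error('no session after reset and log in');
  return done;
}

// Constructed in-memory stand-in for the auth client, so this runs offline.
function fakeAuth() {
  const users = new Map();
  let session = null;
  const ok = () => ({ data: {}, error: null });
  const fail = (message) => ({ data: {}, error: { message } });
  return {
    async signUp({ email, password }) { users.set(email, password); session = { email }; return ok(); },
    async signOut() { session = null; return ok(); },
    async signInWithPassword({ email, password }) {
      if (users.get(email) !== password) return fail('Invalid login credentials');
      session = { email };
      return ok();
    },
    async resetPasswordForEmail() { return ok(); },
    async updateUser({ password }) {
      if (!session) return fail('Auth session missing!');
      users.set(session.email, password);
      return ok();
    },
    async getSession() { return { data: { session }, error: null }; },
  };
}
```

Point walkAuthPath at a real client once sign-up works end to end; a thrown step name tells you exactly where the path broke.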