Štěpán Unar · 8 min read

Choosing the Right Auth Solution in 2026

Auth.js, Clerk, Supabase Auth, or custom? Authentication is the most critical decision you'll make early — and the hardest to change later.

Deceptively complex

Authentication is deceptively complex. On the surface, it's just login and signup. Underneath, it's password hashing, session management, token rotation, OAuth flows, multi-factor authentication, rate limiting, account recovery, email verification, and a dozen edge cases that each represent a potential security vulnerability. Building auth from scratch is a rite of passage for developers — and a liability for businesses.

Auth.js for flexibility

Auth.js (formerly NextAuth.js) is the go-to for Next.js projects that need flexibility without vendor lock-in. It supports 80+ OAuth providers, database sessions, JWT sessions, and custom credential providers. It's free, open-source, and runs on your infrastructure. The trade-off: you own the complexity. Email templates, user management UI, MFA, and organization features are all DIY. For solo developers and small teams building straightforward apps, it's the right choice.

Managed services for speed

Clerk and similar managed services (Stytch, WorkOS) handle everything: pre-built UI components, user management dashboards, MFA, organization management, and compliance features. The developer experience is exceptional — you can add authentication to a Next.js app in under 10 minutes. The trade-off: cost scales with users (Clerk charges per monthly active user after the free tier), and you're dependent on a third-party service for your most critical infrastructure. For B2B SaaS products that need organization management and SSO, the time savings are worth the cost.

The middle ground

Supabase Auth sits in the middle: managed but self-hostable, with built-in support for email/password, magic links, OAuth, and phone auth. It integrates tightly with Supabase's database and row-level security, making it ideal for projects already in the Supabase ecosystem. For projects that need full control, Keycloak and Ory are battle-tested open-source identity platforms — but they require significant DevOps investment. Our advice: never build auth from scratch unless you have a dedicated security team. Pick the solution that matches your team size, budget, and compliance requirements — and make the decision early, because migrating auth later is one of the most painful refactors in software.
