I agree with the general principle. Fewer moving pieces make for more stable applications ("choose boring technology"[0]).

However, I was wondering what you do when you have more than one application that the same userbase wants to access. I can see 3 options:

1. make them register/have credentials for each application (not a great user experience)

2. use a standalone auth server and deal with the increased complexity

3. pick one of your applications to 'own auth' and have the other applications delegate to it. congrats, you've just invented a standalone auth server that is coupled to one of your apps

What am I missing?

0: https://boringtechnology.club/

I remember when they deprecated the library and instead made it a learning resource on implementing auth from scratch. Brilliant decision, much respect to the author.

Heya, Auth0 is still around! They got bought by Okta in 2021 but still have a free tier and we see them in a lot of bake-offs.

Of course, we're not talking about email/password with "remember me" checkbox kind of auth.

SSO, SAML, SCIM, OIDC, OAuth, 2FA, passwordless auth, verification tokens, etc etc, And, variations of each for wildly popular systems you’ll be expected to integrate with but don’t support the exact spec.

For a while at my company, half our support engineers time went to handling random SSO issues that came up in our home built auth system.

To expand a bit more: if a business is faced with a choice to save some money by increasing risk, having people who’s job it isn’t managing and supposedly securing that information, or to have a third-party who job is literally to handle and worry about those things, who carries independent insurance, and who is on the hook if they lose customer data, and in exchange the business is simply taking the risk of associating with business that could do a poor job — which of those options sounds more appealing from a business sense? It’s a lot easier to blame someone else than earn back trust for your own major mistakes because you tried to write your own software to save a little money.

That’s the SaaS value proposition.

That’s all it takes to not use their cloud at all.

Then when you really start thinking about it, the list of requirements grows.

Of course it’s still totally doable for an average developer, but takes time and mistakes can be catastrophic. And maybe the time is better spent developing stuff that differentiates you from others.

1. Don't roll your own crypto

2. Don't roll your own auth strategy

3. Don't Roll your own auth code

4. Don't host your own auth infrastructure.

For the last few years level 4 has been aggressively pushed with a lot of advertising spend to push people towards prohibitively expensive hosted providers. Donning a tinfoil hat for a moment, auth as a service companies have made everything seem substantially more difficult than it is too for simple needs.

Now we're seeing a correction back to 2 and 3 as people way up the risks of SaaS vs just using a easier to manage local library and discovering it's not as scary as it's been made out to be if you follow now fairly well established patterns.

the providers aren't going anywhere, people still need them for a variety of reasons but their time as the default is ending and whether this is good is to be determined.

I am with you on this.

Even if done for fun/learning, it can teach how the details of auth work to better appreciate and understand how other systems work and what to look out for.

I prefer to use existing things if possible, but if it was getting unreasonable to get it how it was needed, it wouldn't be off the table.

For starters, if I'm a "house builder" by trade, then yeah, I am going to build the house myself. Otherwise, why should the client pay me, and not the guy I'm subcontracting?

Secondly, there is no such thing as a "house builder" profession. It consists of a lot of different trades people, some of them having legal power to sign off your house build (for example an electrician). Now, we could try to push for something similar in software engineering, and say require you to have an "authentication engineering certificate" in order to handle code related to auth, and only a person holding the certificate can allow such code for production use. But I'm pretty sure all the vibe coders and tech bros will cry how unfair and bureaucratic the system is.

But of course the entire SWE profession is based on grifting, and extracting as much money as possible from the customers while cutting the costs. If you are so afraid to save passwords to a database, then at least don't call yourself a software engineer.

People not knowing what salt and pepper is... Vulnerabilities almost as if on purpose...

Perhaps it is actually not THAT hard but just like error handling, people don't want to do the unsexy parts and want to delegate those tasks to someone else perhaps. There must be a behavioral pattern there...

fwiw, we also have entire staff dealing with SSO issues among our employees and users, despite relying on external services to handle auth.

A problem domain as complex as authentication is bound to habe issues of some sort. But I am not sure if I would be so fond of „outsourcing“ something as integral to my services as the access to these services

All you need is Apple and Google Oauth.

Okay, so… what are those cases? I’m also curious.

I was at KubeCon EU this year (representing my employer, FusionAuth) and there were lots of folks who were running Keycloak who came and chatted with us.

It's a different set of tradeoffs than Auth0 or other SaaS services. More control, but more responsibility too.

0: https://events.linuxfoundation.org/kubecon-cloudnativecon-eu...

1: https://www.reddit.com/r/KeyCloak/

Edit: Meaning I would use it if you need to get up and running quickly, but it's a solid foundation to build on long-term.

Wrote an article about that here: https://fusionauth.io/articles/authentication/fedcm (hosted at my employer's website)

Maybe you can help me out: I still have no idea what val.town is. I guess it's an alternative to Cloudflare Workers?

Uhm, companies like Replit and several other large startups are actually adopting Clerk. I guess if your world mainly revolves around X (formerly Twitter), it can seem like everyone is moving away from Clerk.

Also, Better Auth’s X presence is pretty much centered around criticizing every auth provider out there, so the discourse there tends to skew heavily negative.

https://better-auth.com/docs/plugins/jwt

Clerk is an authentication provider for the most part, it concerns itself with telling you who the user is. Based on that your business logic should be able to determine what they are entitled to do.

They offer a Org/Role based RBAC but since you're doing something different I'd just scrap it entirely and roll your own authorization flow, they have a guide that'll help you get your own started here: https://clerk.com/docs/guides/secure/basic-rbac

thankfully i'm familiar with better auth from a side project, but migrating SSO/SCIM sounds like it might be a bit of a pain

Can you share your evaluation process? I'm always curious how folks evaluate auth providers.

Did you do a spike? Full POC across a couple of solutions? Rely on a recommendation from a friend? Run through a quickstart and decide it worked and you had bigger problems to solve? Something else?

> There must be a behavioral pattern there...

The pattern is that your comment is very far from reality.

And this someone's name begins with "Cla" and ends with "ude".

So we're going to have a lot more vulnerabilities in the auth code going forward.

If you are a B2C app, you are probably more concerned about:

- social providers (Apple and Google being the big ones, but others could play a role--FB or Tiktok for example)

- easy registration (but not too easy, you want to avoid bot spam)

- self-service account management (updating profile fields, consents [CCPA, GDPR, others], resetting passwords

- single sign-on between your apps (if you have multiple)

- language support (for your backend, and mobile/web front end)

- cost

- possibly MFA, possibly passkeys

We should be able to demand users remembering their passwords, I dont like to cater towards users who simply dont want to put in the work to use my product.

Will I lose potential users over this? Yes. Does it feel bad knowing I am in control and wont have to offload to 3rd party vendors? Hell no.

https://github.com/supabase/auth/blob/master/LICENSE

If you're willing to make a third party SaaS's uptime the ceiling for your own org, you can delegate auth. Github might not be a good choice for SSO.

If you're not threatened by per-user-per-month fees, you can delegate auth.

If your threat model is compatible with a third party having visibility into your user's network location and the frequency and duration of their activities across your org, you can delegate auth. (Okta will probably not inform your competitor that your main sales guy is in North Carolina this week and has logged in from the conference room wifi of your competitor's main client.)

If you can trust the third party to not allow an interloper to bypass your requirements, you can delegate auth.

Oh you still have to build the auth system yourself? Well maybe a realtor does sound good now.

And the cookies are not difficult on a technical level, you just have to spend time understanding the threat models and mapping those models correctly onto your own app.

It is hard for serious use-cases. That does not mean you should not do it, but know what tradeoff you are doing in the build-vs-buy equation. Know that this part of your system probably requires more testing, review and expertise than your core product.

So yes, like Cloudflare Workers in some ways. Or like CodePen but fullstack. Or Replit. The val town "founding poem" was:

> If GitHub Gists could run,

> And AWS Lambda were fun

This from an account created 2 hours ago, with a username that’s a negation of the BetterAuth founder…

If you’re Clerk stakeholder why not just come out as yourself and engage openly!

It's only when you start getting into the details that you begin to suffer. For example, there's _still_ no way to do offline auth on mobile. So that your application could be opened if there's no connectivity at the moment. But hey, you can do the Metamask Web3 blockchain thingie!

I have never used Twitter/X, and I don't even have an account there. I'm purely talking about my personal experience and the experience of other companies that I know personally.

> Also, Better Auth’s X presence is pretty much centered around criticizing every auth provider out there, so the discourse there tends to skew heavily negative.

They are actually not wrong. Auth is not such a hard task, it's just a lot of drudgery that detracts you from the actual goal of your company. But it's critical functionality that MUST ALWAYS WORK, before all else. And Clerk just fails this test.

I'm switching my company to Logto (it's lightweight and when something breaks, I know how to pick up the pieces), so I don't even have an opinion on Better Auth.

Their recommended guide is to pretty much have your own RBAC using key value pairs they offer, which is IMO relatively lazy and most teams come up with this on their own anyway. I wish they offered something that is not prone to someone editing a JSON input manually on their website. You can do basic stuff with it, build tooling around it, but again the fundamental model of only user having a role on the org level has its limitations.

Also design wise, the main logo item (vortex looking thingy) is a tad bit complex, maybe think about a redesign focused on making it more simple/recognizable. The rotating dashes on the landing page hero are a good motif though, so I'd lean into that.

Also noticed that on this page: https://fusionauth.io/tech-papers/winter-2026-g2-fusionauth-... the form under "To get this tech paper complete the form below." doesn't load on Firefox with Enhanced Tracking Protection enabled. Disabling it causes the form to load though.

https://laravel.com/docs/13.x/authentication

https://laravel.com/docs/13.x/socialite

https://laravel.com/docs/13.x/sanctum

[0]: https://laravel.com/docs/13.x/socialite

At least to me it sounded very much like they were talking about mobile.

Sometimes that's just an opportunity

Then customers come and ask for SSO, SAML, OIDC, their niche auth protocol, 2FA, Pass phrases, etc...

And now your auth is a mess and a dedicated job to maintain and evolve.

Whether it's painful to put in later or not is sadly nothing that the managers and executives concern themselves with.

Does Better Auth offer this? Or any other auth libraries or solutions? I haven't heard of any, but haven't done an intensive look either.

I suppose you could do something with a cached JWT or cached password hash (though sending a password hash to a mobile client spooks me).

I'm in the space and interested in learning more.

Technically true, because Google's core product is ads. Also fundamentally wrong, because Gmail serves as a massive source of ad targeting information, in addition to being a high-engagement canvas to display those ads.

This is supported by Better Auth out-of-the box. It doesn't hide these kinds of stuff from you.

Ad display I'll still grant you of course.

I wasn't able to find the Better Auth docs about this use case, can you share them here please?