How to Add Authentication to Your App (2026)
Auth is the one thing you cannot bolt on later without pain. Here is how to get it right the first time.
We evaluate every tool based on published features, real-world usage, community feedback, and independent testing where possible. Affiliate commissions never influence our rankings. How we research ยท Editorial policy
Auth is an architecture decision, not a feature
Authentication is not something you add to your app. It is something your app is built around. Every API route, every database query, every page render needs to know who is asking. Adding auth to a live app means touching everything.
This is why auth is on our launch checklist as "cannot retrofit without rebuilding." If you have an app with real users and no auth, adding it means migrating user data, rewriting session handling, building password reset flows for accounts that never had passwords, and checking every single route.
Pick your auth approach before your first API route. Not after.
Your options in 2026
The auth market has split into three tiers: drop-in services that handle everything, framework-level libraries you wire up yourself, and built-into-your-backend-platform solutions.
Drop-in auth services
Clerk is the polished option. Pre-built sign-in components, user management dashboard, social login, MFA - all out of the box. Free for up to 10,000 monthly active users. The UI looks professional from day one. The trade-off: it is a dependency. If Clerk changes pricing or gets acquired, you are deep in their system.
WorkOS AuthKit gives you 1 million monthly active users free - an order of magnitude more than Clerk. It is geared toward B2B apps with enterprise SSO needs. If you are building for businesses that need SAML and SCIM, this is the answer.
Auth0 (now Okta) is the enterprise standard. Powerful but complex. The free tier is limited (7,500 active users, 2 social providers). Pricing jumps quickly. For a solo founder, it is usually overkill.
Framework-level auth libraries
NextAuth (now Auth.js) is the standard for Next.js apps. Free, open source, self-hostable. You configure the providers (Google, GitHub, email/password), connect it to your database, and wire it into your routes. The learning curve is moderate but the documentation is good.
We use NextAuth across our projects. It does what we need and costs nothing. The setup took a few hours the first time, and now we know the pattern well enough to add it to a new project in under an hour.
The trade-off compared to Clerk: you are responsible for the UI (login forms, profile pages, password reset flows). NextAuth gives you the logic; you build the interface. For some founders that is a feature - you control exactly how it looks and works.
Lucia is a newer alternative - lighter weight, framework-agnostic. Good if you want even more control than NextAuth gives you.
Platform auth (Supabase, Firebase)
If you are already using Supabase for your database, Supabase Auth is the natural choice. It is built in - same dashboard, same project, same billing. Free for 50,000 monthly active users. Supports email/password, social login, phone OTP, and magic links.
Firebase Auth from Google is similar - generous free tier, easy to set up, good documentation. The catch is the same ecosystem trap we mentioned in the hosting article: once you are in Firebase, you are in Google Cloud.
Both work well. Both create a dependency on their platform. If you are already using the platform for other things, using their auth makes sense. If you want to stay portable, use NextAuth or Lucia.
If you use Supabase: enable Row Level Security immediately
This is the most common security mistake in new apps built with Supabase. Row Level Security (RLS) controls which database rows each user can access. Without it, any authenticated user can potentially read or modify any row in any table.
AI coding tools generate Supabase code without RLS policies by default. The app works, the developer ships it, and every user can see every other user's data by changing a URL parameter or API call.
Enable RLS on every table before your first query. Write policies that restrict access to owned data. This is not optional - it is the difference between a working app and a data breach waiting to happen.
RLS is not something you add later. It requires auditing every query against every table. Build it in from day one or accept that your users' data is not isolated.
Auth security decisions that matter
Store auth tokens in httpOnly cookies, not localStorage. localStorage is accessible to any JavaScript running on your page - one XSS vulnerability means full account takeover. httpOnly cookies cannot be read by JavaScript. Switching from localStorage to cookies after launch means rewriting every auth flow and every API call.
Always hash passwords with bcrypt or Argon2. Never store plaintext passwords. This sounds obvious, but AI-generated code does not always get it right.
Add rate limiting to your login endpoint from day one. Without it, an attacker can try thousands of passwords per minute. Upstash Redis makes this straightforward.
Use HTTPS for everything. Auth tokens sent over HTTP can be intercepted. This should be automatic if you set up SSL first (which is on the checklist).
The self-hosted option
NextAuth / Auth.js is the self-hosted answer. It runs in your own app, stores sessions in your own database, and has zero external dependencies. If you are already running a VPS, there is no additional cost.
Keycloak is the enterprise self-hosted option - full-featured identity management with admin UI, social login, SAML, LDAP. It is Java-based and heavy (needs 2GB+ RAM), so it is overkill for most solo founders. But if you are building something that will need enterprise SSO eventually, it is worth knowing it exists.
Authentik is the lighter self-hosted alternative to Keycloak. Python-based, lower resource requirements, good Docker setup. Worth considering if you need more than NextAuth but less than Keycloak.
What we actually use
NextAuth across all our projects. Free, self-hosted, full control. The first setup took a few hours. Every setup after that has been under an hour because we know the pattern.
If we were building a new project today and wanted the fastest possible path to "users can log in," we would use Clerk. If we wanted full control and zero cost, NextAuth. If we were already on Supabase, Supabase Auth.
The decision depends on what you value: speed (Clerk), control (NextAuth), or integration (Supabase Auth). All three work. None of them are wrong.
Auth is an architecture decision, not a feature you add later. Choose your approach, enable security basics (httpOnly cookies, rate limiting, RLS if using Supabase), and build everything on top of it.
Frequently Asked Questions
Technically yes, but it is painful. Every route needs checking, user data needs migrating, and you need to build password reset flows for accounts that never had passwords. It is significantly easier to build auth in from the start.
It depends on what your time is worth. Clerk gives you a polished login UI, user management dashboard, and social login in minutes. NextAuth gives you the same functionality but you build the UI yourself. If shipping fast matters more than saving $25, Clerk is worth it.
If your app is purely public content with no user-specific data, no. But the moment you need to distinguish between users - even for something as simple as saved preferences - you need auth. Build it in before you need it.
Magic links (email a login link instead of using a password) are excellent for reducing friction. NextAuth, Clerk, and Supabase Auth all support them. The trade-off: you depend on email deliverability. If your transactional email is not set up properly, users cannot log in.