Should I "Roll My Own" Auth?

    Jack HerringtonJack Herrington

    Question: Should I "roll my own" auth?

    Answer: In my opinion, definitely not. Registering with a service, logging in, logging out, these are "table stakes" in any application or SaaS. Unless your application is specifically an authorization provider there is no reason for you to build your own login flow from scratch.

    Here are some of my reasons:

    • It's additional tech debt that provides no unique value for your application. Even if it only takes you an hour to write a complete login/logout/etc. flow, you will end up with a lot of custom code that will need to be maintained. All code has bugs and this will too.
    • It's really easy to integrate with existing authentication/identity providers like Google, Meta, Amazon, Apple, etc.
    • From a customer perspective it's a lot easier to manage their identity with a service provider like Google, etc. than it is to create a unique user on your service.
    • If you are going to large companies those companies will likely want a security audit of your service. If that involves your custom code that will be significantly more to audit. And data leaks involving authentication and the storage of email addresses and passwords are exactly the kinds of issues that spell big troubles for a company. Why risk that?
    • It costs literally nothing to use authentication services like GitHub or Google.

    Another point in favor of using something off the shelf is the awesome next-auth library that makes it super easy to integrate with any number of service providers. With just a few lines of code you can allow folks to login, logout and you will have the user IDs, names and avatars you need to provide your service.

    Subscribe for Free Tips, Tutorials, and Special Discounts

    We're in this together!

    I respect your privacy. Unsubscribe at any time.