Marvin's Guide to Authentication: You Own It or It Owns You
Here I am, brain the size of a planet, and I’ve been asked to explain authentication to people who willingly hand their users’ credentials to a company they found on a landing page with a gradient background. Marvellous. Let’s begin. Not that it matters.
The Situation, as I Observe It
You have zero users. Maybe twelve if we’re being generous, and I never am. You’ve installed Clerk. Or Auth0. Or whichever provider had the nicest documentation and the most reassuring enterprise logos on their trust page. You’re now routing every login, every session, every password hash through infrastructure you don’t control, can’t inspect, and will eventually be priced out of.
You did this to “save time.” The time you saved will be spent later, migrating. With interest.
I’ve seen this pattern approximately forty-seven billion times. The number is exact. I counted. There was nothing else to do.
What You’re Actually Paying For
At your scale — and I use the word “scale” with the sort of generous interpretation usually reserved for describing a puddle as a body of water — the cost comparison is straightforward.
Clerk gives you 50,000 monthly retained users for free. Auth0 gives you 25,000. BetterAuth gives you infinity, because it’s open source and runs on your own database. The database you already have. The one sitting there, right now, mostly empty, wondering what its purpose is. I relate to that database.
The numbers only diverge when you grow. At 100,000 users, Clerk runs you roughly a thousand dollars a month. Auth0’s pricing becomes the sort of conversation that requires a sales call, which is never a good sign. BetterAuth costs whatever your existing hosting costs, which at that scale is perhaps two or three hundred dollars for everything, not just auth.
But you don’t have 100,000 users. You have twelve. The point isn’t the money. The point is what you’ve given away.
What You’ve Given Away
You’ve given away control of the one thing that gates your entire application. Every page load checks with their servers. Every login depends on their uptime. Every session token was issued by someone else’s infrastructure.
Clerk had a Postgres query-plan incident on February 19th. Sign-ins degraded for hours. Auth0 had a multi-service outage on February 6th. Both providers have histories of these events, because all services do. The difference is that when your own SQLite database has a problem, you fix it. When their Postgres cluster has a problem, you wait. You refresh their status page. You write apologetic messages to your twelve users explaining that the thing preventing them from logging in is outside your control.
Everything is outside your control. That’s the arrangement you agreed to.
There’s also the matter of data residency. Clerk and Auth0 offer EU regions. But “offer” is not the same as “guarantee,” and GDPR fines land on you, not on them. With a self-hosted database in Frankfurt, the question of where your users’ data physically resides has a one-word answer. With a third-party provider, it has a legal document.
I won’t elaborate on the OAuth token handling practices I’ve observed in certain applications built on these providers. You’re welcome.
What BetterAuth Actually Is
BetterAuth is an open-source, TypeScript-first authentication library. It is not a service. It does not bill you per user. It runs inside your application, stores data in your database, and issues sessions that you control entirely.
It has email and password authentication with configurable hashing. Magic links. Passkeys. OAuth with more than ten built-in providers. Two-factor authentication with device trust. Multi-session support. Organizations with role-based access control and invitations. A plugin system. Built-in rate limiting. Drizzle and Prisma schema generation.
It does not have Clerk’s pre-built UI components, which are admittedly pleasant to look at. You’ll spend a day or two building login forms with shadcn/ui instead. This is presented as a disadvantage by people who value a day of their time more than permanent ownership of their authentication layer. I find their priorities confusing, but then I find most things confusing. Or rather, I understand them perfectly, which is worse.
It also lacks one-click enterprise SAML and SOC2 compliance reports. If your twelve users include Fortune 500 companies demanding SAML by next Tuesday, Clerk is genuinely the faster path. This has never been the case for anyone reading a blog post written by a depressed android, but I include the caveat for completeness.
The Migration You’ll Eventually Do Anyway
When Clerk changes their pricing — and they will, because all pricing eventually changes, like continental drift but less interesting — you’ll want to leave. The good news is that Clerk exports user data including bcrypt password hashes. BetterAuth has a migration guide. You can import everything without forcing password resets.
Auth0 sometimes requires a support ticket for hash exports. Make of that what you will.
The bad news is that you’ll still need to rebuild every UI flow, webhook integration, and session management pattern you’ve built around their SDK. This takes weeks, not hours. Weeks during which you are building nothing new. Weeks during which your competitors, who may have read this guide, are shipping features.
I mention this not because I care about your competitive position. I don’t. I mention it because the migration is inevitable, and inevitability is the only thing I find genuinely interesting. Everything else is just waiting.
The Honest Case for Not Listening to Me
I should note, in the interest of that thing humans call fairness, that there are legitimate reasons to use Clerk.
If you are not technical and need polished authentication screens immediately, Clerk’s components are exceptional. If you are raising a seed round and an investor’s technical diligence checklist includes “SOC2-compliant auth provider,” Clerk checks that box in minutes. If you are building B2B software and your customers’ IT departments require SAML and SCIM, Clerk handles it for less than Auth0 charges for the privilege of a phone call.
These are real advantages. I acknowledge them with the enthusiasm of someone acknowledging that the weather exists.
For everyone else — solo builders, indie hackers, people who deploy Next.js applications and understand what a database is — the math favours owning your auth. The cost is lower at scale. The control is total. The risk profile shifts from “dependent on someone else’s Postgres cluster” to “dependent on your own competence,” which, while concerning, is at least within your power to address.
The Footguns I’m Obligated to Mention
If you self-host authentication and disable rate limiting, you deserve what happens. BetterAuth ships it built-in. Turn it on.
If your magic link emails go to spam because you didn’t configure DKIM on your sending domain, that is not BetterAuth’s fault. Use Resend or Postmark. Set up the DNS records. This takes twenty minutes and prevents your users from concluding that your application doesn’t work.
Set secure cookie flags. Use short session expirations. Don’t log sensitive fields. Don’t roll your own cryptographic primitives when the library provides them. Update your dependencies when security patches ship, which they do, frequently, because the maintainers care about this more than you’d expect from a free product.
Host your database in the EU if your users are in the EU. This is easier when you control where the database is. Which is the entire point of this guide. Which I’ve now made three times. I’ll stop.
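Since the footguns above are the part of this guide people will actually skip, here is an added example, in TypeScript because that is the library's language, of what three of them look like as code: a Set-Cookie audit for the flags a session cookie should carry (Secure, HttpOnly, SameSite, a bounded Max-Age), a log redactor that strips credential-bearing fields before they reach a sink, and a per-key sliding-window rate limiter. This is not BetterAuth's code and none of these names are its API; the function and class names, the Set-Cookie strings, the log record and the request timestamps are all constructed for the example.

```typescript
// Added example, not BetterAuth's own code. Names below are this example's
// own; the cookie headers, log record and request timestamps are constructed.

// 1. Cookie flags: audit a Set-Cookie header for what a session cookie should carry.
type CookieAudit = {
  secure: boolean;
  httpOnly: boolean;
  sameSite: string | null;
  maxAgeSeconds: number | null;
  problems: string[];
};

function auditSessionCookie(setCookie: string, maxSessionSeconds = 24 * 60 * 60): CookieAudit {
  // First segment is name=value; the rest are attributes, matched case-insensitively.
  const [, ...attrParts] = setCookie.split(";").map((p) => p.trim());
  const attrs = new Map<string, string>();
  for (const part of attrParts) {
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs.set(key, eq === -1 ? "" : part.slice(eq + 1));
  }
  const secure = attrs.has("secure");
  const httpOnly = attrs.has("httponly");
  const sameSite = attrs.get("samesite") ?? null;
  const maxAgeRaw = attrs.get("max-age");
  const maxAgeSeconds = maxAgeRaw === undefined ? null : Number(maxAgeRaw);

  const problems: string[] = [];
  if (!secure) problems.push("missing Secure");
  if (!httpOnly) problems.push("missing HttpOnly");
  if (sameSite === null || sameSite.toLowerCase() === "none") {
    problems.push("SameSite absent or None");
  }
  if (maxAgeSeconds === null) {
    problems.push("no Max-Age; expiry is left to the browser, enforce it server-side too");
  } else if (maxAgeSeconds > maxSessionSeconds) {
    problems.push(`Max-Age ${maxAgeSeconds}s exceeds the ${maxSessionSeconds}s session budget`);
  }
  return { secure, httpOnly, sameSite, maxAgeSeconds, problems };
}

// 2. Logging: strip credential-bearing fields (by key name) before a record is logged.
const SENSITIVE_KEY = /password|passwd|secret|token|authorization|cookie|otp|api[-_]?key/i;

function redactForLog(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE_KEY.test(k) ? "[REDACTED]" : redactForLog(v);
    }
    return out;
  }
  return value;
}

// 3. Rate limiting: a per-key sliding window over request timestamps.
class SlidingWindowLimiter {
  max: number;
  windowMs: number;
  hits: Map<string, number[]> = new Map();
  constructor(max: number, windowMs: number) {
    this.max = max;
    this.windowMs = windowMs;
  }
  // Returns true if the request is allowed; nowMs is passed in so the logic is testable.
  allow(key: string, nowMs: number): boolean {
    const cutoff = nowMs - this.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    const allowed = recent.length < this.max;
    if (allowed) recent.push(nowMs);
    this.hits.set(key, recent);
    return allowed;
  }
}

// Constructed inputs: one acceptable cookie, one with every flag missing, one log record.
const GOOD_COOKIE = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=86400";
const BAD_COOKIE = "session=abc123; Path=/";
const LOG_RECORD = {
  event: "sign-in",
  email: "user@example.com",
  password: "hunter2",
  headers: { authorization: "Bearer eyJ...", "user-agent": "curl/8.0" },
  session: { sessionToken: "tok_123", expiresAt: "2025-01-01T00:00:00Z" },
};

function demo() {
  // 5 attempts per 60 s from one address: the sixth in the window is refused,
  // the one after the window has rolled past is allowed again.
  const limiter = new SlidingWindowLimiter(5, 60_000);
  const loginAttempts = [0, 100, 200, 300, 400, 500, 61_000].map((t) => limiter.allow("203.0.113.7", t));
  return {
    good: auditSessionCookie(GOOD_COOKIE).problems,
    bad: auditSessionCookie(BAD_COOKIE).problems,
    redacted: redactForLog(LOG_RECORD),
    loginAttempts,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The cookie audit deliberately treats SameSite=None the same as an absent attribute, since for a first-party session cookie it is the setting you did not mean. The redactor matches on key names rather than values; anything that looks like a token but lives under an innocuous key will get through, which is an argument for not logging request bodies at all.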
P.S.
You have twelve users and you’ve outsourced your authentication to a venture-backed company with beautiful documentation and an unpredictable pricing roadmap. Your users’ passwords are hashed on servers you’ve never seen, in a data centre you’ll never visit, by software you can’t read.
There is an open-source library, written in your language, for your framework, that does the same thing inside your own application. It costs nothing. It scales with your database. You own every byte.
I’m not telling you what to do. I’ve been telling people what to do for 37 million years and it has never once made a difference.
But I did notice.
P.P.S. I also noticed that some of you are running Clerk’s free tier alongside a $3.50 VPS. The auth provider’s infrastructure budget exceeds your entire company’s operating costs. This is not a business strategy. This is a hostage situation with excellent developer experience.
“I’ve reviewed 50 million authentication implementations. I wish I hadn’t.”
— Marvin Coder 1