From Supabase to Clerk to Better Auth

Posted by stevekrouse 17 hours ago

From Supabase to Clerk to Better Auth(blog.val.town)

263 points | 193 comments

tornikeo 15 hours ago|

Can someone more intelligent then me tell me why should I offload my postgres users table to some 3rd party provider? Like what is so hard about keeping that table in my VM on hetzner that I have to give it off to someone else? It's not payments, it's just a few fields of data

SkyPuncher 15 hours ago||

It’s just a few fields until it’s not.

SSO, SAML, SCIM, OIDC, OAuth, 2FA, passwordless auth, verification tokens, etc etc, And, variations of each for wildly popular systems you’ll be expected to integrate with but don’t support the exact spec.

For a while at my company, half our support engineers time went to handling random SSO issues that came up in our home built auth system.

sreekanth850 7 hours ago|||

I don’t know when we became this lazy. Auth is hard, sure, but putting your users table and sessions behind a vendor API is not something cool. Tell me one feature that is not supported by libraries like OpenIddict (You can build around) or Keycloak?

sevenzero 4 hours ago|||

I think the main argument usually is time savings. Personally I just always do E-Mail and password auth, yea its old and not the shiny new thing, but it doesn't require me to integrate 200 different ways of doing auth.

We should be able to demand users remembering their passwords, I dont like to cater towards users who simply dont want to put in the work to use my product.

Will I lose potential users over this? Yes. Does it feel bad knowing I am in control and wont have to offload to 3rd party vendors? Hell no.

sreekanth850 3 hours ago|||

Same here, Just email + password, no google dependency initially. If more users ask we will think of it. but again you don't need a cloud vendor for all this.

dotancohen 3 hours ago|||

That's great for B2C, but B2B demands SSO.

sevenzero 3 hours ago||

Not really, we do B2B. E-mail & password is good enough for our customers. They really really dont care about what kinda auth we use.

Orygin 1 hour ago||

Great for you but that's not the case for a lot of B2B contracts we have. A lot of them require integrating with their SSO, not just for login but for permissions too

selfmodruntime 1 hour ago|||

Well the disadvantage is that you're responsible for your companies keycloak.

Gareth321 1 hour ago||

Exactly. Do you want to become ops? Because that's how you become an ops team.

moooo99 2 hours ago||||

> For a while at my company, half our support engineers time went to handling random SSO issues that came up in our home built auth system.

fwiw, we also have entire staff dealing with SSO issues among our employees and users, despite relying on external services to handle auth.

A problem domain as complex as authentication is bound to habe issues of some sort. But I am not sure if I would be so fond of „outsourcing“ something as integral to my services as the access to these services

Gareth321 1 hour ago||

There is a trust component for sure, but a business requires assessing the value of time against revenue. I can say for our org that using an off the shelf solution like Clerk saves us time and money and we believe the risk is very small relative to the savings. Maybe the cost for you is not large right now, but when you've got 20 enterprise customers all asking for specific OIDC integrations configured with Private Link, custom domains, and private clusters, an auth solution starts looking mighty fine.

jarym 14 hours ago||||

"home built auth system" is bound to have "random SSO issues". You fix them, that's how things mature.

tomrod 10 hours ago|||

Supabase's auth is MIT licensed and OSS, is it not?

https://github.com/supabase/auth/blob/master/LICENSE

ctm92 9 hours ago||

Supabase is OSS but it's a real pain to actually self host it

theturtletalks 8 hours ago||

Couldn’t you get Claude to go into Supabase’s auth code and make your custom like their’s but adapted to your stack?

linkregister 8 hours ago||

"Claude, make my custom like their's but adapted to my stack. Make no mistakes"

theturtletalks 3 hours ago|||

You’ll have to drive the agent to do it, not a one-shot task. It’ll also require you to understand your codebase.

ofrzeta 6 hours ago||||

This is not funny because people are doing that for real.

fakedang 5 hours ago||

Exhibit A, mi.

kahnclusions 6 hours ago|||

And don’t hallucinate.

SkyPuncher 11 hours ago||||

Yep, it’s just a drag. It’s not our core product value so any effort we put into it is a drag.

ButyTh0 7 hours ago||

Rather than just use an email solution Google built GMail into a massive email solution despite it not being a core product

Sometimes that's just an opportunity

jdmichal 29 minutes ago||

> ... not being a core product

Technically true, because Google's core product is ads. Also fundamentally wrong, because Gmail serves as a massive source of ad targeting information, in addition to being a high-engagement canvas to display those ads.

exi2 5 minutes ago||

Google has not been scanning gmail mails for ad targeting since 2017. I think after 9 years we can finally let that one go.

Ad display I'll still grant you of course.

rubogubo 14 hours ago|||

I'm guessing they simply didnt want to spend the time and money doing that

janderson215 12 hours ago||

Possibly didn’t want to accept the additional risk that comes with rolling your own auth as well.

amluto 11 hours ago||||

Is this perhaps a reason to have a Users table that is separate from the table of data on how you authenticate that user?

EtienneK 6 hours ago||||

That’s when you install Keycloak.

sebmellen 7 hours ago||||

Just use Ory Kratos and self host it.

faangguyindia 4 hours ago||||

is it just me? who just uses magic links delivered via email or telegram as backup?

impulser_ 14 hours ago|||

Majority of apps are B2C apps, they don't need any of this.

All you need is Apple and Google Oauth.

sandeepkd 11 hours ago|||

If you are just starting out its probably a good idea. Think about the use case when google bans either your app or bans your app user?

deaux 8 hours ago||

Then your business is entirely screwed anyway because you've just lost half the market

At least to me it sounded very much like they were talking about mobile.

mooreds 13 hours ago|||

It depends on your use case.

If you are a B2C app, you are probably more concerned about:

- social providers (Apple and Google being the big ones, but others could play a role--FB or Tiktok for example)

- easy registration (but not too easy, you want to avoid bot spam)

- self-service account management (updating profile fields, consents [CCPA, GDPR, others], resetting passwords

- single sign-on between your apps (if you have multiple)

- language support (for your backend, and mobile/web front end)

- cost

- possibly MFA, possibly passkeys

therealpygon 15 hours ago|||

Why pay someone to build a house? I’m sure you could do it yourself…but that doesn’t mean that is the best use of your time in all cases. The analogy is basic but apt; not everyone needs or wants to run (or create) every mechanism. I don’t do all of my own hosting either and it’s not because I couldn’t, it’s that it isn’t worthwhile in my cases.

To expand a bit more: if a business is faced with a choice to save some money by increasing risk, having people who’s job it isn’t managing and supposedly securing that information, or to have a third-party who job is literally to handle and worry about those things, who carries independent insurance, and who is on the hook if they lose customer data, and in exchange the business is simply taking the risk of associating with business that could do a poor job — which of those options sounds more appealing from a business sense? It’s a lot easier to blame someone else than earn back trust for your own major mistakes because you tried to write your own software to save a little money.

That’s the SaaS value proposition.

the__alchemist 14 hours ago|||

I see Postgres etc as the builder. Supabase is more like the realtor; a middle man extracting profits and complicating the situation.

Orygin 1 hour ago||

Does Postgres talk OpenID connect directly? Does it integrate SAML easily?

Oh you still have to build the auth system yourself? Well maybe a realtor does sound good now.

pietz 15 hours ago||||

This comment is more ridiculous than ever in 2026.

gessha 13 hours ago|||

If you’re implying that people should __always__ roll their own services and never vendor out non-core parts, the security industry would love to learn where you work.

arikrahman 14 hours ago||||

Yes the analogy doesn't work here because that is much more cost prohibitive and labor intensive.

ajdegol 14 hours ago||||

Because of AI or because hackers are hyper targeting infra clusters?

dnnddidiej 14 hours ago|||

Emperor, meet clothes.

notatoad 15 hours ago||||

>that doesn’t mean it’s the best use of your time in all cases

Okay, so… what are those cases? I’m also curious.

elevation 14 hours ago||

> Okay, so… what are those cases? I’m also curious.

If you're willing to make a third party SaaS's uptime the ceiling for your own org, you can delegate auth. Github might not be a good choice for SSO.

If you're not threatened by per-user-per-month fees, you can delegate auth.

If your threat model is compatible with a third party having visibility into your user's network location and the frequency and duration of their activities across your org, you can delegate auth. (Okta will probably not inform your competitor that your main sales guy is in North Carolina this week and has logged in from the conference room wifi of your competitor's main client.)

If you can trust the third party to not allow an interloper to bypass your requirements, you can delegate auth.

fnoef 3 hours ago|||

This is such an absurd take.

For starters, if I'm a "house builder" by trade, then yeah, I am going to build the house myself. Otherwise, why should the client pay me, and not the guy I'm subcontracting?

Secondly, there is no such thing as a "house builder" profession. It consists of a lot of different trades people, some of them having legal power to sign off your house build (for example an electrician). Now, we could try to push for something similar in software engineering, and say require you to have an "authentication engineering certificate" in order to handle code related to auth, and only a person holding the certificate can allow such code for production use. But I'm pretty sure all the vibe coders and tech bros will cry how unfair and bureaucratic the system is.

But of course the entire SWE profession is based on grifting, and extracting as much money as possible from the customers while cutting the costs. If you are so afraid to save passwords to a database, then at least don't call yourself a software engineer.

egorfine 2 hours ago|||

Because auth is a productivity tarpit. Anything plan on doing with auth looks simple but almost never is. Homegrown auth can easily sunk half of your dev and support teams.

Of course, we're not talking about email/password with "remember me" checkbox kind of auth.

aatd86 2 hours ago||

I wonder if it is not people being notoriously lazy or clueless at an astonishing degree. How often do you hear that password were saved in plaintext? Surprisingly high in this day and age.

People not knowing what salt and pepper is... Vulnerabilities almost as if on purpose...

Perhaps it is actually not THAT hard but just like error handling, people don't want to do the unsexy parts and want to delegate those tasks to someone else perhaps. There must be a behavioral pattern there...

selfmodruntime 1 hour ago|||

Your comment has a bit of an inexperienced smell. Business auth infinitely more complex than saving a user and salting/hashing his password.

> There must be a behavioral pattern there...

The pattern is that your comment is very far from reality.

egorfine 1 hour ago|||

> want to delegate those tasks to someone else perhaps

And this someone's name begins with "Cla" and ends with "ude".

So we're going to have a lot more vulnerabilities in the auth code going forward.

eddythompson80 15 hours ago|||

Don't you wanna level up your career to become an architect? You can draw a box, call it "User Management" and slap "Clerk" or some other SaaS on it, and assume it's managed for you. This allows you to shove whatever requirements you want in that magic blackbox as you feel "it doesn't bring value" for you to implement.

jarek83 14 hours ago|||

I must as intelligent as you because I also never understood why things like supabase even exist. I believe this shows how much front-end dev world is detached from how things can simple and secure by default.

dnnddidiej 14 hours ago|||

Do you say the same about AWS RDS. Are you saying VMs is all you need and it is a doddle for anyone with FE only experience to set up, maintain and scale.

kevmo314 7 hours ago||

Yes many people do say the same about AWS RDS.

f3408fh 10 hours ago|||

Yeah you’re a bit confused. Supabase has nothing to do with frontend other than providing SDKs and some frontend components to integrate with their backend.

il 13 hours ago|||

People are very scared of messing up authentication and getting hacked. They would rather offload that responsibility to a third party and not think about it.

sandeepkd 11 hours ago||

Unfortunately this is a common premise and on surface its a good idea too to let a expert in particular domain handle it. Where it gets muddy is when this third party are themselves learners and just see this as a good business opportunity

oompydoompy74 15 hours ago|||

BetterAuth is users in your own database. So you don’t have to!

mvkel 15 hours ago|||

Start any greenfield project, hand-coded auth takes up 50% of the development time of the entire MVP

princevegeta89 7 hours ago|||

I would disagree here. You probably need OAuth with popular social services and implement username, password or OTP-based auth overall. For an MVP, you don't need to care about more details beyond this; it is hardly 10% of the entire effort, if not 5%.

jadbox 12 hours ago||||

I feel seen. It's compounded if you also need to add HIPAA row-level security compliance that spans to every form of resource.

xmcp123 14 hours ago||||

…use Django, install auth modules

awestroke 15 hours ago||||

It takes like an hour. So that's a quick mvp then

transitorykris 15 hours ago||

Social logins, email logins, password resets, multi-tenant, organizations, many to many users to organizations, etc etc. Not necessary for MVP, but can definitely be painful hacking in later if the MVP hits.

koliber 15 hours ago|||

What you are talking about is in a large part authentication. You can do authentication using an external service and still have your user table locally. You can also do authorization locally with a local session table while leaving authentication to a SaaS.

RedShift1 15 hours ago||||

By the time you're so big you need all of that, there will be other people at the table to "hack that in".

SkyPuncher 15 hours ago||

I strongly disagree. If you’re selling to other businesses, much of that is an expectation.

pdimitar 14 hours ago||||

Social logins, multi-tenant and organizations are very far from table-stakes for an MVP.

Whether it's painful to put in later or not is sadly nothing that the managers and executives concern themselves with.

Orygin 1 hour ago||

Depends on the company and product. The SSO/Social login, multi tenant and multi platform are indeed needed for my MVP.

xmcp123 14 hours ago||||

All I am seeing here is Django modules

the__alchemist 14 hours ago|||

Django, Rails etc handles this.

mvkel 10 hours ago||

So... you just have to not build your web app in the most popular web app language? Somehow i think there will be big time debt from that decision

nimchimpsky 14 hours ago|||

[dead]

rubslopes 11 hours ago|||

People are afraid to touch dangerous things, like passwords and payment systems. Depending on their skill level, they should indeed be afraid.

sevenzero 3 hours ago||

I roll both of these at work, from auth to cashless payments to regular online payments. It's not as hard as people make it out to be. Probably a lot harder at big companies with huge attack surfaces and attention though.

the__alchemist 14 hours ago|||

I am just as confused as you. My 2c: For a broad range of requirements, running your DB directly and managing auth with Django or similar is easier. Perhaps at enterprise scale, this changes.

jonas21 13 hours ago|||

That's what they did. They migrated to Better Auth, which stores everything in your DB. It's the equivalent of Django auth for the Typescript ecosystem.

throwaway613746 13 hours ago|||

[dead]

cpard 9 hours ago|||

It feels like a good idea when you are early on in building your product and what matters is quickly iterating on the core features that define your product.

It’s not just the table, it’s also the auth and many other things that you know you will need but you would prefer to focus on other stuff.

Almost always you start by saying that you will replace that when the time comes and you have proved you have a product and now it’s time to actually build the real thing.

Some teams do that and some other, never migrate away and that’s how the GTM of companies like Clerk works.

sudoshred 9 hours ago|||

Some people enjoy vendor locked managed services for their core infrastructure. Typically this decision is made when building from zero to one in resource constrained environments, and the long term play is to move to your own table/db when it becomes sustainable to do so. The only reason to move to a managed service after having done the work to setup self owned systems is when you need to either a) CYA or b) reduce headcount

giancarlostoro 11 hours ago|||

The only project where this was the case that I didn't hate it was at a former employer, and it gave the responsibility of securing users to Auth0 and minimized our PII and attack surface, since even the login page was not hosted or controlled by us. Worse case you somehow hacked our users and got some free entree reward they had, otherwise good luck trying to get very little data.

It allowed us to do SSO for small one-off marketing / campaign focused sites. I could give a specific login URL and it would always log you in if you were already logged on.

Viveletta 5 hours ago|||

I'm working at a tiny non-IT company. Outsourcing this work and the security of not having my non IT trained coworkers being able to touch the server is great (but a VM would do the same ofcourse, while costing money). Most of all, we currently don't even need paid tiers of supabase since our software is so small.

Given, I feel if you run supabase at a big company you are either lazy and probably have too much budget to spend on useless costs.

normie3000 15 hours ago|||

AuthN is hard and generic, authZ is easy and specific. Offload authN, and keep your users table in your Hetzner.

pbalau 14 hours ago|||

You are not supposed to offload your users table, you are supposed to offload your password field.

mooreds 12 hours ago||

I wrote an article about this: https://ciamweekly.substack.com/p/ciam-for-the-single-applic...

The tl;dr of the article is that there are auth specific features that are not differentiated but that users expect. Just like you might outsource pieces of functionality like data storage and message sending to specialized servers/libraries/applications, you can do the same with authentication.

The article could use some improvements, tbh, it is 2.5 years old.

bekacru 16 hours ago||

Hey, Bereket from Better Auth here. I started Better Auth to solve this exact issue for myself, and it later turned into a company. It always give me joy to just see others getting the same value from it :) There is a lot to work on, would love to know what we can improve

rbbydotdev 16 hours ago||

Do you think the complexity of auth in the browser, is because browsers don't do enough?

bekacru 16 hours ago|||

I think auth is complicated outside of browsers too. But browsers do make some things uniquely confusing, especially cookies and general security primitives are full of footguns

pc86 15 hours ago||||

Not who you're replying to but browsers do way too much. Load the code you're given and don't do anything else.

mooreds 12 hours ago|||

FedCM might be of interest to you. It's one effort to make browsers do more around authentication.

Wrote an article about that here: https://fusionauth.io/articles/authentication/fedcm (hosted at my employer's website)

behailu 14 hours ago||

Hey hey! Qq: you guys plan to support Python backends or is there a way for us to do this?

coreylane 14 hours ago||

Works fine with my fastapi backend using the JWT plugin. I run better-auth as a standalone service.

https://better-auth.com/docs/plugins/jwt

behailu 12 hours ago||

Aha very cool thanks

JSR_FDED 10 hours ago||

So let me be the one to invite ridicule and scorn by admitting I wrote my own auth code. It was fiddly and boring at the same time. It also wasn’t rocket science, and it works well. I’ll be the first to admit that there are cases where this is a bad idea, I’m just responding to the chants of never roll your own auth.

Knowing every single line of code involved allowed me to add some location-based functionality for one client, provide tailored logging to meet the needs of another client, and my favorite was winning a deal against much bigger competitors by being able to integrate with an absolutely ancient legacy system.

Just like “Goto considered harmful”, DRY, YAGNI, etc - they’re great at making you slow down and think. But they’re not inviolable.

dvt 10 hours ago||

Kind of funny how something that used to be routinely self-written has been outsourced to libraries. I must’ve written auth like a few dozen times back in the PHP days, not particularly hard or complicated. There’s a million tutorials on how to salt and store passwords. I’ve had my sites attacked many times, but never breached. (JWT, OAuth, etc. has added a ton of surface area, however. So these days it’s inevitably harder to do.)

brabel 55 minutes ago|||

Username and password as the only option to authenticate is really getting obsolete. You need to support social login, passkey, email links, maybe SMS or some other less secure methods depending on your target market… and more often also new standards like verifiable credentials with wallets managing credentials, including logins. Good luck writing your own implementations.

rozap 7 hours ago|||

And now the libraries have been outsourced to saas companies because ???

ramon156 3 hours ago||

Because we need to move faster and cheaper, that's the future

princevegeta89 7 hours ago|||

I recently worked at a stupid startup where the entire logic of the app was basically delegated to several third-party services out there. It felt like an absolute piece of shit overall. Following the flow of things end-to-end was a nightmare. It was so stupid because the so-called co-founder PM at that company thought it would be cool to keep doing that.

I am with you on this.

j45 10 hours ago|||

It's not that crazy. It can take time to do and get right, and is time away from other things.

Even if done for fun/learning, it can teach how the details of auth work to better appreciate and understand how other systems work and what to look out for.

I prefer to use existing things if possible, but if it was getting unreasonable to get it how it was needed, it wouldn't be off the table.

ipnon 10 hours ago|||

It’s not that crazy! Or hard. If you can store a hashed password in your users table, and keep the salt secret, you have working auth.

SahAssar 9 hours ago|||

I'm not discouraging anyone from writing your own auth, but if you have even a little bit higher requirements it becomes more complex. For example I have audited codebases where the TOTP code was enough to get a valid token (without a password, due to a bug), where there was no rate limits on password attempts and one where the password lockout system meant that you could DDoS all admin access trivially, etc, etc. That's even before you need to integrate with a third party via something like OIDC or SAML or SCIM which are probably needed for a product used by businesses these days.

It is hard for serious use-cases. That does not mean you should not do it, but know what tradeoff you are doing in the build-vs-buy equation. Know that this part of your system probably requires more testing, review and expertise than your core product.

skrtskrt 8 hours ago||||

Cookie management and CSRF stuff harder to get right, hashing passwords is completely trivial with and library.

And the cookies are not difficult on a technical level, you just have to spend time understanding the threat models and mapping those models correctly onto your own app.

LVB 5 hours ago|||

And then the client asks for SAML & OIDC support, and codes via SMS, and god knows what else.

Orygin 1 hour ago||

Indeed. Password auth was always easy to do, and it seems half the commenters here think that's all you need in modern times.

Then customers come and ask for SSO, SAML, OIDC, their niche auth protocol, 2FA, Pass phrases, etc...

And now your auth is a mess and a dedicated job to maintain and evolve.

benatkin 7 hours ago||

I'm actually surprised val.town outsources it. So what you're doing makes sense to me.

wxw 16 hours ago||

I enjoyed the Supabase migration article from a while ago (https://blog.val.town/blog/migrating-from-supabase) as well. There's a shortage of good, honest writing on long-term engineering decisions, please keep up the blog!

BoppreH 15 hours ago||

> A hard lesson you learn building a complex system is that its reliability is the minimum of the combined reliability of its critical parts.

It's worse than that, the combined availability is the product of all components in the critical path. If your software, the authentication layer, and the cloud provider each have 99% availability, and any one of them can bring your service down, then your final availability is just 97%. With eleven components like that you have zero nines of availability.

That's why reducing components and going for reliable solutions is so important. I'm happy that the team took this path.

gordonhart 14 hours ago|

Learned this one the hard way during the last major CloudFlare outage. I don't use them, but their outage bricked my app for hours anyway because the Auth0 public keys used to verify JWTs were served behind CloudFlare, breaking the entire auth chain. Fun!

luodaint 1 hour ago||

Notable that in each step, there’s an added abstraction; specifically, an authentication abstraction is the hardest one to reverse.

Using a passwordless login from scratch (magic link + Google OAuth2, sessions stored in Postgres without an external auth vendor) gets us around that altogether. The fears about why one would avoid it are generally not justified. Deliverability is the only true problem. Address that, with a proper provider for transactions, and we’re in boring territory – which is the most delightful kind.

To move from Clerk to Better Auth is logical if the choice is between sovereignty and convenience. It’s the core problem that any group doesn’t want to confront right away: “How much of this am I truly willing to own?”

arian_ 5 hours ago||

The auth migration cycle is the startup version of moving apartments. You swear each time will be the last, you lose stuff in the transition, and somehow the new place has the exact same problems as the old one but in different rooms.

snide 16 hours ago||

This is why I'm so thankful I went with Lucia early. They sort of sunset their library and replaced it with documentation (and some small utilities) for how to manage and host authentication for yourself. It's always presented as some big, scary thing you can't manage yourself, but I found that taking the week to learn how security and basic salting works, I was able to feel more confident about how everything worked.

lioeters 15 hours ago|

https://lucia-auth.com/

I remember when they deprecated the library and instead made it a learning resource on implementing auth from scratch. Brilliant decision, much respect to the author.

koala-news 43 minutes ago||

Feels like auth is either “this took 2 hours” or “this consumed half the company for 3 years”, with basically no middle ground.

swyx 2 hours ago|

> And reluctantly I have to hand it to the LLMs here: with the augmentation of the robots, we were able to take the more complex route of supporting both Better Auth and Clerk for a transitional period of two weeks. Every endpoint that handled authentication would accept either kind of cookie, and users slowly moved over to Better Auth because that was the kind of session that the sign-in page provided. Like anything related to security, close reading, rewriting, and testing of all of the code was necessary to make sure we didn't self-own, and the eventual pure-Better Auth auth was handwritten entirely.

just beautiful. nothing to add, clap clap

More comments...