From Supabase to Clerk to Better Auth

Posted by stevekrouse 18 hours ago

From Supabase to Clerk to Better Auth(blog.val.town)

263 points | 193 commentspage 2

danborn26 1 hour ago|

Better Auth has been a huge time saver for me. Clerk's pricing got a bit out of hand for side projects.

_heimdall 12 hours ago||

I'm surprised to see so many top comments here promoting building your own auth. For years I've only heard "never roll your own auth."

DimmieMan 11 hours ago||

I think it's a correction, There's multiple levels of interpretation:

1. Don't roll your own crypto

2. Don't roll your own auth strategy

3. Don't Roll your own auth code

4. Don't host your own auth infrastructure.

For the last few years level 4 has been aggressively pushed with a lot of advertising spend to push people towards prohibitively expensive hosted providers. Donning a tinfoil hat for a moment, auth as a service companies have made everything seem substantially more difficult than it is too for simple needs.

Now we're seeing a correction back to 2 and 3 as people way up the risks of SaaS vs just using a easier to manage local library and discovering it's not as scary as it's been made out to be if you follow now fairly well established patterns.

the providers aren't going anywhere, people still need them for a variety of reasons but their time as the default is ending and whether this is good is to be determined.

jpalomaki 6 hours ago|||

It’s likely because the quick thought is that auth is just user table with hashed password.

Then when you really start thinking about it, the list of requirements grows.

Of course it’s still totally doable for an average developer, but takes time and mistakes can be catastrophic. And maybe the time is better spent developing stuff that differentiates you from others.

small_scombrus 12 hours ago||

There are few hard and fast rules, but "never use something that could change as a primary key" and "never roll your own Auth" will always be true

jillesvangurp 6 hours ago||

This sounds like moving the problem, not solving it. I've been doing server based systems since forever and sso is this big complicated topic where people seem to bias to using either really complicated and convoluted enterprise solutions or some walled garden with lots of limitations.

In both cases you are buying into somebody else's solution. That complex framework is complex because the company behind it threw everything and the kitchen sink at it. You don't actually need most of what it needs. And that company makes money by adding more crap to it, via certification, training and consulting. It's complex by design. You can't just sit down and use it. You have to study it first. Become an expert in using it. If you've ever used Keycloak, Spring Security, or similarly convoluted solutions, you know what I'm talking about.

And then that walled garden thing (auth0 or whatever is in fashion these days) is super simple to use. Just do magic steps 1 2 and 3 and you are good to go. But don't deviate from the happy path! There is a happy path. Either you are a perfect match for it or you aren't.

The middle ground is realizing that a users table with a bcrypt encrypted password column and a few other bits and bobs isn't all that hard. Building some sane flows around resetting passwords, 2FA, emailing login links, etc. Easy.

You can actually vibe code most of this stuff these days. And I've done all this manually in the past as well. I've implemented SSO, Oauth (1 & 2), OpenID Connect, etc. I've implemented API call counting, rate limiting, 2FA, etc. I use some frameworks for most of the heavy lifting and dealing with hashing, JWTs, and all the rest. Most of the rest is just simple API plumbing. Most of these flows aren't all that complex. You need good tests and a good understanding of what the system is supposed to do. But that's a constant in this space. Trying to use somebody else's really complicated solution without that is not going to be easier, better, or faster.

WilcoKruijer 17 hours ago||

You could almost call the comparison between Clerk and Better Auth unfair. One is a service and one is a library, apples to oranges. Any third-party service integrated into a stack is a liability, libraries as well, but to a lesser degree. It’s about time for more services to be replaced by libraries. Better Auth really shows how to do that imo, it’s a library that integrates on the frontend, backend, and database. This is why it’s so good.

oncensher 15 hours ago||

Had a similar journey recently. Started with Stack Auth, found it unusable in production due to extremely hard rate limits and bad performance even when not rate limited. Switched to WorkOS AuthKit, which works much better and supports useful enterprise features. But inclined to BetterAuth for new projects.

- Syncing external auth provider state with your user state is a bug center. It helps to keep as little state as possible in the auth provider, but there is still some. - Refreshing JWT access tokens every few minutes is another bug center and honestly there is no need to do this if you control your own auth. - WorkOS does not have a complete API. It is built on the assumption that you have one product per billing account and a fixed number of environments (staging, production, and they can give you another one if you ask support). You have to whitelist redirect and other URLs in the dashboard, and there doesn't seem to be an easy way for agents to do it.

Outsourcing auth does not make much sense IMO. The less you can split your state over multiple services the fewer problems you will have. Sometimes it is inevitable, like for payments, or if you need specialized databases for performance reasons. But for auth there is really no good reason if good libraries are available. To people who say that using a service will help you get started faster, none of the problems I hit with auth services had to do with having high scale -- most of them hit before I even launched.

mooreds 13 hours ago|

> Outsourcing auth does not make much sense IMO. The less you can split your state over multiple services the fewer problems you will have.

I agree with the general principle. Fewer moving pieces make for more stable applications ("choose boring technology"[0]).

However, I was wondering what you do when you have more than one application that the same userbase wants to access. I can see 3 options:

1. make them register/have credentials for each application (not a great user experience)

2. use a standalone auth server and deal with the increased complexity

3. pick one of your applications to 'own auth' and have the other applications delegate to it. congrats, you've just invented a standalone auth server that is coupled to one of your apps

What am I missing?

0: https://boringtechnology.club/

jakubriedl 9 hours ago||

I've recently switched from Clerk to BetterAuth as well and it's really good and definitely would recommend to anyone. It supports more things I need, it's more reliable, and much cheaper.

The reason why it work for me is that it's finally a open-source solution that is on par or better with commercial. When I've selected Clerk originally the reason was that there wasn't open-source alternative, and I won't roll my own auth, I'm not suicidal. But now? I really don't see a single reason why I would pick Clerk, Auth0, Kinde, ...

swyx 9 hours ago||

> There is no val associated with this domain

stevekrouse 9 hours ago|

back online!

elAhmo 16 hours ago||

Using Clerk, quite unhappy with it. No proper RBAC (roles are tied to organizations, not stored on user itself, so you cannot have a concept of global admin or something like that, unless you use metadata for storing arbitrary key value paris), and more than once in the past weeks/months it had a downtime causing the whole app to fail.

Would think twice before using it in the future.

nateb2022 8 hours ago||

You're conflating authentication and authorization.

Clerk is an authentication provider for the most part, it concerns itself with telling you who the user is. Based on that your business logic should be able to determine what they are entitled to do.

They offer a Org/Role based RBAC but since you're doing something different I'd just scrap it entirely and roll your own authorization flow, they have a guide that'll help you get your own started here: https://clerk.com/docs/guides/secure/basic-rbac

elAhmo 4 hours ago||

For the most part is the troubling part :D Ideally there is one vendor that handles this, as a team we don't want to deal with Clerk + something else just for RBAC, so naturally we tried to solve it via Clerk.

Their recommended guide is to pretty much have your own RBAC using key value pairs they offer, which is IMO relatively lazy and most teams come up with this on their own anyway. I wish they offered something that is not prone to someone editing a JSON input manually on their website. You can do basic stuff with it, build tooling around it, but again the fundamental model of only user having a role on the org level has its limitations.

mooreds 13 hours ago|||

Disclaimer: I work for a Clerk competitor, FusionAuth.

Can you share your evaluation process? I'm always curious how folks evaluate auth providers.

Did you do a spike? Full POC across a couple of solutions? Rely on a recommendation from a friend? Run through a quickstart and decide it worked and you had bigger problems to solve? Something else?

nateb2022 8 hours ago||

Nice website! I like your docs too. Small tip though, the couple obviously AI-written articles (ostensibly for SEO purposes) in your footer are a little of a code smell.

Also design wise, the main logo item (vortex looking thingy) is a tad bit complex, maybe think about a redesign focused on making it more simple/recognizable. The rotating dashes on the landing page hero are a good motif though, so I'd lean into that.

Also noticed that on this page: https://fusionauth.io/tech-papers/winter-2026-g2-fusionauth-... the form under "To get this tech paper complete the form below." doesn't load on Firefox with Enhanced Tracking Protection enabled. Disabling it causes the form to load though.

pdantix 13 hours ago||

i'm currently in the process of evaluating switching our b2b app off clerk too. a customer asked for custom roles (diverging from our default set), which is technically possible on clerk now with role sets, but it's a bit of a workaround rather than first class.

thankfully i'm familiar with better auth from a side project, but migrating SSO/SCIM sounds like it might be a bit of a pain

colinclerk 11 hours ago||

[dead]

rbbydotdev 17 hours ago||

Tom's articles are always a good read.

Anyone remember Auth0 and passportjs?

The churn of auth services is never ending, but I suppose so are the standards.

mooreds 13 hours ago||

Disclaimer: I work for an Auth0 competitor, FusionAuth.

Heya, Auth0 is still around! They got bought by Okta in 2021 but still have a free tier and we see them in a lot of bake-offs.

clintonb 17 hours ago||

OAuth 2.x and OIDC haven’t changed much. I still use Passport.js with Firebase.

olegoode 8 hours ago|

Super validating, as someone who was recently tempted to use Supabase for a project and decided to give Better Auth a shot instead. It's really made things super simple so far to the point I was semi-worried I'd missed a crucial step. But nope, they just thought of everything.

More comments...