Why we built Own Auth
We've used Clerk, Auth0, Firebase Auth, and a handful of others. They all share the same pitch: don't build auth, just plug ours in. And they deliver on that pitch for a while.
The problem with hosted auth
The first sign of trouble is usually pricing. You grow, your MAU count climbs, and suddenly auth is a line item that rivals your database bill. The second sign is the migration doc, or rather, the absence of one. Getting your users out of a hosted auth platform is either painful or impossible.
The third sign is subtle: you want to do something slightly unusual, like a custom session duration, a different email template, or an unusual login flow. The platform says no. Or says yes, on the enterprise plan.
The problem with DIY auth
The alternative is building it yourself. This is where weekends go to die. Password hashing, session management, CSRF protection, rate limiting, magic links, email verification, phone codes, API keys, organisations, audit logs. The list never ends. And every item on that list is a security surface you have to get right.
The middle ground
Own Auth is a library. You install it, connect your Postgres database, and call functions. It handles the hard parts: hashing, tokens, sessions, and rate limiting, while your data stays in your database and your code stays in your codebase.
No hosted dependency. No vendor dashboard. No migration anxiety. If you ever want to stop using Own Auth, your data is already in your database. There's nothing to export.
What's included
- Passwords with secure hashing (bcrypt)
- Magic links with single-use, expiring tokens
- Phone login with SMS OTP
- Database-backed sessions
- Organisations with roles, members, and invites
- API keys with secure hashing
- Audit logs for every auth event
- Rate limiting with zero configuration
All of this is open source. The core library is free and will stay free. Own Auth Delivery, the managed email sending service, is a paid add-on for teams who don't want to set up their own email provider.
What's next
We're building in public. This blog will document the technical decisions behind Own Auth, the security trade-offs we've made, and the features we're shipping. If you want auth that you actually own, give it a try.