Starter kits pick an identity strategy for you. That choice shapes your monthly burn, your compliance story, and how painful a migration will be two years later. Know which camp you are buying into.
Custom auth (email/password + sessions or JWT)
- Pros: no per-MAU identity bill, full control of UX, data stays in your database.
- Cons: you own hashing, reset flows, lockouts, and session theft response.
- Best when: you want a lean stack and can maintain security basics.
Hosted auth vendors
- Pros: faster OAuth, battle-tested flows, less crypto surface area in your repo.
- Cons: pricing scales with users; migration off-vendor is a project; outages are external.
- Best when: speed and enterprise SSO matter more than unit economics early.
Questions to ask the codebase
- Where do password hashes live, and which algorithm?
- Can you revoke all sessions for a user?
- Are refresh tokens rotated and reuse-detected?
- If OAuth exists, are state parameters validated?
- Is there an escape hatch if you drop the vendor later?
Cost curve intuition
At 100 users, hosted auth fees are noise. At 50,000, they can dwarf your kit purchase. Custom auth front-loads engineering and back-loads ops. Pick deliberately; do not inherit the kit author's burn rate by accident.
Hybrid patterns
Some kits use custom passwords plus optional Google/GitHub. That is fine when both paths write to the same users table and share session rules. It is a mess when OAuth users are a parallel universe with different entitlement checks.
Match the kit's auth model to your constraint sentence from the selection guide, then verify revoke and reset paths before you trust it with real accounts.