
Authentication Checklist for AI-Built Apps

Sign up, log in, password reset, 2FA

When you vibe code authentication with tools like Cursor, Lovable, Bolt, v0, or Claude Code, the generated code often works in development but misses critical production requirements. This checklist helps you catch what AI missed before you ship.

Danger Zone (critical risk)

If someone can pretend to be your user, nothing else in your app matters

Login looks simple — an email field, a password field, a button. But behind that button is a whole world of things that need to go right: remembering who's logged in across page refreshes, making sure "forgot password" links can't be guessed, stopping someone from trying a million passwords, and handling what happens when people sign in with Google or GitHub. Every shortcut here is a door left unlocked.

Failure scenario

You launch your app. 500 people sign up. Everything works great for a few months. Then someone figures out that your "stay logged in" tokens never expire — so a token leaked in a browser extension or shared computer lets them into someone else's account permanently. Now you're emailing 500 users about a security breach before you've even made revenue.

Common mistakes

  • Passwords stored in a way that's easy to reverse (like a simple scramble instead of a proper one-way lock)
  • "Stay logged in" tokens that never expire — so a leaked token works forever
  • "Forgot password" links that follow a guessable pattern
  • No limit on login attempts — someone can try thousands of passwords per minute
  • Sign in with Google/GitHub that doesn't properly verify the response, letting attackers fake it

Time to break: 6-18 months before someone finds and exploits a weakness

How are you building this? The prompts below cover the case where you use a managed login service rather than building your own.

Audit Prompts

Copy these into your AI coding assistant to check your implementation.

Is your login service set up correctly?
security
Look at how we've connected our login service (like Clerk, Auth0, or Supabase Auth). Check these things: Do login sessions expire after a reasonable time? When the service sends us updates (webhooks), do we verify they're actually from the service? Are the URLs where users get redirected after login locked down to only our site? Is the login service's code library up to date? Are we using the service's built-in protections or bypassing them anywhere?

Even when you use a login service, a bad setup can leave holes. It's like having a great lock on your door but leaving the window open.

Can people access pages they shouldn't?
security
Check every page and API endpoint that should require login. Are they actually checking if the user is logged in on the server (not just hiding the link in the menu)? Could someone access another user's data by changing a number in the URL? Are admin-only actions actually restricted, or just hidden from the UI?

The most common mistake with login services is hiding buttons in the UI but not actually locking down the pages behind them. It's like removing the doorknob but not the door.
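The server-side decision those questions are about, as an added example (not code from this page or from any of the services named). The in-memory `users` and `invoices` maps and the `session` object are constructed stand-ins; with a managed service the session would come from that service's server-side SDK and the records from your database.

```javascript
// Added example, not code from the page or any login service. Handlers are
// plain functions returning { status, body } so the authorization decision can
// be tested without a web framework. All data below is constructed.
const users = new Map([
  ['user_1', { id: 'user_1', role: 'member' }],
  ['user_2', { id: 'user_2', role: 'member' }],
  ['user_9', { id: 'user_9', role: 'admin' }],
]);

const invoices = new Map([
  ['1001', { id: '1001', ownerId: 'user_1', total: 42 }],
  ['1002', { id: '1002', ownerId: 'user_2', total: 99 }],
]);

// Resolves the signed-in user from the session on every request. With a
// managed service this is where you would call its server-side SDK; a session
// object that never reached the server (e.g. only a hidden UI flag) is not one.
function currentUser(session) {
  if (!session || typeof session.userId !== 'string') return null;
  return users.get(session.userId) || null;
}

// GET /invoices/:id -- the "change a number in the URL" case. The ownership
// check happens here, on the server, regardless of what the UI showed.
function getInvoice(session, invoiceId) {
  const user = currentUser(session);
  if (!user) return { status: 401 };
  const invoice = invoices.get(String(invoiceId));
  // Returning 404 for both "missing" and "not yours" avoids confirming to a
  // logged-in user that another user's invoice id exists.
  if (!invoice) return { status: 404 };
  if (invoice.ownerId !== user.id && user.role !== 'admin') return { status: 404 };
  return { status: 200, body: invoice };
}

// DELETE /users/:id -- an admin-only action. The role check is enforced here,
// not by hiding the button in the UI.
function deleteUser(session, targetUserId) {
  const actor = currentUser(session);
  if (!actor) return { status: 401 };
  if (actor.role !== 'admin') return { status: 403 };
  if (!users.has(targetUserId)) return { status: 404 };
  users.delete(targetUserId);
  return { status: 204 };
}
```

The pattern to look for in AI-generated handlers is a route that reads `invoiceId` from the URL and queries the database by that id alone; the fix is always to include the caller's identity (or role) in the check, as `getInvoice` does.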

What happens when someone forgets their password?
security
Check our password reset setup. Do reset links expire quickly (within an hour)? Does the account lock after too many wrong password attempts? Is email verification required before someone can access the app? When someone types a wrong email on the login page, does the error message reveal whether that email has an account?

"Forgot password" is the back door to every account. If someone can guess or intercept a reset link, the actual password doesn't matter.

Is login slowing down your app?
performance
Check how our login system affects page speed. Is the app calling the login service on every single page load? Is it caching (remembering) login status so it doesn't need to re-check every time? When someone navigates around the app, does each page wait for a login check before showing anything?

Login checks happen on every page. If each check takes an extra half-second because it's calling an external service, your whole app feels sluggish.
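The caching that prompt asks about, as an added example (not code from this page or any login service), with the two caveats a practitioner would want: a short time-to-live so a revoked session is not trusted for long, and an explicit revoke on logout so it is not trusted at all. `fetchSessionFromProvider` is a constructed stand-in for the provider's server-side lookup, and the token values are made up.

```javascript
// Added example, not code from the page or any login service. Caches the
// result of a session lookup so a page render does not call the provider on
// every request, but bounds how stale that answer can be and lets logout
// clear it immediately. `fetchSessionFromProvider` is a constructed stand-in.
const SESSION_CACHE_TTL_MS = 60 * 1000; // re-check with the provider at least once a minute
const cache = new Map();                 // sessionToken -> { session, expiresAt }
let providerCalls = 0;

// Stand-in for the provider's API: returns the session for a known token.
function fetchSessionFromProvider(token) {
  providerCalls += 1;
  const known = { tok_alice: { userId: 'user_1' } }; // constructed
  return known[token] || null;
}

// Returns the session for a token, serving from cache while the entry is
// fresh. Invalid tokens are never cached, so a bad token cannot pin a false
// "logged in" answer, and nothing is cached past the TTL.
function getSession(token, now) {
  const hit = cache.get(token);
  if (hit && now < hit.expiresAt) return hit.session;
  const session = fetchSessionFromProvider(token);
  if (session) {
    cache.set(token, { session, expiresAt: now + SESSION_CACHE_TTL_MS });
  } else {
    cache.delete(token);
  }
  return session;
}

// Call on logout (or when the provider reports a revoked session via webhook)
// so the next request goes back to the provider instead of the cache.
function revokeSession(token) {
  cache.delete(token);
}

function providerCallCount() {
  return providerCalls;
}
```

If the cache is shared across server instances (Redis, for example) the same rules apply; what changes is that `revokeSession` must reach every instance, which is why a logout webhook from the provider is worth wiring up.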

Checklist


Smart Move

Use a service

Login is the riskiest thing to build yourself. One mistake exposes every user. Services like Clerk or Auth0 handle security updates, edge cases, and compliance across millions of apps — and most have generous free tiers. Unless you have a very specific reason to build your own, don't.

Clerk

Plug-and-play login pages, Google/GitHub sign-in, and user management — works great with Next.js

10,000 monthly active users free

Auth0

Enterprise-grade login with 30+ social sign-in options and compliance certifications

25,000 monthly active users free

Supabase Auth

Good choice if you already use Supabase for your database — login is built in

50,000 monthly active users free

Tradeoffs

You're trusting a third party with your most critical system. If you ever need to switch services, it means rebuilding your entire login flow and migrating all user accounts. Worth it for the security you get in return.

Did you know?

86% of web application breaches involve stolen login credentials, and it takes an average of 287 days to even detect that it happened.

Source: Verizon 2024 Data Breach Investigations Report
