Auth provider
An auth provider is the managed service handling user identity — sign-up, sign-in, password reset, OAuth, MFA — so app code doesn't reinvent the security-critical user flow. Supabase Auth, Clerk, Auth0, WorkOS are 2026 leaders.
Building auth from scratch is a known footgun: timing attacks, password hashing, session expiry, OAuth state validation, MFA flows, refresh tokens, account-takeover paths. Auth providers handle the entire surface as a managed service.
2026 categories:
- BaaS-bundled (Supabase Auth, Firebase Auth, Appwrite Auth): integrated with the same vendor's database.
- Standalone consumer (Clerk, Auth0, Stytch): polished UI components.
- Standalone enterprise (WorkOS, Frontegg): SSO, SCIM, RBAC.
- Self-host (Keycloak, Authentik, Ory).
Choosing: BaaS-bundled if you're already using the BaaS; Clerk if Next.js + great DX; WorkOS if SSO / SCIM are the requirement; Keycloak if EU residency + open source.
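Two of the footguns named above, timing attacks and OAuth state validation, shown as an added example (not code from this page or from any of the providers listed): a naive check beside a hardened one. The function names, `SECRET`, `MAX_AGE` and the in-memory nonce set are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: server-side key, one per deployment
MAX_AGE = 600                     # assumption: a state is valid for 10 minutes
used_nonces = set()               # assumption: in-memory; real apps need shared storage


def sign(session_id, nonce, issued):
    # session_id is assumed server-generated and free of the "|" separator.
    msg = f"{session_id}|{nonce}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_state(session_id, now=None):
    """Create the `state` value sent with the authorization request."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)
    return f"{nonce}.{issued}.{sign(session_id, nonce, issued)}"


def naive_check(expected, returned):
    # Footgun: == can return at the first differing character (timing side
    # channel), and nothing enforces expiry, session binding or single use.
    return expected == returned


def verify_state(session_id, returned, now=None):
    """Return (ok, reason) for the `state` received on the callback."""
    now = time.time() if now is None else now
    parts = returned.split(".")
    if len(parts) != 3:
        return False, "malformed"
    nonce, issued, mac = parts
    # Constant-time compare on bytes. The MAC covers the session id, so a
    # state issued to a different session fails here.
    expected = sign(session_id, nonce, issued)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad signature"
    if now - int(issued) > MAX_AGE:  # safe to parse: the MAC verified it
        return False, "expired"
    if nonce in used_nonces:
        return False, "replayed"
    used_nonces.add(nonce)
    return True, "ok"
```

The hardened path needs four separate checks (signature, session binding, expiry, single use) where the naive one has a single comparison.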
When to use an auth provider
- Any production app — don't roll your own auth.
Common mistakes
- Rolling your own auth — known footgun.
- Skipping MFA on admin accounts.
Related terms
- Row-level security (RLS) — Row-level security is a Postgres feature where access policies are enforced per-row at the database layer — Supabase's primary auth pattern, foundational for multi-tenant apps that talk to Postgres directly from the client.
Last updated: 2026-06-01.