Don’t Roll Your Own Auth (Please)
Category: Art
Description
Every junior developer tries to build a login system from scratch with JWTs stored in local storage. This is a security nightmare (XSS attacks). This item compares the best modern solutions:

NextAuth.js (Auth.js): Best for Next.js apps. Own your data, easy social logins (Google, GitHub).
Clerk: Incredible DX, handles multi-factor auth, session management, and user profiles out of the box. Expensive at scale but free for starters.
Supabase Auth: Great if you are already in the Supabase ecosystem.

Key Takeaway: Storing JWTs in localStorage is bad practice. Use httpOnly cookies. I’ve included a diagram showing the secure flow of a refresh token rotation.
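The refresh token rotation mentioned above, sketched as an added example (not code from this item or from any of the libraries it names): each refresh token is single-use, is delivered in an httpOnly cookie, and replaying an already-used token revokes the whole token family. The function names, cookie name, path and lifetime are assumptions, and the in-memory Map stands in for a database.

```javascript
// Added example: refresh token rotation with reuse detection.
// All names (issue, rotate, refreshCookie, refresh_token) are hypothetical.
const crypto = require('node:crypto');

const store = new Map();           // sha256(token) -> { userId, familyId, used }
const revokedFamilies = new Set(); // families killed after a replay

// Only a hash of the token is stored, so a leaked store does not leak tokens.
const hash = (t) => crypto.createHash('sha256').update(t).digest('hex');

// Issue a fresh opaque refresh token; a login starts a new family.
function issue(userId, familyId = crypto.randomUUID()) {
  const token = crypto.randomBytes(32).toString('base64url');
  store.set(hash(token), { userId, familyId, used: false });
  return { token, familyId };
}

// HttpOnly keeps the token out of reach of page JavaScript (unlike localStorage).
function refreshCookie(token) {
  return `refresh_token=${token}; HttpOnly; Secure; SameSite=Strict; ` +
         `Path=/auth/refresh; Max-Age=604800`;
}

// Exchange a presented refresh token for a new one.
function rotate(presented) {
  const rec = store.get(hash(presented));
  if (!rec || revokedFamilies.has(rec.familyId)) {
    return { ok: false, reason: 'invalid' };
  }
  if (rec.used) {
    // An already-exchanged token came back: treat it as theft, revoke the family.
    revokedFamilies.add(rec.familyId);
    return { ok: false, reason: 'reuse_detected' };
  }
  rec.used = true;
  const next = issue(rec.userId, rec.familyId);
  return { ok: true, userId: rec.userId, token: next.token,
           setCookie: refreshCookie(next.token) };
}
```

After a reuse is detected, the newest token in that family is rejected as well, so the user has to log in again.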
