
Why AI Should Never Generate Your Authentication Code

Authentication is the highest-risk code in your application. It's also the code AI tools generate most confidently and most incorrectly.

AI tools generate auth code that works in demos and fails under attack. The reason is structural: AI is trained on code that demonstrates patterns, not code that has survived adversarial conditions. Security is adversarial by nature.

What AI Gets Wrong About Authentication

Session management.

AI generates sessions that work for the happy path. Token refresh, concurrent sessions, and invalidation on password change are where real auth breaks.
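The three failure points named above (refresh, concurrent sessions, invalidation on password change) in one small in-memory session store. This is an added example, not code from the article: the TTL, the session cap per user, and the "password generation" counter that ties a session to the password it was issued under are all constructed policy choices.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TTL = 15 * 60        # seconds a token stays valid without a refresh (assumed policy)
MAX_SESSIONS_PER_USER = 3    # cap on concurrent sessions per user (assumed policy)


@dataclass
class User:
    user_id: str
    password_generation: int = 0   # bumped on every password change


@dataclass
class Session:
    user_id: str
    issued_generation: int         # password generation at issue time
    expires_at: float


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._users: Dict[str, User] = {}

    def add_user(self, user: User) -> None:
        self._users[user.user_id] = user

    def create(self, user: User, now: float) -> str:
        # secrets, not random: a session token must be unpredictable
        token = secrets.token_urlsafe(32)
        # enforce the concurrent-session cap by evicting the oldest session first
        live = sorted(
            (t for t, s in self._sessions.items() if s.user_id == user.user_id),
            key=lambda t: self._sessions[t].expires_at,
        )
        while len(live) >= MAX_SESSIONS_PER_USER:
            del self._sessions[live.pop(0)]
        self._sessions[token] = Session(
            user.user_id, user.password_generation, now + SESSION_TTL
        )
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        s = self._sessions.get(token)
        if s is None:
            return None
        user = self._users[s.user_id]
        # reject expired sessions and any session issued before the last password change
        if now >= s.expires_at or s.issued_generation != user.password_generation:
            del self._sessions[token]
            return None
        return s.user_id

    def refresh(self, token: str, now: float) -> Optional[str]:
        # rotate on refresh: the old token stops working so a leaked copy cannot be replayed
        user_id = self.validate(token, now)
        if user_id is None:
            return None
        del self._sessions[token]
        return self.create(self._users[user_id], now)

    def change_password(self, user_id: str) -> None:
        # bumping the generation invalidates every existing session for this user
        self._users[user_id].password_generation += 1

    def live_sessions(self, user_id: str, now: float) -> int:
        return sum(1 for t in list(self._sessions) if self.validate(t, now) == user_id)
```

The generation counter is what makes "log out everywhere on password change" cheap: nothing has to enumerate the user's sessions, each one simply fails its next validation.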

Authorization vs. authentication.

AI reliably generates authentication — are you logged in? — and misses authorization — are you allowed to do this specific thing? The result: authenticated users can access another user's data.
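The same gap shown as code: a handler that checks only "logged in" beside one that also checks object ownership on every read and write. This is an added example, not from the article; the in-memory `DOCUMENTS` store, the status codes, and the `load_owned` gate are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Document:
    doc_id: str
    owner_id: str
    body: str


# constructed in-memory store standing in for the database
DOCUMENTS: Dict[str, Document] = {
    "doc-1": Document("doc-1", "alice", "alice's notes"),
    "doc-2": Document("doc-2", "bob", "bob's notes"),
}


def get_document_unsafe(session_user: Optional[str], doc_id: str) -> Tuple[int, str]:
    # Authentication only: any logged-in user gets any document id they ask for.
    if session_user is None:
        return 401, ""
    doc = DOCUMENTS.get(doc_id)
    return (404, "") if doc is None else (200, doc.body)


def load_owned(session_user: Optional[str], doc_id: str) -> Tuple[int, Optional[Document]]:
    """Shared gate: authentication, then authorization against the object's owner.

    Every handler that touches a document goes through here, so the check cannot
    be forgotten on one endpoint. "Not found" and "not yours" return the same
    status so the endpoint does not confirm which ids exist to non-owners.
    """
    if session_user is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user:
        return 404, None
    return 200, doc


def get_document(session_user: Optional[str], doc_id: str) -> Tuple[int, str]:
    status, doc = load_owned(session_user, doc_id)
    return status, (doc.body if doc else "")


def update_document(session_user: Optional[str], doc_id: str, new_body: str) -> Tuple[int, str]:
    status, doc = load_owned(session_user, doc_id)
    if doc is None:
        return status, ""
    doc.body = new_body
    return 200, doc.body
```

Managed row-level security (listed in the table below) enforces the same ownership rule in the database, which protects you even when an application handler forgets to call the gate.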

Cryptographic implementation.

AI generates cryptographic code that is syntactically correct but semantically wrong: deprecated algorithms, incorrect key derivation, or insecure random number generation.
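Two of those three mistakes in one place: a fast unsalted hash (the shape AI tools often emit for password storage) beside a salted, memory-hard hash with a constant-time verify and parameters stored alongside the digest. This is an added example, not the article's code. The checklist below asks for bcrypt or argon2; this example uses scrypt from Python's standard library so it runs without third-party packages, and the storage and verification pattern is the same for all three. The cost parameters are constructed and should be tuned for your hardware.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters (constructed; raise them as hardware allows)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password_unsafe(password: str) -> str:
    # Unsalted, fast, deterministic: identical passwords collide and the whole
    # table can be attacked offline with precomputed hashes.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(SALT_BYTES)           # secrets, never random
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES,
    )
    # record the parameters with the digest so they can be raised later
    # without invalidating existing records
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except ValueError:
        # malformed record: fail closed rather than raise into the request handler
        return False
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(actual, expected)
```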

Privilege escalation paths.

AI doesn't reason about attack paths; it generates the happy path. Privilege escalation attacks find the paths nobody designed for.

What to Use Instead

| Auth concern | Managed solution |
|---|---|
| User authentication | Clerk, Auth0, Supabase Auth, AWS Cognito |
| OAuth / social login | Managed auth providers |
| API authentication | AWS API Gateway, Kong, managed JWT with proper libraries |
| Row-level access control | Supabase RLS, PostgreSQL policies, Oso |
| Secrets management | AWS Secrets Manager, Doppler, HashiCorp Vault |

The argument against managed solutions is usually cost or customization. The actual cost of a breach is orders of magnitude higher than any managed auth service.

The Audit Checklist

  • Is token refresh handled correctly?
  • Is authorization checked on every endpoint?
  • Are passwords hashed with bcrypt or argon2?
  • Are API keys stored in a secrets manager?
  • Is RLS enabled on all tables containing user data?
  • Is there rate limiting on authentication endpoints?
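The last checklist item, rate limiting on authentication endpoints, as a sliding-window limiter keyed both per account and per source address. This is an added example, not from the article; the limits, windows, and the `password_ok` flag standing in for a real credential check are constructed.

```python
from collections import deque
from typing import Deque, Dict, Tuple

# (max failures, window in seconds) per bucket type; constructed policy values.
# The per-account bucket stops targeted guessing from many addresses; the
# per-address bucket stops one source from spraying many accounts.
LIMITS = {"user": (5, 300), "ip": (20, 300)}


class LoginRateLimiter:
    def __init__(self) -> None:
        self._failures: Dict[Tuple[str, str], Deque[float]] = {}

    @staticmethod
    def _keys(username: str, ip: str):
        return [("user", username), ("ip", ip)]

    def _prune(self, key: Tuple[str, str], now: float) -> Deque[float]:
        _, window = LIMITS[key[0]]
        q = self._failures.setdefault(key, deque())
        while q and q[0] <= now - window:     # drop failures outside the window
            q.popleft()
        return q

    def allow(self, username: str, ip: str, now: float) -> bool:
        for key in self._keys(username, ip):
            max_fail, _ = LIMITS[key[0]]
            if len(self._prune(key, now)) >= max_fail:
                return False
        return True

    def record_failure(self, username: str, ip: str, now: float) -> None:
        for key in self._keys(username, ip):
            self._prune(key, now).append(now)

    def record_success(self, username: str, ip: str) -> None:
        # clear the account bucket only; a success from a source that is also
        # failing against many other accounts is still worth limiting
        self._failures.pop(("user", username), None)


def attempt_login(limiter: LoginRateLimiter, username: str, ip: str,
                  password_ok: bool, now: float) -> str:
    # Check the limiter before touching the password hasher, so a locked
    # pair costs nothing to reject and the response is the same whether or
    # not the account exists.
    if not limiter.allow(username, ip, now):
        return "locked"
    if not password_ok:                        # assumed result of verify_password()
        limiter.record_failure(username, ip, now)
        return "denied"
    limiter.record_success(username, ip)
    return "ok"
```

In production the failure buckets belong in a shared store such as Redis rather than process memory, otherwise every app instance keeps its own count and the effective limit multiplies by the number of instances.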

FAQ

Is there any auth code AI can safely generate?

AI can safely scaffold integration with a managed provider. It cannot safely generate the auth logic itself.

Our app is small and low-risk. Do we still need managed auth?

Yes. The attack surface depends on what data you have and what an attacker can do with it, not how important you think you are.

How much does a managed auth provider cost?

Clerk, Supabase Auth, and AWS Cognito all have free tiers sufficient for early-stage apps. This is not a meaningful cost consideration against the alternative.

Need an auth review?

If AI generated your auth or authorization logic, review it before a user or attacker does.
