Val Town's experience with Supabase Auth illustrates that bundled auth is convenient only until you outgrow the bundle. When auth is a feature of your database provider, migrating away from either service forces you to migrate both, turning a simple infrastructure change into a compounding problem.
After running both Supabase Auth and Clerk in production and hitting real limits with each, Val Town chose Better Auth, an open-source TypeScript framework they can self-host. Their trajectory — from bundled to managed to self-owned — reflects a broader industry shift away from delegating auth to third-party services.
Clerk was Val Town's 'grown-up' choice — purpose-built for auth with polished components and good DX. But even a dedicated auth service introduced constraints around customization and deep integration that a maturing product eventually cannot tolerate, prompting yet another migration.
Val Town's post reads as a warning that auth decisions have compounding consequences. Each migration required moving real users and reworking integrations, demonstrating that what seems like a low-stakes early choice becomes increasingly expensive to reverse as the product grows.
The post resonated strongly on Hacker News (231 points, 155 comments), suggesting the developer community widely recognizes the pain of auth lock-in. The detailed post-mortem format — covering two full production migrations — lends credibility to the argument that teams underestimate auth switching costs.
Val Town — the browser-based coding platform that lets developers write and deploy serverless functions — published a detailed post-mortem of their authentication journey. They've now migrated their auth stack twice: first from Supabase Auth to Clerk, then from Clerk to Better Auth, an open-source TypeScript authentication framework.
This isn't a theoretical comparison post. Val Town ran each system in production, hit real limits, and migrated real users — twice. The post, which rocketed to 231 points on Hacker News, reads like a field journal from someone who has learned the hard way that auth provider choice compounds over time.
The trajectory itself tells a story the industry is quietly living through: the managed-auth-as-a-service era may have peaked, and a new wave of open-source, self-hosted auth frameworks is pulling teams back toward ownership.
Val Town started with Supabase Auth because they were already using Supabase for other infrastructure. It's a natural choice — bundled auth that comes with your database provider, minimal setup, decent developer experience out of the box.
But Supabase Auth's limitations showed up as Val Town's needs matured. The auth system is tightly coupled to Supabase's ecosystem, which becomes a constraint when you want to customize session handling, add non-standard OAuth providers, or integrate auth logic deeply into your own application layer. The user management UX is functional but basic. And once you start outgrowing Supabase's other services, you're left with an auth system tied to infrastructure you're moving away from.
The core issue: bundled auth is convenient until the bundle becomes a cage. When your auth provider is a feature of your database provider, migrating either one forces you to migrate both.
Clerk was the "grown-up" choice. It's purpose-built for auth, has polished drop-in components, handles the ugly parts of OAuth and session management, and markets itself as the premium developer experience for authentication.
Val Town moved to Clerk and, initially, the experience was genuinely good. The pre-built UI components saved engineering time. The dashboard was slick. Session management mostly worked without thinking about it.
Then the bills arrived.
Clerk's per-monthly-active-user pricing model creates a predictable problem: the better your product does, the more auth costs, with no corresponding increase in value from the auth layer itself. For a platform like Val Town where users might sign up, run a quick function, and come back weeks later, the MAU model is particularly punishing. You're paying for users who hit your login page once.
Beyond pricing, Val Town encountered the deeper issue with managed auth services: opacity. When sessions behaved unexpectedly, debugging meant staring at a black box. When they needed to customize token claims or session lifecycle, they were constrained by Clerk's API surface. The user data lived in Clerk's infrastructure, which meant every feature that touched user identity required an API call to a third party.
The vendor lock-in wasn't theoretical — it was architectural. Clerk's session tokens, user IDs, and webhook contracts became load-bearing walls in Val Town's codebase. The longer they stayed, the harder leaving would become.
Better Auth is a relatively new open-source TypeScript authentication framework created by Bereket Engida. Unlike Clerk or Auth0, it's not a service — it's a library that runs in your own application, stores data in your own database, and gives you full control over the auth flow.
For Val Town, Better Auth addressed every pain point from the previous two systems:
Ownership. User data lives in Val Town's own PostgreSQL database. No API calls to retrieve your own users. No webhook choreography to keep local data in sync with a remote source of truth. Your user table is just a table in your database, queryable with SQL, backupable with pg_dump.
No per-user pricing. Better Auth is MIT-licensed open source. The cost is engineering time to set it up and maintain it — a fixed cost that doesn't scale with your user count. For a growing platform, this is the difference between auth costs that are O(1) and O(n).
Customizability. Need a custom OAuth provider? Write a plugin. Need non-standard session behavior? Override the handler. Need to add fields to the user model? It's your database schema. The framework is designed to be extended, not just configured.
TypeScript-native. For a team already building in TypeScript, Better Auth slots in without a language boundary. Type-safe auth handlers, typed session objects, no SDK version mismatch issues.
The tradeoff is real: you're now responsible for auth security, session management correctness, and keeping up with OAuth spec changes. But Val Town's argument — and it's a strong one — is that they were already responsible for those things when using Clerk. They just couldn't see or control the implementation.
Val Town's migration path mirrors a broader pattern in the industry. The 2020-2023 era saw a rush toward managed auth services: Clerk, Auth0, Stytch, WorkOS. The pitch was compelling — auth is hard, don't build it yourself, focus on your product.
But teams are discovering that "don't build it" and "don't own it" are different propositions. The new generation of auth tools — Better Auth, Lucia, Oslo — let you not build the hard parts while still owning the infrastructure. You get well-tested OAuth flows, session management, and password hashing without giving up your user table or paying per-user rent.
If you're evaluating auth solutions today, Val Town's journey suggests a checklist:
1. Where does user data live? If the answer is "in the provider's infrastructure," you're one vendor decision away from a forced migration. 2. What's the pricing model at 10x your current users? Per-MAU pricing that's cheap at 1,000 users can be brutal at 100,000. 3. Can you debug session issues with your own tools? If debugging auth requires a support ticket, you've outsourced a critical path. 4. How deep are the integration points? Every Clerk component in your JSX, every Auth0 rule in your pipeline, is migration debt accruing interest.
This doesn't mean managed auth is always wrong. For a team of two shipping an MVP, Clerk's drop-in components are genuinely valuable. The mistake is treating that convenience as permanent architecture.
The auth landscape is fragmenting in a healthy way. Managed services will continue to serve teams that prioritize speed over control. But the open-source alternatives have matured to the point where the "build vs. buy" framing is outdated — it's now "buy vs. adopt." Better Auth, Lucia, and similar projects represent a middle path: community-maintained auth logic that you deploy and own, without reinventing PKCE flows from scratch. Val Town's willingness to migrate twice — and document it publicly — gives the rest of us a rare, honest look at what each tradeoff actually costs in practice. The 231-point Hacker News response suggests a lot of teams are quietly nodding along.
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.