Adding Auth Without Really Understanding Auth

Login and user accounts used to be a whole engineering project. Supabase and Clerk turn it into a 20-minute prompt. Here is the playbook.

30 min · Reviewed 2026

Auth Used to Be a Project

Building login from scratch used to mean hashing passwords, managing sessions, resetting passwords over email, and praying you did not leak data. Now Supabase and Clerk do all of that. You add a few lines and you have real users.

Pick one: Supabase or Clerk

Tool	Strength	Pick it when
Supabase Auth	Free tier, bundled with a Postgres DB	You also need a database and storage
Clerk	Prebuilt UI, best-in-class UX, social logins	You want the login page to look professional out of the box

Add email magic-link sign-in using Supabase to this Next.js app.

- Install @supabase/supabase-js and create lib/supabase.ts
- Store SUPABASE_URL and SUPABASE_ANON_KEY in .env.local
- Create /login page with an email input and a Send magic link button
- Create /dashboard page that requires a logged-in user — redirect to /login if not
- Add a small header showing the user's email and a Sign out button

Keep the styling consistent with the rest of the app.One scoped prompt, one clean auth system. Tell the agent exactly which pages to protect.

Middleware redirects unauthenticated users to /login (Next.js middleware.ts)
Server components check auth at render time before showing sensitive data
Client components use a hook like useUser() to show loading states
Never trust the client to enforce security — always check on the server

The big idea: auth is a solved problem. Use Supabase or Clerk, let your AI wire it up, and spend your brain cells on the feature that makes your app special instead.

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-vibecoder-supabase-auth

A developer wants to add user accounts to their web app and also needs a database to store user data. Which authentication service would be the better choice according to the comparison in this material?
1. Clerk, because it offers the best prebuilt UI for login pages
2. Auth0, because it has the most extensive enterprise features
3. Firebase Auth, because it integrates best with mobile apps
4. Supabase, because it bundles authentication with a PostgreSQL database
In a Next.js application, what does middleware.ts handle for authentication?
1. It stores session tokens in browser cookies
2. It encrypts user passwords before storing them in the database
3. It generates new user accounts automatically
4. It redirects users who are not logged in to the /login page
By default, are tables in Supabase public or private?
1. Public - anyone can read and write without authentication
2. Hidden - tables exist but cannot be queried
3. Private - only the table owner can access them
4. Encrypted - data is scrambled but accessible with the right key
What does the useUser() hook do in a client component?
1. It checks if a user is logged in and provides their information for UI display
2. It creates new user accounts in the database
3. It automatically logs out inactive users
4. It encrypts user data before sending it to the server
What is described as the #1 security mistake that vibe-coders make with Supabase?
1. Using Clerk instead of Supabase
2. Not installing enough authentication providers
3. Forgetting to enable Row-Level Security on their tables
4. Using too complex passwords for their admin account
When building login from scratch in the past, what were developers NOT required to do?
1. Manage user sessions
2. Build a social login feature
3. Hash passwords before storing them
4. Implement password reset functionality over email
What is the main value proposition of modern auth services like Supabase and Clerk?
1. They turn authentication from a complex engineering project into a quick setup task
2. They eliminate the need for any server-side code
3. They automatically create beautiful user interfaces for your entire app
4. They make authentication completely free with no limitations
What specific advantage does Clerk offer over Supabase for login pages?
1. It automatically translates login pages into any language
2. It includes prebuilt UI components that make login pages look professional immediately
3. It works without any internet connection
4. It provides a free database with every account
What does a server component check when rendering a page that contains sensitive data?
1. The screen size of the device
2. Whether the user is authenticated before showing the data
3. The user's keyboard layout
4. The browser's local storage for saved passwords
What type of policy should you create in Supabase to ensure users can only access their own data?
1. A policy that checks if the requesting user's ID matches the owner ID in the row
2. A policy that allows anyone to read all rows
3. A policy that requires an admin password
4. A policy that only works on weekends
What is a 'magic link' in authentication?
1. A link that connects multiple accounts together
2. A backup login method using SMS codes
3. An email containing a one-tap login URL that authenticates the user without a password
4. A link that grants admin access to all users
Why should you let your AI assistant wire up authentication rather than building it manually?
1. Manual authentication is more secure
2. It saves time and lets you focus on features that make your app unique
3. AI cannot help with authentication
4. AI assistants can hack into any website
What feature does Clerk specifically excel at that makes it attractive for professional apps?
1. Its inability to handle email authentication
2. Its requirement that all users verify with a phone number
3. Its ability to integrate social logins like Google and GitHub
4. Its lack of any user interface
What happens if you only check authentication on the client side and not the server?
1. Users could potentially bypass authentication using browser developer tools
2. Nothing changes - client and server checks are equivalent
3. Your database will automatically back up
4. Your app will run faster
What should you ask your AI to enable when setting up Supabase to prevent unauthorized data access?
1. Unlimited storage space
2. A free SSL certificate
3. Row-Level Security (RLS) with policies for user data ownership
4. Automatic database backups

← Back to interactive lesson

Tendril · Creators · AI-Assisted Coding

Adding Auth Without Really Understanding Auth

Login and user accounts used to be a whole engineering project. Supabase and Clerk turn it into a 20-minute prompt. Here is the playbook.

30 min · Reviewed 2026

Auth Used to Be a Project

Pick one: Supabase or Clerk

Tool	Strength	Pick it when
Supabase Auth	Free tier, bundled with a Postgres DB	You also need a database and storage
Clerk	Prebuilt UI, best-in-class UX, social logins	You want the login page to look professional out of the box

Add email magic-link sign-in using Supabase to this Next.js app.

- Install @supabase/supabase-js and create lib/supabase.ts
- Store SUPABASE_URL and SUPABASE_ANON_KEY in .env.local
- Create /login page with an email input and a Send magic link button
- Create /dashboard page that requires a logged-in user — redirect to /login if not
- Add a small header showing the user's email and a Sign out button

Keep the styling consistent with the rest of the app.One scoped prompt, one clean auth system. Tell the agent exactly which pages to protect.

Middleware redirects unauthenticated users to /login (Next.js middleware.ts)
Server components check auth at render time before showing sensitive data
Client components use a hook like useUser() to show loading states
Never trust the client to enforce security — always check on the server

The big idea: auth is a solved problem. Use Supabase or Clerk, let your AI wire it up, and spend your brain cells on the feature that makes your app special instead.

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-vibecoder-supabase-auth

A developer wants to add user accounts to their web app and also needs a database to store user data. Which authentication service would be the better choice according to the comparison in this material?
1. Clerk, because it offers the best prebuilt UI for login pages
2. Auth0, because it has the most extensive enterprise features
3. Firebase Auth, because it integrates best with mobile apps
4. Supabase, because it bundles authentication with a PostgreSQL database
In a Next.js application, what does middleware.ts handle for authentication?
1. It stores session tokens in browser cookies
2. It encrypts user passwords before storing them in the database
3. It generates new user accounts automatically
4. It redirects users who are not logged in to the /login page
By default, are tables in Supabase public or private?
1. Public - anyone can read and write without authentication
2. Hidden - tables exist but cannot be queried
3. Private - only the table owner can access them
4. Encrypted - data is scrambled but accessible with the right key
What does the useUser() hook do in a client component?
1. It checks if a user is logged in and provides their information for UI display
2. It creates new user accounts in the database
3. It automatically logs out inactive users
4. It encrypts user data before sending it to the server
What is described as the #1 security mistake that vibe-coders make with Supabase?
1. Using Clerk instead of Supabase
2. Not installing enough authentication providers
3. Forgetting to enable Row-Level Security on their tables
4. Using too complex passwords for their admin account
When building login from scratch in the past, what were developers NOT required to do?
1. Manage user sessions
2. Build a social login feature
3. Hash passwords before storing them
4. Implement password reset functionality over email
What is the main value proposition of modern auth services like Supabase and Clerk?
1. They turn authentication from a complex engineering project into a quick setup task
2. They eliminate the need for any server-side code
3. They automatically create beautiful user interfaces for your entire app
4. They make authentication completely free with no limitations
What specific advantage does Clerk offer over Supabase for login pages?
1. It automatically translates login pages into any language
2. It includes prebuilt UI components that make login pages look professional immediately
3. It works without any internet connection
4. It provides a free database with every account
What does a server component check when rendering a page that contains sensitive data?
1. The screen size of the device
2. Whether the user is authenticated before showing the data
3. The user's keyboard layout
4. The browser's local storage for saved passwords
What type of policy should you create in Supabase to ensure users can only access their own data?
1. A policy that checks if the requesting user's ID matches the owner ID in the row
2. A policy that allows anyone to read all rows
3. A policy that requires an admin password
4. A policy that only works on weekends
What is a 'magic link' in authentication?
1. A link that connects multiple accounts together
2. A backup login method using SMS codes
3. An email containing a one-tap login URL that authenticates the user without a password
4. A link that grants admin access to all users
Why should you let your AI assistant wire up authentication rather than building it manually?
1. Manual authentication is more secure
2. It saves time and lets you focus on features that make your app unique
3. AI cannot help with authentication
4. AI assistants can hack into any website
What feature does Clerk specifically excel at that makes it attractive for professional apps?
1. Its inability to handle email authentication
2. Its requirement that all users verify with a phone number
3. Its ability to integrate social logins like Google and GitHub
4. Its lack of any user interface
What happens if you only check authentication on the client side and not the server?
1. Users could potentially bypass authentication using browser developer tools
2. Nothing changes - client and server checks are equivalent
3. Your database will automatically back up
4. Your app will run faster
What should you ask your AI to enable when setting up Supabase to prevent unauthorized data access?
1. Unlimited storage space
2. A free SSL certificate
3. Row-Level Security (RLS) with policies for user data ownership
4. Automatic database backups

← Back to interactive lesson