Home-built auth accumulates technical debt faster than almost anything else.
JWT rotation, session management, password reset flows, brute force protection, token revocation: these are solved problems, and the cost of building them from scratch compounds over time. Migrating to Clerk or NextAuth.js eliminates the maintenance burden and adds features (SSO, 2FA, passkeys) that customers will eventually ask for.
Custom-built authentication system with security issues, missing features, or ongoing maintenance burden — and a need to migrate to a proper auth solution
Homegrown auth systems accumulate problems:
- JWT issues: Tokens that never expire, no revocation mechanism (so a stolen token is valid forever), no rotation.
- Password hashing: Using MD5 or SHA-1 instead of bcrypt/argon2. If the database is leaked, all passwords are exposed.
- Session management: Sessions stored in cookies without proper security flags (HttpOnly, Secure, SameSite). Session IDs that are predictable.
- Password reset: Reset tokens that don't expire, that work multiple times, or that leak in URLs (logged in access logs).
- Brute force protection: No account lockout or rate limiting on the login endpoint.
- No 2FA: Enterprise customers will ask for it.
- No SSO: Enterprise customers will require it.
The migration to Clerk:
Clerk is the standard modern auth provider for Next.js applications. Migration involves:
- Create a Clerk application and configure sign-in methods
- Install the Clerk SDK and wrap the app with `ClerkProvider`
- Migrate existing users: Clerk has a user import API; import email + bcrypt-hashed password. Existing users' passwords continue to work; they're rehashed with Clerk's system on next login.
- Replace the auth middleware with Clerk middleware
- Replace `useAuth` references with Clerk's hooks
- Test all auth flows
The migration risk: users who don't log in during the migration window may run into problems once their old session tokens become invalid. Communicate the change and provide a grace period.
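A pre-migration audit of the legacy user table, as an added example that is not the page's or Clerk's own code: it checks which stored hashes are bcrypt (the format the page says the import API accepts) and which are bare MD5/SHA-1 digests. Treating non-bcrypt rows as "force a password reset" and flagging bcrypt cost factors below 10 are this example's own choices; the sample rows and hash values are constructed.

```typescript
// Added example (not from the page or Clerk): classify legacy password hashes
// before the export/import step of the migration.
type HashKind = "bcrypt" | "md5" | "sha1" | "unknown";

interface LegacyUser {
  email: string;
  passwordHash: string;
}

interface MigrationPlan {
  importable: LegacyUser[]; // email + bcrypt hash, ready for the import API
  needsReset: LegacyUser[]; // bare digest: not importable, user must set a new password
  lowCost: string[];        // bcrypt rows whose cost factor is below minCost
}

// bcrypt modular crypt format: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;
const HEX_RE = /^[0-9a-f]+$/i;

function classifyHash(hash: string): HashKind {
  if (BCRYPT_RE.test(hash)) return "bcrypt";
  if (HEX_RE.test(hash)) {
    if (hash.length === 32) return "md5";  // hex-encoded 128-bit digest
    if (hash.length === 40) return "sha1"; // hex-encoded 160-bit digest
  }
  return "unknown";
}

function planMigration(users: LegacyUser[], minCost = 10): MigrationPlan {
  const plan: MigrationPlan = { importable: [], needsReset: [], lowCost: [] };
  for (const u of users) {
    const m = BCRYPT_RE.exec(u.passwordHash);
    if (m) {
      plan.importable.push(u);
      // Low cost factors still import, but are worth raising at the user's next login.
      if (parseInt(m[1], 10) < minCost) plan.lowCost.push(u.email);
    } else {
      plan.needsReset.push(u); // never guess at or re-wrap an unknown scheme
    }
  }
  return plan;
}

// Constructed sample rows; the hash values are illustrative, not from any real system.
const SAMPLE_USERS: LegacyUser[] = [
  { email: "a@example.com", passwordHash: "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW" },
  { email: "b@example.com", passwordHash: "$2a$04$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW" },
  { email: "c@example.com", passwordHash: "5f4dcc3b5aa765d61d8327deb882cf99" },
  { email: "d@example.com", passwordHash: "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" },
];
```

Running `planMigration(SAMPLE_USERS)` on the constructed rows yields two importable users, two that need a reset, and one low-cost warning; the "needs reset" list is the set of users to notify before the grace period starts.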
Auth system migration to Clerk (or NextAuth.js) with all existing users migrated and auth functionality improved
- Clerk setup with the required auth methods
- User data migration (existing users imported to Clerk)
- Middleware replacement (Clerk middleware for route protection)
- Session transition with minimal user disruption
- Auth feature addition (2FA, SSO, social login as needed)
One honest number to start.
Fixed-scope, fixed-price. The number below is the starting point — final scope is built from your brief.
Auth system migration to Clerk (or NextAuth.js) with all existing users migrated and auth functionality improved
Three steps, every time.
The same repeatable engagement on every project. No surprises, no mystery, no billable ambiguity.
- Brief & discovery. We send you questions, then get on a call. Output: a written scope with every step, feature, and integration listed.
- Build & ship. Fixed schedule, weekly reviews. No scope creep unless you change the scope, and if you do, we reprice it transparently.
- Warranty & retainer. 30-day warranty on every launch. Most clients stay on a monthly retainer for ongoing features and maintenance.
Why Fixed-Price Matters Here
Auth migration scope is set by the existing user count and the complexity of the current session implementation, both of which are known after the audit. The price is fixed from the audit.
Questions, answered.
Usually no. Clerk accepts bcrypt-hashed passwords during import. The user logs in with their existing password; Clerk takes over from that point.
NextAuth.js is the open-source alternative. More configuration required; more control. Runs in your own infrastructure. Pick based on the team's appetite for configuration vs managed service.
Tell Ryel about your project.
Describe what you’re building and what outcome you need. You’ll have a written, fixed-price scope within the week.