Full control over authentication without building session management from scratch.
Lucia auth for Next.js applications that need email/password authentication, OAuth, and session management under full control — without the dependency on Clerk or Auth.js. We implement Lucia for applications with custom auth requirements.
For applications that need custom authentication: white-labeled auth, multi-tenant session management, or auth requirements that hosted services like Clerk can't accommodate.
Authentication services like Clerk or Supabase Auth are the right choice for most applications — they handle email/password, OAuth, MFA, session management, and security maintenance without custom implementation. Use them.
The cases where custom authentication is the right call:
White-label requirements. Hosted auth services run on their own domains and show their branding on auth UI. Applications that need fully white-labeled auth — the login page is entirely on the customer's domain with no third-party branding or cookies — need self-hosted auth.
Custom data model requirements. Auth services store user data in their systems. If user records need to be tightly coupled with other data in the application's database (complex organization membership models, custom session metadata, user state that drives application logic), managing sessions directly gives more flexibility.
Self-hosted compliance requirements. Some regulated industries require that authentication and session data not be stored with third-party vendors. On-premise or single-tenant deployments need self-hosted auth.
Cost at scale. Clerk and Auth.js pricing is per-MAU at scale. At high user volumes, self-hosted auth can be significantly cheaper.
Lucia is not a full auth framework — it's a session management library. It handles session creation, validation, and invalidation. You build the auth flows (email/password, OAuth) on top of it.
Lucia auth implementation with session management, email/password auth, OAuth providers, and the database adapters that integrate with the application's data model
Session management
Session creation on login. Session validation middleware. Session invalidation on logout. Sliding expiry.
Email/password auth
Password hashing via Argon2id. Email verification flow. Password reset with single-use tokens.
OAuth providers
GitHub, Google, or other OAuth 2.0 providers via Arctic (Lucia's companion OAuth library). State parameter CSRF protection.
Database adapters
Drizzle ORM or Prisma adapters for session storage. Sessions table in the application's Postgres database.
Middleware
Session validation on every protected request. User context available in Server Components.
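The session lifecycle described above (creation on login, validation with sliding expiry, invalidation on logout), as an added illustration that is not Lucia's own code or API: the in-memory `Map` stands in for the Postgres sessions table, the cookie value is a random token, and only its SHA-256 hash is stored as the session id; the 30-day lifetime and 15-day renewal window are constructed values.

```typescript
// Added example modelling the session lifecycle the page describes.
// Not Lucia's API: a minimal, self-contained version of the same pattern.
import { createHash, randomBytes } from "node:crypto";

interface Session { id: string; userId: string; expiresAt: number; }

const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000;  // assumed 30-day lifetime
const RENEW_WINDOW_MS = 15 * 24 * 60 * 60 * 1000; // extend when under 15 days remain

// Constructed in-memory store standing in for the application's sessions table.
const sessions = new Map<string, Session>();

// The browser holds the raw token; the database holds only its hash, so a
// leaked sessions table does not yield cookies that can be replayed.
function sessionIdFromToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

// Called on successful login: returns the cookie value and the stored row.
function createSession(userId: string, now = Date.now()): { token: string; session: Session } {
  const token = randomBytes(20).toString("base64url");
  const session: Session = { id: sessionIdFromToken(token), userId, expiresAt: now + SESSION_TTL_MS };
  sessions.set(session.id, session);
  return { token, session };
}

// Middleware path: null for unknown or expired tokens (expired rows are purged),
// otherwise the session, with its expiry pushed forward when it is close to ending.
function validateSession(token: string, now = Date.now()): Session | null {
  const id = sessionIdFromToken(token);
  const session = sessions.get(id);
  if (!session) return null;
  if (now >= session.expiresAt) {
    sessions.delete(id);
    return null;
  }
  if (session.expiresAt - now < RENEW_WINDOW_MS) {
    session.expiresAt = now + SESSION_TTL_MS; // sliding expiry
  }
  return session;
}

// Logout: drop this one session.
function invalidateSession(token: string): void {
  sessions.delete(sessionIdFromToken(token));
}

// Password reset or compromise response: drop every session for the user.
function invalidateUserSessions(userId: string): void {
  for (const [id, s] of sessions) if (s.userId === userId) sessions.delete(id);
}
```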
One honest number to start.
Fixed-scope, fixed-price. The number below is the starting point — final scope is built from your brief.
Three steps, every time.
The same repeatable engagement on every project. No surprises, no mystery, no billable ambiguity.
Brief & discovery.
We send you questions, then get on a call. Output: a written scope with every step, feature, and integration listed.
Build & ship.
Fixed schedule, weekly reviews. No scope creep unless you change the scope — and if you do, we reprice it transparently.
Warranty & retainer.
30-day warranty on every launch. Most clients stay on a monthly retainer for ongoing features and maintenance.
Why Fixed-Price Matters Here
Auth implementation scope is defined by the provider requirements and the session model. Fixed price.
Questions, answered.
Default to Clerk. It handles the security maintenance, provides a well-tested implementation, and saves significant development time. Switch to Lucia when: white-label requirements prevent using Clerk's hosted UI, the data model requires tight coupling, or compliance requires self-hosted sessions.
Auth is included in every application build. If custom auth implementation (vs. Clerk) adds significant scope, it's priced into the fixed-price proposal.
Lucia handles session management correctly (timing-safe comparison, CSRF protection via the double-submit cookie pattern). Password hashing, email enumeration prevention, and rate limiting on auth endpoints must be implemented alongside Lucia.
Tell Ryel about your project.
Describe what you’re building and what outcome you need. You’ll have a written, fixed-price scope within the week.