Install: `claude install-skill MartinOlivero/saas-builder`
# Auth
This skill makes the two decisions every SaaS gets wrong: **which auth provider** and **how to model permissions**. It picks a vetted provider over hand-rolled auth, and a permission model that fits the product.
Analogy: auth is the lock and the guest list for your building. You don't forge your own lock (you'd leave it pickable) — you buy a good one and decide who gets which key.
## The one rule
**Don't roll your own auth.** Password hashing, session rotation, OAuth flows, and reset tokens are where subtle, catastrophic bugs live. Use a provider or a battle-tested library. (Pairs with the `secure-coding` skill, which covers the OWASP auth-failure defenses.)
## Discovery (max 3 questions, only if unknown)
1. Is this B2C (individual users) or B2B (organizations/teams with members)?
2. Do you need enterprise SSO (SAML/OIDC) for buyers — now or soon?
3. What's the stack/backend — Supabase, plain Vercel + Postgres, or full-stack TypeScript?
## Step 1 — Pick the provider (decision tree)
| Situation | Use | Why |
| --- | --- | --- |
| Building **with an agent** / on **InsForge** | **InsForge Auth** | Agentic-native — the agent wires auth + RLS through its own skills/MCP; every query scopes to the user in SQL. |
| Already on **Supabase** | **Supabase Auth** | Free, RLS-native — every query scopes to the user in SQL. Most-proven ecosystem. |
| Want the best React DX / drop-in components, not tied to a backend | **Clerk** | Best components, orgs/teams built in. ~$0.02/M