<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Samuel Recio</title>
    <description>The latest articles on DEV Community by Samuel Recio (@samuelrecio).</description>
    <link>https://dev.to/samuelrecio</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3901041%2F3b0b0216-20bc-4138-88f0-e969b1f90dfa.png</url>
      <title>DEV Community: Samuel Recio</title>
      <link>https://dev.to/samuelrecio</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/samuelrecio"/>
    <language>en</language>
    <item>
      <title>Firebase lock-in is a ticking time bomb. Here is the architectural escape hatch.</title>
      <dc:creator>Samuel Recio</dc:creator>
      <pubDate>Mon, 27 Apr 2026 20:42:35 +0000</pubDate>
      <link>https://dev.to/samuelrecio/firebase-lock-in-is-a-ticking-time-bomb-here-is-the-architectural-escape-hatch-19k4</link>
      <guid>https://dev.to/samuelrecio/firebase-lock-in-is-a-ticking-time-bomb-here-is-the-architectural-escape-hatch-19k4</guid>
      <description>&lt;p&gt;Firebase is the ultimate honey trap. It gives you incredible speed on day one, and makes it incredibly painful to leave on day one thousand.&lt;/p&gt;

&lt;p&gt;If you build on Firebase, Google owns your authentication state, your database query structure (Firestore), and your serverless compute. The moment your startup needs a relational SQL query, or the moment Google changes its pricing, you are facing a 6-month complete rewrite.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Illusion of Speed:&lt;/strong&gt; Why BaaS products incentivize tightly coupled, proprietary code.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Pain of Migration:&lt;/strong&gt; Why moving auth state and un-tangling NoSQL data models destroys engineering teams.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Escape Hatch:&lt;/strong&gt; You don't need a different BaaS. You need to adopt the Trust Layer Standard. By separating your identity provider from your database and your logic, you become immune to lock-in.&lt;/p&gt;

&lt;p&gt;With &lt;strong&gt;&lt;em&gt;Pubflow’s&lt;/em&gt;&lt;/strong&gt; architecture, your authentication (Flowless) is decentralized. Your data model? Yours. Need to switch from Firebase to PostgreSQL? Or to LibSQL? Pubflow's standard lets you do that in a few clicks: you can bring your own database or use their cloud databases.&lt;/p&gt;

&lt;p&gt;Startups should own their infrastructure from day one without sacrificing development speed. Adopt the Trust Layer Standard, pick your database, and keep your freedom. Check the migration guides and starter kits at pubflow.com.&lt;/p&gt;

</description>
      <category>firebase</category>
      <category>architecture</category>
      <category>database</category>
      <category>backend</category>
    </item>
    <item>
      <title>Vibe Coding is dangerous without a Trust Layer: The Missing Piece of AI</title>
      <dc:creator>Samuel Recio</dc:creator>
      <pubDate>Mon, 27 Apr 2026 20:39:32 +0000</pubDate>
      <link>https://dev.to/samuelrecio/vibe-coding-is-dangerous-without-a-trust-layer-the-missing-piece-of-ai-1ffn</link>
      <guid>https://dev.to/samuelrecio/vibe-coding-is-dangerous-without-a-trust-layer-the-missing-piece-of-ai-1ffn</guid>
      <description>&lt;p&gt;AI coding tools are superpowers. Using Cursor, Copilot, or Claude, an average developer can spin up a fully-featured UI and complex business logic in an afternoon. It’s called "vibe coding"—staying in the flow while the AI does the heavy lifting.&lt;/p&gt;

&lt;p&gt;But there is a massive, silent crisis happening right now: AI cannot architect trust.&lt;/p&gt;

&lt;p&gt;Every day, developers are shipping AI-generated applications to production that handle sessions insecurely, fail to revoke access correctly, and expose sensitive validation tokens to the client. AI is building the car fast, but forgetting the locks on the doors.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Blind Spot of LLMs:&lt;/strong&gt; AI understands code formatting, but struggles with distributed state, session revocation, and multi-tier security validation.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Disaster Scenario:&lt;/strong&gt; What happens when an AI generates your JWT middleware but forgets to validate the signing algorithm? (Hint: Instant API takeover).&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The Solution&lt;/em&gt; - A Trust Layer: Instead of asking AI to prompt-engineer secure auth, you decouple it entirely.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Pubflow&lt;/strong&gt; is the missing infrastructure for the AI era. It acts as the &lt;em&gt;"Trust Layer Standard"&lt;/em&gt;. You let the AI generate your frontend and business logic (Flowfull), while Pubflow’s managed trust layer (Flowless) handles the cryptographic assurance in the background. No exposed tokens. Instant revocation. &amp;lt;1ms validation.&lt;/p&gt;

&lt;p&gt;AI shouldn't write your session security. Architecture should handle it. If you're building apps at the speed of thought, put them on a foundation that won't crumble. Grab the free tier and secure your AI-generated app in minutes.&lt;/p&gt;


&lt;p&gt;&lt;a href="pubflow.com/vibe-coding" rel="noopener noreferrer"&gt;pubflow.com/vibe-coding&lt;/a&gt;&lt;/p&gt;


</description>
      <category>ai</category>
      <category>programming</category>
      <category>productivity</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Why I stopped rebuilding auth from scratch and built a universal trust layer instead</title>
      <dc:creator>Samuel Recio</dc:creator>
      <pubDate>Mon, 27 Apr 2026 20:28:35 +0000</pubDate>
      <link>https://dev.to/samuelrecio/why-i-stopped-rebuilding-auth-from-scratch-and-built-a-universal-trust-layer-instead-2fok</link>
      <guid>https://dev.to/samuelrecio/why-i-stopped-rebuilding-auth-from-scratch-and-built-a-universal-trust-layer-instead-2fok</guid>
      <description>&lt;p&gt;I’ll admit it: I used to take pride in building bespoke authentication systems. Every new SaaS or client project meant spinning up a new database, writing JWT middleware, handling password resets, OAuth callbacks, and rate limiting. It felt like "real engineering."&lt;/p&gt;

&lt;p&gt;Until I realized I was wasting 2-3 months of runway on plumbing before writing a single line of business logic.&lt;/p&gt;

&lt;p&gt;Worse? The alternatives didn't solve the core architectural problem. Auth0 priced me out at scale. Firebase locked my entire database into Google's ecosystem. Supabase held me hostage to PostgreSQL. And everyone still relied on exposing JWTs to the client browser, opening the door to XSS session theft.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Architecture Trap:&lt;/strong&gt; How mixing authorization, authentication, and business logic creates monolithic technical debt.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The JWT Illusion:&lt;/strong&gt; Why client-side JWTs are a ticking time bomb (delayed revocation, algorithm confusion, XSS exposure).&lt;/p&gt;

&lt;p&gt;Docker didn't sell containers; it defined a standard. REST defined APIs. Application backends needed a standard for trust.&lt;/p&gt;

&lt;p&gt;Introducing The Trust Layer Standard: We don't need highly-coupled auth products. We need a stateless architecture where the client only holds a meaningless session_id, and all trust verification happens entirely in the backend through cryptographically verified Trust Tokens.&lt;/p&gt;

&lt;p&gt;The Freedom Architecture: With a Trust Layer, your backend is just business logic. You can use any language (Node, Python, Go) and switch from PostgreSQL to LibSQL by changing one environment variable (we support most databases, even BYOD), with zero lock-in.&lt;/p&gt;

&lt;p&gt;Stop paying the recurring tax of rebuilding infrastructure. Stop locking your apps into closed ecosystems. You can build under our Trust Layer in 5 minutes at pubflow.com, clone a starter repo, and own your code forever.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>security</category>
      <category>architecture</category>
      <category>saas</category>
    </item>
  </channel>
</rss>
