FJRG2007 ツ for Dymo (TPEOficial)

🚫 Why We Removed NextAuth from Our SaaS

Some time ago, we were struck by a real-world case: a Kick (Twitch alternative) user got hacked, and the attacker started streaming from their account.

The issue? Kick was using JWTs stored on the client side to manage sessions, so they couldn't invalidate a single compromised session without rotating the signing secret, which would have logged out everyone. All of this was done to avoid database queries.

That situation taught us a powerful lesson:
👉 Optimizing for fewer DB calls should never come at the cost of security.

We decided to build our own authentication system inspired by NextAuth, but entirely based on database-backed sessions.
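What database-backed sessions buy you, as an added example (not Dymo's code, and not NextAuth's): each login gets an opaque session id whose secret is stored hashed, and a single session, or every session of one account, can be revoked without rotating any shared secret or touching other users. The in-memory Map and the row shape are assumptions standing in for a real sessions table.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Added example: a database-backed session store with per-session revocation.
// A Map stands in for the sessions table; the row shape is an assumption.
interface SessionRow {
  tokenHash: string;        // only sha256(secret) is persisted
  userId: string;
  expiresAt: number;
  revokedAt: number | null;
}
const sha256 = (s: string) => createHash("sha256").update(s).digest("hex");

export class SessionStore {
  private rows = new Map<string, SessionRow>(); // keyed by session id
  constructor(private ttlMs: number, private now: () => number = Date.now) {}

  // Issue a session. The cookie value is "<id>.<secret>"; the server keeps
  // only a hash of the secret, so a leaked table does not yield live logins.
  create(userId: string): { sessionId: string; token: string } {
    const sessionId = randomBytes(16).toString("hex");
    const secret = randomBytes(32).toString("base64url");
    this.rows.set(sessionId, { tokenHash: sha256(secret), userId,
      expiresAt: this.now() + this.ttlMs, revokedAt: null });
    return { sessionId, token: `${sessionId}.${secret}` };
  }

  // One DB lookup per request; null if unknown, expired, revoked or wrong secret.
  validate(token: string): string | null {
    const dot = token.indexOf(".");
    if (dot < 0) return null;
    const row = this.rows.get(token.slice(0, dot));
    if (!row || row.revokedAt !== null || row.expiresAt <= this.now()) return null;
    const expected = Buffer.from(row.tokenHash);
    const given = Buffer.from(sha256(token.slice(dot + 1)));
    return timingSafeEqual(expected, given) ? row.userId : null;
  }

  // Kill exactly one session (e.g. the hijacked one); other devices stay in.
  revoke(sessionId: string): boolean {
    const row = this.rows.get(sessionId);
    if (!row || row.revokedAt !== null) return false;
    row.revokedAt = this.now();
    return true;
  }

  // "Sign out everywhere" for one account, without touching any other user.
  revokeAllForUser(userId: string): number {
    let n = 0;
    this.rows.forEach((row, id) => { if (row.userId === userId && this.revoke(id)) n++; });
    return n;
  }
}
```

The cost is the one row lookup per request that the post accepts; in exchange the `revokedAt` column is the kill switch a stateless JWT cannot offer.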

As far as we know, there's no public implementation with this level of control yet.

Since then, we've continued to improve our security stack even further.

💬 Would you be interested in a deep dive into how we built it?
