Auth fixes for AI-built apps

The most common failures

Six auth-category failure modes dominate rescue intakes across Lovable, Bolt, v0, Cursor, Claude Code, Base44, and Replit Agent. Each is a predictable consequence of AI tools optimizing for a localhost demo, not a production domain.

• OAuth redirect URI still on localhost. The AI tool wired Google or GitHub OAuth during scaffolding with http://localhost:3000/auth/callback in the Authorized redirect URIs. The production deploy hits Google, Google rejects the callback with Error 400: redirect_uri_mismatch, the user sees an error page. See Google OAuth redirect_uri_mismatch and OAuth callback URL not working in production.
• Supabase Site URL left on localhost. Google authenticates the user, redirects to localhost:3000 instead of the production domain, and the session never lands. Supabase Dashboard → Authentication → URL Configuration → Site URL must be the production URL before any real sign-in works. See Users can't log in after deploy.
• Signup swallows its own error. Click signup, nothing happens — no network request, no console error. Usually a missing NEXT_PUBLIC_SUPABASE_ANON_KEY in production, a Supabase client initialized with undefined config, or an RLS policy silently blocking the profile insert. See Signup button does nothing.
• Cookie flag mismatch on session. Secure flag set on a non-HTTPS preview URL drops the cookie. SameSite=Strict rejects the set-cookie on an OAuth callback redirect. JWT exp in milliseconds instead of seconds makes every token look expired. See Session expires immediately after login.
• Password reset emails vanish. Supabase default SMTP is shared infrastructure, rate-limited to a handful of emails per hour per project. The founder tests it twice and it works; the first user cohort gets silently dropped. Wire Resend, Postmark, or SendGrid. See Password reset email not sending.
• Tokens stored in localStorage. Not in any single leaf because it is the pattern beneath several — an XSS payload can exfiltrate every active session in one line of JavaScript. Migrate to HttpOnly cookies via Supabase SSR helpers, Clerk middleware, or the Auth.js cookie adapter.

Shared root causes

Auth failures cluster around four root causes. Any rescue starts by ruling each out before re-reading the code.

• Config written for localhost. OAuth redirect URIs, Supabase Site URL, Clerk Production Instance, and NEXT_PUBLIC_SITE_URL were set during scaffolding and never updated on the production deploy.
• Env-var scope drift. NEXT_PUBLIC_SUPABASE_ANON_KEY, NEXTAUTH_SECRET, or CLERK_SECRET_KEY exists in Development but not Production. Every auth call resolves to undefined and errors get swallowed by try/catch blocks the AI tool wrapped around every request.
• Session storage in the wrong place. Tokens in localStorage, sessions without HttpOnly cookies, or a middleware that reads before the set-cookie has returned.
• Concurrency never tested. The generator verified signup once with one user on one tab. Two tabs, two devices, a background session refresh, or an email verification clicked on a different browser — all untested. Race conditions surface at the first ten concurrent users.

Prevention checklist

Merge these before the next auth-related deploy. Each one eliminates a class of silent failure.

1. Set Supabase Dashboard → Authentication → URL Configuration → Site URL to the production URL. Add preview URLs to Additional Redirect URLs.
2. Add every production and preview callback URL to Google Cloud Console → APIs & Services → Credentials → Authorized redirect URIs.
3. Scope NEXTAUTH_SECRET, CLERK_SECRET_KEY, or the Supabase anon/service keys to every Vercel environment that will serve auth.
4. Wire a real SMTP provider (Resend, Postmark, SendGrid) and configure SPF, DKIM, and DMARC on the sending domain.
5. Move session tokens out of localStorage. Use Supabase SSR cookies, Clerk middleware, or the Auth.js cookie adapter exclusively.
6. Set cookies with HttpOnly, Secure, and SameSite=Lax (not Strict for OAuth flows).
7. Write an integration test that signs up a user, verifies the profile row exists, logs out, logs back in, and confirms the session cookie round-trips.
8. Test the password-reset flow end-to-end from a non-developer email account on the production domain before launch.
9. Log the first 8 characters of auth secrets on boot so a misconfigured deploy is visible in function logs within one request.
10. Run the smoke test on two devices in parallel — race conditions only appear under concurrency.