What is authentication?

Corbin Brown
2 min read
Part of the Vibe Coding Fundamentals video series on YouTube.
Authentication is your app answering one question: who is this? Every login screen, every “Sign in with Google” button, every “check your email for a magic link” — all of it is the same job. It sounds simple. It is famously the feature where simple-sounding goes to die, which is why it deserves five minutes of your attention before you prompt an agent to build it.
The wristband analogy
Think of a venue with a doorman. You show ID once (that's logging in), and the doorman puts a wristband on you (that's a session — in practice a token stored by your browser). For the rest of the night, staff check the wristband, not your ID. When the wristband expires, you're back to the doorman. Every authentication system — passwords, Google sign-in, magic links — is a different kind of ID check that ends in the same wristband.
One more term, because agents use it constantly: authorization is what you're allowed to do once you're inside — a regular ticket versus a backstage pass. Authentication is the door; authorization is the rooms.
The rule: don't hand-roll it
Here's the vibe coding trap. Ask an agent to “add login” with no other guidance and it may write a from-scratch password system — storing passwords, comparing them, minting its own tokens. It'll work in the demo. It'll also quietly skip the twenty things production auth needs (rate limiting, password hashing done right, reset flows, session revocation), and you won't know what's missing because you didn't know to ask.
The professional move — the one actual engineers make — is to use a maintained auth service or library and let it carry that weight. The prompt is one sentence:
Add authentication using an established provider (Clerk, Auth.js,
or Supabase Auth — pick what fits this stack). Do not build
password storage or session logic from scratch.FAQ
Is “Sign in with Google” safer than passwords?
For your app, usually yes — Google carries the password risk and you never store one. The trade-off is that your users need a Google account and you depend on a third party for your front door. Many apps offer both.
How do I know if my vibe-coded auth is safe?
Ask your agent directly: “Is any part of our authentication hand-rolled? List what a maintained provider would handle that we currently don't.” If the answer includes password storage or token minting written from scratch, migrate to a provider before launch.
The 60-second version
In a hurry? What is Authentication? — the whole idea, as a Short.