zach.codes

From $3K/Month to $0: Why We Ditched Auth0 and Built Our Own Authentication

Finally had an excuse to do it: kill our Auth0 subscription ✅

Zach Silveira
Sep 03, 2025

There's a secret that so many providers don’t want you to know.

You really can roll your own auth, and that doesn't have to mean not following standards or being opened up to new vulnerabilities.

At my current job, this was a discussion we had about a year ago. Originally there was a choice to use email logins and pay for a service called Magic Link.

It ended up costing too much, and the team decided to move it to Auth0.

At that point, we entered a period of trying to cut costs. One of my first suggestions was, "Let's cut Auth0 and do it in-house."

This wasn’t a new decision for me. I've always felt like you shouldn't have to pay for auth. There are standard ways to do this without paying per user or per login.

Auth0 just uses SendGrid for emails

I tried to make this point clear, that Auth0 just uses SendGrid, and we can still use SendGrid ourselves. Auth0 isn't doing anything special to ensure magic email link delivery.

They’re just generating a time-based one-time code that gets emailed to the recipient; this type of hash logic can be done easily in any language.

At the time, better-auth did not exist. If I were doing this today, I would much rather use their library, as it supports so many integrations out of the box with a simple abstraction.

Instead, we implemented an OTP very similarly to this library, if you’re interested in doing this yourself.
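One way to implement the emailed one-time code described above, in Node.js (an added example, not the author's implementation or the linked library's code). It draws the code from a CSPRNG and enforces the time limit with a stored expiry rather than deriving the code from the clock. The names `createOtpService`, `issue` and `verify`, the 10-minute lifetime, the five-guess limit and the in-memory store are assumptions.

```javascript
// Added example: emailed one-time login codes. Not the author's or Auth0's code.
const crypto = require("node:crypto");

const TTL_MS = 10 * 60 * 1000; // assumed 10-minute lifetime
const MAX_ATTEMPTS = 5;        // assumed guess budget per issued code

// Hypothetical in-memory store; a real deployment would use a database or cache.
function createOtpService(serverSecret, store = new Map()) {
  // Keyed hash, so a leaked store does not reveal usable codes.
  const digest = (email, code) =>
    crypto.createHmac("sha256", serverSecret).update(`${email}\n${code}`).digest();

  function issue(email, now = Date.now()) {
    const key = email.trim().toLowerCase();
    // CSPRNG, uniformly distributed 6-digit code (000000-999999).
    const code = String(crypto.randomInt(0, 1_000_000)).padStart(6, "0");
    // Overwriting any earlier entry invalidates a previously emailed code.
    store.set(key, { hash: digest(key, code), expires: now + TTL_MS, attempts: 0 });
    return code; // hand this to the mail provider; never log it
  }

  function verify(email, code, now = Date.now()) {
    const key = email.trim().toLowerCase();
    const entry = store.get(key);
    if (!entry) return false;
    if (now > entry.expires || entry.attempts >= MAX_ATTEMPTS) {
      store.delete(key); // expired or guess budget spent: burn the code
      return false;
    }
    entry.attempts += 1;
    // Constant-time comparison of two fixed-length digests.
    const ok = crypto.timingSafeEqual(entry.hash, digest(key, String(code)));
    if (ok) store.delete(key); // single use
    return ok;
  }

  return { issue, verify };
}
```

The attempt counter matters as much as the hash: a 6-digit code has only a million possible values, so without a guess limit and expiry it can be brute-forced.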

How long did it take us

It didn't take more than a week to fully replace Auth0. That's a testament to the way we're using it in the first place. We don't need a lot of their features. We're just using Auth0 to take an email and send a link, click the link, and now be logged in, and also for social logins: one-click Google, Microsoft, and other OAuth login flows.

It kind of boggles my mind that people would pay per login for these features, especially with social logins that require registering OAuth clients manually either way you do it.

In the next section, I'll dive into a few things we specifically used to replace it, and also comment on some of the common gotchas people constantly bring up trying to say you shouldn’t do this.

And just remember, we've been doing this for an entire year, saving the company nearly $30,000, and it's been working perfectly.

© 2025 Zach Silveira