Lucia vs Supabase Auth for Solo Developers
Comparing Lucia and Supabase Auth for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.
Quick Comparison
| Feature | Lucia | Supabase Auth |
|---|---|---|
| Type | Open-source auth library (self-hosted) | Auth built into Supabase platform |
| Status (2026) | v3 deprecated, now a learning resource | Actively maintained SaaS service |
| Latest version | lucia 3.2.2 (Oct 2024, last release) | supabase-js 2.106.2 (May 2026) |
| Pricing | Free and open source | Free (50,000 MAU) then $25/mo Pro (100,000 MAU) |
| GitHub stars | 10,466 | 103,136 (monorepo), 2,444 (auth server) |
| npm weekly downloads | ~204K | ~19.9M (supabase-js client) |
| Learning Curve | Moderate-High | Easy |
| Best For | Learning auth internals, fully custom flows | Full-stack apps using Supabase as backend |
| Solo Dev Rating | 7/10 | 9/10 |
Lucia Overview
Lucia is an open-source authentication library that provides session management, cookie handling, and token generation without prescribing how your auth should work. You install it, connect a database adapter, and build your authentication flows using Lucia's functions. Everything else, the forms, the OAuth integration, the middleware, is your responsibility.
The design is deliberate. Lucia handles the security-critical parts (session tokens, secure cookies, CSRF protection) and lets you control the rest. Your database schema, your user model, your business logic. No vendor lock-in, no dashboard, no external API calls during authentication.
I built auth with Lucia in a project where sessions needed to carry custom data and expire based on business rules no managed service would support. Lucia let me define exactly what a session contained and when it expired. That flexibility was the whole point.
One thing you need to know before you reach for it today. The maintainer deprecated Lucia v3. The repository README now reads "Lucia v3 will be deprecated by March 2025. Lucia is now a learning resource on implementing auth from scratch." The reasoning was that the database-adapter model was too rigid for a low-level library, so instead of shipping a package you install, Lucia became documentation that teaches you to build the same session logic directly in your codebase. The npm package still exists at version 3.2.2 (its last release was October 2024) and still pulls roughly 204,000 weekly downloads, so plenty of running apps depend on it, but you should treat it as frozen rather than evolving. The companion libraries the same author maintains, Oslo for crypto primitives and Arctic for OAuth, are still developed. Everything below about Lucia's design and trade-offs still holds; just go in knowing you are adopting a pattern, not a maintained dependency.
Supabase Auth Overview
Supabase Auth is the authentication system built into the Supabase platform. It supports email/password, magic links, phone auth, and social OAuth providers. The defining feature is its integration with PostgreSQL Row Level Security, where RLS policies reference auth.uid() to control data access at the database level.
The free tier offers 50,000 MAU. Users are stored in your PostgreSQL database in the auth schema. The JavaScript client handles session management automatically. Social providers are toggled in the dashboard and configured with OAuth credentials.
I use Supabase Auth in a project where the entire backend is Supabase. The auth-to-database pipeline is seamless: user logs in, RLS policies enforce access, queries return only the right data. I never wrote authorization middleware because the database handles it.
Key Differences
Setup time. Supabase Auth takes 15-20 minutes. Enable providers in the dashboard, initialize the client, call signInWithOAuth() or signUp(). Lucia takes a few hours because you're building the registration form, login handler, session middleware, and password hashing yourself. If speed to working auth matters, Supabase wins by a wide margin.
Database integration. Supabase Auth integrates with Row Level Security at the PostgreSQL level. RLS policies like auth.uid() = user_id enforce access control without application code. Lucia stores sessions in whatever database you configure, but your application code handles authorization. Supabase's approach eliminates a whole category of authorization bugs. Lucia's approach gives you more flexibility but more responsibility.
Data ownership. Both solutions store user data in your database. With Supabase, it's in the auth schema of your Supabase PostgreSQL instance (exportable). With Lucia, it's in whatever database you choose with whatever schema you design. Both give you real data ownership, but Lucia gives you complete schema control.
Cost. Both are free for most solo developers. Lucia has no usage limits. Supabase Auth is free up to 50,000 MAU on the free tier. At that scale, neither costs anything. Beyond it, you move to Supabase Pro at $25/month, which includes 100,000 MAU, and then pay $0.00325 per additional MAU. Lucia stays free at any scale, with the catch that you maintain the now-deprecated code yourself. See the worked numbers below for what this means at 150,000 users.
Social login. Supabase Auth makes social login easy: toggle the provider, add OAuth credentials, call signInWithOAuth(). Lucia requires you to implement OAuth flows yourself, typically using a library like Arctic. The OAuth dance (redirect, callback, token exchange) is more code and more testing. Supabase abstracts this away.
Flexibility. Lucia gives you complete control over session behavior, token contents, and auth flows. You can implement auth patterns that Supabase Auth doesn't support: custom session metadata, non-standard expiry logic, hybrid auth schemes. Supabase Auth is flexible within its boundaries but has boundaries.
By the Numbers (2026)
Numbers checked on 2026-05-28. They tell a clear story about where each tool sits today.
Lucia
- Latest release: lucia 3.2.2, published 20 October 2024. No releases since, consistent with the deprecation.
- Status: v3 deprecated, repositioned as a learning resource. The GitHub repo is public and not archived, last pushed 13 July 2025.
- GitHub stars: 10,466 on lucia-auth/lucia.
- npm weekly downloads: 203,729 for the week of 21 to 27 May 2026. Still heavily used despite being frozen.
- Pricing: free, MIT-style open source, no usage limits, no account.
- OAuth: not built in. The recommended path is the Arctic library from the same author.
Supabase Auth
- Latest client: @supabase/supabase-js 2.106.2, published 25 May 2026. Actively shipping.
- npm weekly downloads: 19,918,901 for the @supabase/supabase-js client, week of 21 to 27 May 2026. Roughly 98 times Lucia's volume.
- GitHub stars: 103,136 on the supabase/supabase monorepo, and 2,444 on supabase/auth, the standalone Go auth server (formerly GoTrue) that powers the service.
- Pricing tiers: Free at $0, Pro at $25/month, Team at $599/month.
- Auth quotas: 50,000 monthly active users (MAU) included on Free, 100,000 MAU included on Pro and Team, then $0.00325 per additional MAU. An MAU is a distinct user who logs in or refreshes a token during the billing cycle.
- Free-tier caveat: projects pause after one week of inactivity, so the free plan is fine for prototypes but awkward for a low-traffic production app.
Real Cost at Solo-Dev Scale
The two tools sit on opposite ends of the cost model, so it helps to run a concrete workload rather than wave at "both are free for most people."
Assume a solo-dev SaaS that grows over its first two years. Here is what auth actually costs under the published 2026 rates.
Scenario A, side project: 2,000 MAU. Lucia costs $0, you only pay for whatever database and host you already run. Supabase Auth costs $0 too, you are well inside the 50,000-MAU free tier. The one asterisk is the free-tier inactivity pause; if your side project goes quiet for a week, the Supabase project sleeps until you wake it. Verdict: a tie on price, slight edge to Lucia if you cannot tolerate a paused backend.
Scenario B, real product: 40,000 MAU. Lucia is still $0 in licensing. Supabase is also still $0 for auth specifically, since 40,000 is under the 50,000 free quota, though most products at this size move to Pro at $25/month for the always-on database, daily backups, and email-volume headroom rather than for auth. So call it $0 to $25/month on Supabase depending on whether you stay on Free. Verdict: near tie, Supabase's $25 is buying infrastructure, not the auth itself.
Scenario C, growing product: 150,000 MAU. Lucia is $0 in licensing. Supabase Pro at $25/month includes the first 100,000 MAU, then bills the extra 50,000 at $0.00325 each, which is 50,000 times $0.00325, or $162.50. Total Supabase auth-related cost: $25 base plus $162.50 overage, about $187.50/month, and that is before storage, bandwidth, and database compute. Verdict: this is the first scenario where the gap is real money. Lucia's "$0 forever" starts to matter, but only if you are also willing to own and maintain the deprecated session code yourself.
The pattern: at side-project and early-product scale the price difference is noise, and Supabase's speed-to-auth wins. The Lucia cost advantage only becomes meaningful past roughly 100,000 MAU, and you pay for it in engineering time maintaining frozen code. For a solo developer, the honest math is that Supabase Auth is cheaper than it looks until you are large enough to have revenue that easily covers it.
When to Choose Lucia
- You need custom session or token behavior that managed services can't support
- You want to use a database that isn't PostgreSQL (MongoDB, MySQL, etc.)
- Complete control over your auth schema and logic is a priority
- You're building something where auth needs to work differently than standard patterns
- Zero external dependencies for authentication is important
When to Choose Supabase Auth
- You're using Supabase as your backend (this is the obvious choice)
- Row Level Security integration for database-level access control appeals to you
- Speed of setup matters and you want auth working in 20 minutes
- You want social login without implementing OAuth flows manually
- The 50,000 MAU free tier aligns with your budget
The Verdict
For solo developers using Supabase, the choice is clear: use Supabase Auth. The RLS integration is genuinely powerful and eliminates authorization bugs by design. You'll have auth working quickly and it integrates perfectly with the rest of your stack. Choosing Lucia when you're on Supabase would mean giving up one of the platform's best features.
For solo developers NOT using Supabase who need custom auth behavior, Lucia is a solid library. It handles the hard security parts and lets you build exactly the auth system you need. But be honest about whether your requirements are actually custom or if you're over-engineering. Most apps need standard login, signup, and social auth, which Supabase Auth handles with much less code.
My recommendation: if Supabase is your backend, use Supabase Auth without thinking twice. If you're on a different backend and genuinely need custom auth logic, Lucia is excellent as a pattern, just remember it is now a learning resource rather than a maintained package, so you are committing to owning that session code. If you just need standard auth on a different backend, there are managed solutions (Clerk, AuthJS, Better Auth) that will be faster than building with Lucia.
Sources
All figures checked on 2026-05-28.
- Lucia repository and deprecation notice: https://github.com/lucia-auth/lucia
- Lucia deprecation announcement discussion: https://github.com/lucia-auth/lucia/discussions/1707
- Lucia v3 documentation: https://v3.lucia-auth.com/
- Lucia npm package (version 3.2.2, last published Oct 2024): https://registry.npmjs.org/lucia
- Lucia npm weekly downloads (203,729): https://api.npmjs.org/downloads/point/last-week/lucia
- Arctic OAuth library (Lucia's recommended OAuth path): https://github.com/pilcrowonpaper/arctic
- Supabase pricing (Free $0, Pro $25, Team $599, MAU quotas and $0.00325 overage): https://supabase.com/pricing
- Supabase MAU counting and quotas: https://supabase.com/docs/guides/platform/manage-your-usage/monthly-active-users
- Supabase auth server (formerly GoTrue) repository: https://github.com/supabase/auth
- @supabase/supabase-js npm package (version 2.106.2): https://registry.npmjs.org/@supabase/supabase-js
- @supabase/supabase-js npm weekly downloads (19,918,901): https://api.npmjs.org/downloads/point/last-week/@supabase/supabase-js
Like this? You'll like what I'm building too.
Two ways to support and get more of this work.
HEARTH
A privacy-first Life OS for your desktop. Journal, tasks, and notes that stay on your machine. Coming soon, direct download from this site.
Read moreMY TOOLKITS
Receipts-first toolkits for shipping after hours, building Claude agents, publishing on Amazon, and more. The exact methods I used, not theory.
Browse on WhopRelated Articles
Angular vs HTMX for Solo Developers
Comparing Angular and HTMX for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.
Angular vs Qwik for Solo Developers
Comparing Angular and Qwik for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.
Angular vs SolidJS for Solo Developers
Comparing Angular and SolidJS for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.