Building Authentication with Claude Code: What to Review Carefully

Claude can build auth flows. The output needs more review than most code. Here's what to check and what to never skip.

Authentication is the one area where I review Claude's output more carefully than everything else combined. Not because Claude doesn't understand auth — it does — but because auth bugs are silent until they're catastrophic, and the "it looks right" feeling is exactly what makes them dangerous.

What Claude handles well

Standard JWT flows, session management patterns, OAuth integration scaffolding, bcrypt password hashing, CSRF token generation. These are well-documented patterns and Claude has seen enough examples to get them right in most cases.

If you're building a standard email/password login with JWT tokens, Claude can produce a working implementation. I've shipped Claude-generated auth code in production. The key word is "reviewed."

The checklist I always run

Token expiry is set and enforced. Claude sometimes generates JWT code that creates tokens but doesn't enforce expiry on verification. Check that the verify call actually validates the exp claim.

Passwords are hashed, never stored plain. Obvious, but worth confirming explicitly in the code. Also check that comparisons of hashes, tokens and secrets use a timing-safe compare, not ===.

Error messages don't leak information. "User not found" vs "Incorrect password" tells an attacker which accounts exist. Both should return the same generic message.

Token secrets are from environment variables. Not hardcoded defaults. Not empty strings as fallbacks. If the env var is missing, the app should fail to start, not use an insecure fallback.

Refresh token rotation is actually rotating. If you're using refresh tokens, confirm that each use issues a new refresh token and invalidates the old one. Claude sometimes generates refresh token code that reuses the same token indefinitely.

Rate limiting is on the auth endpoints. Claude often doesn't add rate limiting unless you ask. Always ask for rate limiting on login, registration, and password reset endpoints.

The specific prompt additions that help

When asking Claude to build auth, I add these to every prompt:

That last one is good for any security-sensitive code. Claude will often add a comment block with the considerations it would raise in review. It surfaces things it knows but didn't include by default.

What to use a library for instead

Session management complexity, OAuth provider integration, multi-factor auth flows — use a battle-tested library. NextAuth, Auth.js, Passport. Claude can wire these up correctly. It shouldn't be writing the underlying crypto or session logic from scratch.

The principle: Claude for the application-layer auth logic (who can access what, when sessions are valid), libraries for the cryptographic primitives and protocol implementations.