Skip to content
Flows
0/9 steps0%

Step 1 of 9

Set the auth architecture and choose the real persistence layer

Force the AI builder to define and implement a real authentication approach before generating UI.

💡

If your app already uses a stack like Supabase, Firebase Auth, Auth0, Clerk, NextAuth, or a custom backend, tell the builder to use that existing stack instead of inventing a fake one.

Prompt capsule

Inspect this codebase and implement a real authentication foundation using the existing stack where possible. I need email/password signup, login, logout, session persistence across refresh, protected dashboard routes, duplicate email handling, password reset, loading states, error states, and mobile responsive UI. Do not build placeholder forms. Use a real auth provider or real backend persistence, define where user state lives, define how session restoration works on app load, and wire the routing strategy for protected pages.

Paste into Claude · Complete implementation prompt with explicit requirements

Expected after this step

The app has a real auth strategy selected and wired into the project, with a clear user/session state source and route protection plan.

Should not happen

  • Creating signup and login forms that do not connect to a real auth provider or backend
  • Pretending session persistence exists while user state resets on refresh
  • Allowing direct access to protected routes by URL when logged out
  • Handling duplicate email or invalid credentials only in console logs instead of showing UI errors

Verify before continuing

Do not move on until every check is true. The complete button stays locked until then.

Do not continue if…

  • !Creating signup and login forms that do not connect to a real auth provider or backend
  • !Pretending session persistence exists while user state resets on refresh
  • !Allowing direct access to protected routes by URL when logged out
  • !Handling duplicate email or invalid credentials only in console logs instead of showing UI errors
  • !Storing tokens or passwords insecurely or exposing sensitive auth logic in the client
  • !Adding a reset password screen that is not connected to a real reset mechanism

If the AI messes this up

Use this when the AI fakes progress or breaks the feature. It forces a real fix.

You built forms without proving real auth integration. Replace any mock auth logic with a real provider or backend implementation for signup, login, logout, session restore, password reset, and protected routes. Show exactly where the real session comes from and remove all fake success redirects.

Your notes for this step