Step 1 of 9
Set the auth architecture and choose the real persistence layer
Force the AI builder to define and implement a real authentication approach before generating UI.
If your app already uses a stack like Supabase, Firebase Auth, Auth0, Clerk, NextAuth, or a custom backend, tell the builder to use that existing stack instead of inventing a fake one.
Inspect this codebase and implement a real authentication foundation using the existing stack where possible. I need email/password signup, login, logout, session persistence across refresh, protected dashboard routes, duplicate email handling, password reset, loading states, error states, and mobile responsive UI. Do not build placeholder forms. Use a real auth provider or real backend persistence, define where user state lives, define how session restoration works on app load, and wire the routing strategy for protected pages.
Expected after this step
The app has a real auth strategy selected and wired into the project, with a clear user/session state source and route protection plan.
Should not happen
- ✕Creating signup and login forms that do not connect to a real auth provider or backend
- ✕Pretending session persistence exists while user state resets on refresh
- ✕Allowing direct access to protected routes by URL when logged out
- ✕Handling duplicate email or invalid credentials only in console logs instead of showing UI errors
Verify before continuing
Do not move on until every check is true. The complete button stays locked until then.
Do not continue if…
- !Creating signup and login forms that do not connect to a real auth provider or backend
- !Pretending session persistence exists while user state resets on refresh
- !Allowing direct access to protected routes by URL when logged out
- !Handling duplicate email or invalid credentials only in console logs instead of showing UI errors
- !Storing tokens or passwords insecurely or exposing sensitive auth logic in the client
- !Adding a reset password screen that is not connected to a real reset mechanism
If the AI messes this up
Use this when the AI fakes progress or breaks the feature. It forces a real fix.
You built forms without proving real auth integration. Replace any mock auth logic with a real provider or backend implementation for signup, login, logout, session restore, password reset, and protected routes. Show exactly where the real session comes from and remove all fake success redirects.