Auth is a trap. Not because it's technically hard — it isn't, anymore — but because it feels like a decision that matters, so teams debate it. Meanwhile the clock is running.
Here's the framework I use: pick based on what your project actually needs in the next 24 hours, not what it might need in six months.
The Three Hackathon Auth Scenarios
Scenario A: You need users, but users aren't the point
Your project is about the feature — a CV analyzer, a route optimizer, a damage estimator. Users need to log in to save their work, but the auth itself isn't a selling point.
Use: Supabase Auth with Google OAuth.
Setup time: ~20 minutes. You get sessions, user records, and row-level security for free. Add @supabase/ssr, set your Google OAuth credentials, copy the callback route. You're done.
npm install @supabase/ssr @supabase/supabase-jsScenario B: You need email/password with your own UX
Maybe your judges are going to judge the login screen. Maybe your brand requires it. Maybe you just want full control.
Use: Supabase Auth with email/password + a custom form.
You write the form, Supabase handles the rest. Still no JWT implementation, no password hashing logic on your end.
Scenario C: You don't actually need auth
This one gets ignored too often. If your hackathon project is a data visualization, a generative tool, a calculator, or anything that doesn't need to persist user-specific state — skip auth entirely.
It sounds obvious. But I've seen teams spend two hours building a login flow for a project that didn't need one. Your demo doesn't need a user account. The judges aren't going to create accounts. Ship without it.
The 10-Minute Decision Tree
- Does your project need to save user-specific data across sessions? → Yes: go auth. No: skip it.
- Do you have more than 20 minutes to spend on auth? → Yes: Supabase. No: skip it.
- Is the .edu email check a feature you want to show? → Yes: Supabase, it auto-detects .edu.
The Supabase Setup Cheatsheet
1. Create project at supabase.com
2. Enable Google provider: Supabase dashboard → Authentication → Providers → Google → Enable → paste Google Cloud credentials
3. Install and configure:
// src/lib/supabase/client.ts
import { createBrowserClient } from "@supabase/ssr"
export const createClient = () => createBrowserClient( process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY! )
4. Add the callback route at /auth/callback — Supabase's docs have a one-page version you can copy verbatim.
5. Add middleware to refresh sessions on every request.
Total time with a reference implementation: 15–20 minutes. That's the budget. If it's taking longer, you're overthinking it.
The Common Mistakes
Mistake 1: Building auth before the core feature. Always prove the core idea works first — even with a hardcoded user — then add auth.
Mistake 2: Custom JWT implementation. Never. Not in 24 hours. Not ever in a hackathon context.
Mistake 3: Spending time on "forgot password." Judges don't lose their password in the demo. Cut it.
Mistake 4: Not testing the OAuth redirect on production. The Google OAuth client ID needs your production domain as an authorized redirect URI. Add both localhost and your Vercel URL before you deploy.
Auth is a commodity now. The goal is to pick a solution and move. The component library on Codefest.ai has direct links to the reference implementations for each approach — setup time estimates included.
Don't let auth be the reason your project doesn't exist.