TL;DR: Firebase Auth is faster to ship but costs more at scale and locks you into Google’s ecosystem. Auth.js (formerly NextAuth.js) gives you full control, runs on your own infrastructure, and costs less — but requires more setup. Pick Firebase if you need auth live in days. Pick Auth.js if you’re building for scale or want to avoid vendor lock-in.
Last updated: March 2026 · John Calloway
I spent a weekend migrating a side project from Firebase Auth to Auth.js last month. Not because Firebase Auth was broken — it works great for what it does. But I hit the moment every developer hits: I needed more control, and Firebase’s pricing was starting to sting at scale.
Here’s the thing that surprised me: Auth.js isn’t objectively “better.” But it’s a radically different approach to the same problem. Firebase Auth is a managed service. Auth.js is a toolkit you deploy yourself. One is Netflix, the other is AWS.
Let me walk you through the actual tradeoffs so you can stop second-guessing yourself.
Firebase Auth: The Fast Track
Firebase Authentication isn’t flashy. It just works. Google handles the infrastructure, the security updates, the compliance gymnastics. You call a library, get OAuth working in 30 minutes, and ship.
What Firebase does well:
Firebase Auth integrates with Google Cloud (obviously) and handles email/password, phone auth, OAuth providers (Google, GitHub, Apple, Facebook, Twitter), and anonymous auth out of the box. The SDK is solid, the docs are readable, and you don’t manage a database — Firebase stores your user data.
I’ve shipped three projects on Firebase Auth. The experience is consistently smooth until it isn’t.
The real cost breakdown:
Firebase pricing looks cheap upfront — $0 until you hit 50,000 MAU (monthly active users). But here’s where it gets spicy: after 50K, you’re paying $0.005-$0.015 per user. For a 500K MAU app, you’re looking at $2,500-$7,500/month just for auth. Before you even count Firestore, Functions, or hosting.
Compare that to Auth.js: you control the infrastructure cost. A single $5/month VPS handles auth for a million users.
Firebase Auth comparison in context:
| Feature | Firebase Auth | Cost at 100K MAU |
|---|---|---|
| Setup time | 30 mins | $500-1500/mo |
| OAuth providers | Built-in (6+) | ✅ |
| Custom logic | Limited | ⚠️ Limited hooks |
| Database | Google manages | Included |
| Vendor lock-in | High | 🔒 Yes |
Auth.js: The Developer’s Gambit
Auth.js (renamed from NextAuth.js in 2024) takes a completely different stance: auth should be open source and owned by you.
Instead of Firebase’s “we handle everything” model, Auth.js says “here’s a battle-tested library, wire it up however you want.” You choose your database (Postgres, MongoDB, any ORM), you host it on your infra, you control the logic.
The setup is longer — you’re writing more configuration code. But the payoff is real: you own your authentication layer.
Real example: I set up Auth.js with Drizzle ORM and Vercel for my latest project. Total time: 2 hours (including reading docs). Cost: $0 (free tier) up to millions of requests.
What Auth.js gives you:
- Multiple databases: Postgres, MySQL, MongoDB, Prisma-compatible anything
- Custom providers: Add your own OAuth flows, SAML, or proprietary auth in hours
- No per-user pricing: You pay for compute, not per auth request
- Session control: JWT, database sessions, or hybrid — your call
- Callbacks everywhere: Modify user objects, handle special cases, enforce team permissions
- Open source: If something’s broken, you can patch it locally
Here’s the callback that sold me on Auth.js. Want to auto-create a user in your database when they sign in via GitHub? One callback:
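```javascript
// Fragment of the Auth.js configuration object (providers omitted).
const authConfig = {
  callbacks: {
    // Runs when the JWT is created or updated; `account` is only set at sign-in.
    async jwt({ token, account, user }) {
      if (account) {
        // Keep the provider's access token inside the JWT.
        token.accessToken = account.access_token;
      }
      return token;
    },
    // Whatever this returns is what the client receives as the session.
    async session({ session, token }) {
      session.accessToken = token.accessToken;
      return session;
    },
    // Return true to allow the sign-in, false to reject it.
    async signIn({ user, account }) {
      // Custom logic: check if user is on whitelist, provision resources, etc.
      return true;
    },
  },
};
```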
Firebase Auth doesn’t give you hooks like that. You have to use Cloud Functions as a workaround.
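The `signIn` hook above is only a placeholder comment. As an added example (not code from the original post or from the Auth.js project), here is one way to fill it in as a deny-by-default allowlist. It assumes a Google provider, whose profile carries `email_verified`; `ALLOWED_DOMAINS`, `TRUSTED_PROVIDERS`, `emailDomain` and `isAllowedSignIn` are hypothetical names, and `example.com` is a constructed value.

```javascript
// Added example: deny-by-default policy for an Auth.js signIn callback.
// All names below are hypothetical; the domain is a constructed sample value.
const ALLOWED_DOMAINS = new Set(["example.com"]);
// Providers whose profile includes a trustworthy email_verified claim.
const TRUSTED_PROVIDERS = new Set(["google"]);

function emailDomain(email) {
  if (typeof email !== "string") return null;
  // Use the last "@" so "a@example.com@evil.test" resolves to evil.test.
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

function isAllowedSignIn({ account, profile }) {
  // Unknown or missing provider: reject.
  if (!account || !TRUSTED_PROVIDERS.has(account.provider)) return false;
  // Only trust an address the provider states it has verified.
  if (!profile || profile.email_verified !== true) return false;
  const domain = emailDomain(profile.email);
  // Exact match on the domain; a suffix test would accept "evil-example.com".
  return domain !== null && ALLOWED_DOMAINS.has(domain);
}

const callbacks = {
  // Auth.js rejects the sign-in when this callback returns false.
  async signIn(params) {
    return isAllowedSignIn(params);
  },
};
```

The policy lives in a plain synchronous function so it can be unit-tested without starting an Auth.js server.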
Speed to Ship: Firebase Crushes Auth.js
Let’s be honest: if you need auth working today, Firebase Auth wins by a mile.
Firebase gives you a drop-in library, OAuth working in minutes, and zero infrastructure decisions. You’re not managing a database, not writing session handlers, not debugging deployment issues.
Auth.js requires more decisions: Which database? Where do you host this? Do you want JWT or database sessions? Each question adds 15 minutes.
Real timeline comparison:
| Milestone | Firebase Auth | Auth.js |
|---|---|---|
| OAuth set up | 10 mins | 45 mins |
| Deploy | 20 mins | 90 mins (DB setup, env vars) |
| First user sign-in | 35 mins | 140 mins |
| Custom logic (e.g., role-based access) | Cloud Functions | Callbacks |
Firebase Auth wins here. Full stop.
Scaling and Cost: Auth.js Dominates
Where the math flips is scale.
A bootstrapped SaaS with 200K users paying $0.01 per user to Firebase Auth? That’s $2,000/month just for auth. Before your actual product costs.
The same 200K users on Auth.js hosted on a $20/month Render container or your own Postgres? Still $20/month. Maybe $50 if you’re paranoid about load.
The vendor lock-in tax:
Firebase Auth is cheaper until it isn’t. Once you’re over 100K MAU, the per-user pricing starts strangling margins. And extracting your users from Firebase is a nightmare — you have to export them, hash the passwords (Firebase doesn’t expose them), and migrate to a new system.
Auth.js user data is always yours. Export it, migrate it, no questions asked.
Deployment and Infrastructure
Firebase Auth: Nothing to deploy. It lives in Google Cloud. You call it from your frontend and backend. No servers, no database to manage, no infrastructure decisions.
Auth.js: You host it. This means more infrastructure burden, but more flexibility. You can deploy to Vercel (edge middleware), AWS Lambda, Render, Railway, or a VPS. You wire it to your database. You control the uptime.
If you’re running your app on Vercel (which most Next.js devs are), Auth.js is a natural fit — it’s literally built for this. Firebase Auth requires a Google Cloud account and different mental models.
My take: For a solo developer on Vercel, Auth.js is less friction than Firebase, not more. Firebase makes you dance with Google Cloud IAM and service accounts.
OAuth Providers and Flexibility
Firebase Auth has solid provider support: Google, Apple, Facebook, GitHub, Twitter, Microsoft, Yahoo. Enough for most projects.
Auth.js has the same built-in providers plus a thriving ecosystem of community providers (Discord, Slack, Notion, etc.). And you can wire up any custom OAuth flow in minutes.
If you need a niche provider (like a custom OAuth server your enterprise client built), Firebase Auth forces you to use a workaround. Auth.js lets you write a provider in hours.
- ✅ Firebase Auth wins on standard providers
- ✅ Auth.js wins on custom/emerging providers
Security Considerations
Both are secure. Firebase Auth handles compliance, PCI-DSS, and regular security audits. Auth.js is open source, which means the community audits it constantly. Different models, both trustworthy.
One caveat: if you’re storing sensitive data in Firebase, you’re subject to Google’s data residency policies. Some enterprises require data to stay in-region. Auth.js on your own infrastructure gives you that control.
When to Pick Firebase Auth
- ✅ You’re shipping an MVP in days — Firebase Auth is the fastest path from zero to authenticated users
- ✅ You’re building for a non-technical audience — Firebase’s console is intuitive; Auth.js requires code comfort
- ✅ Your user base is <50K MAU — pricing is negligible, simplicity wins
- ✅ You love Google products — Firebase plays nice with Firestore, Functions, Cloud Run
- ✅ You don’t want to manage infrastructure — Firebase handles everything
When to Pick Auth.js
- ✅ You’re scaling beyond 100K users — Auth.js costs 90% less per user
- ✅ You need custom auth logic — roles, permissions, team invites, granular control
- ✅ You want to avoid vendor lock-in — Auth.js users are always exportable
- ✅ You’re on Vercel/Next.js — Auth.js is built for this stack
- ✅ You need specific OAuth flows or SAML — Auth.js is infinitely flexible
- ✅ Your enterprise client demands on-prem options — Auth.js can live anywhere
The Migration Question
Here’s what keeps developers up at night: “What if I pick wrong and need to switch later?”
Firebase → Auth.js is painful but doable. You export users, migrate passwords (Firebase hashes them, you can’t read the originals, so users reset on first login), set up a new database, and redeploy. Takes a weekend for a medium-sized app.
Auth.js → Firebase is easier because you control your data. Export users, import into Firebase, done. No password reset required.
The asymmetry matters. If you’re uncertain, Auth.js is the safer bet — you keep your options open.
Bottom Line
If you’re deciding right now:
Pick Firebase Auth if you’re a solo dev, shipping fast, and have <50K users. You’ll ship in hours and never think about auth again.
Pick Auth.js if you’re building a real product, expect growth, or want to own your stack. You’ll spend more time in setup, but you’ll save thousands in hosting costs and have infinite flexibility.
The honest truth: This isn’t about which technology is objectively better. It’s about your constraints. Firebase Auth is an Uber for auth — you pay a premium for someone else’s infrastructure. Auth.js is driving your own car — more responsibility, but you keep the keys.
Most developers should probably use Auth.js in 2026, honestly. The setup tax is smaller than it used to be, the ecosystem is mature, and locking yourself into Firebase’s pricing model is increasingly risky.
But if you’re an indie hacker with one weekend to ship? Firebase Auth. No contest.
Resources
- Auth.js Documentation — The source of truth. Their “Getting Started” guide has you running in 30 minutes, and the callback examples are gold.
- Firebase Authentication Guide — If you’re going the Firebase route, this is comprehensive and well-maintained.
- Designing Data-Intensive Applications — Not auth-specific, but if you’re building systems at scale and wondering about user data architecture, this book shapes how you think about the problem.