I didn’t realize how regulated phone numbers are. But Twilio made the process pretty easy. Waiting for 24h to get approval to use a random mobile number seemed excessive. There are other providers who claim to be faster and cheaper than Twilio. But I was wary about using a company I hadn’t heard of before. Now that it’s set up, the provider is a non-factor - it has worked as intended.
What other providers were you considering?
I only checked out Plivo and Telnyx. I hadn’t heard of either so went with Twilio.
So if you have an app that needs a login, every time the user wants to use the app, you get charged 5c from Twilio. Do you get charged that every time a person closes the app and then reopens it? Another 5c? Can the device or phone not store that info for future logins?
Yes - they get a unique 6-digit code sent via Twilio to their mobile. The cost is less than 1 cent per message, so the cost is very minimal. If they close the app and want to log in again, they have to go through the process and get a new code (that’s how it is with my app). But you need to configure your login experience based on what you are trying to accomplish.
My app is used by my clients for the execution of price changes. They are unlikely to be coming and going from the app multiple times per day. Once a day is probably average. However the overriding objective in using this type of authentication was to avoid storing any passwords. Since most people reuse the same passwords for multiple sites, I didn’t want to be a source of security vulnerability.
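The SMS-code login described above (a random 6-digit code, a fresh code on every login, no stored passwords), as an added Python example that is not code from the original thread or from Twilio: the server keeps only a keyed hash of each code, expires it, limits wrong guesses and makes it single-use. `OtpStore`, the TTL and the attempt limit are assumptions; sending the SMS itself is left to the provider.

```python
import hmac
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 300      # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5            # assumption: lock the code after five wrong guesses
SERVER_SECRET = b"constructed-demo-secret"  # placeholder; load from a secret store in practice


class OtpStore:
    """Keeps only a keyed hash of each code, never the code itself."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # phone -> (digest, expires_at, attempts_left)

    def _digest(self, phone: str, code: str) -> bytes:
        # Keyed hash binds the code to the phone number, so a leaked table is useless
        return hmac.new(SERVER_SECRET, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, phone: str) -> str:
        # secrets.randbelow gives a uniform value in 0..999999, zero-padded to six digits
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[phone] = (self._digest(phone, code),
                                self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code  # hand this to the SMS sender; the plaintext is not persisted

    def verify(self, phone: str, submitted: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            self._pending.pop(phone, None)  # expired or locked: the user must request a new code
            return False
        if hmac.compare_digest(digest, self._digest(phone, submitted)):
            self._pending.pop(phone, None)  # single use: the same code never verifies twice
            return True
        self._pending[phone] = (digest, expires_at, attempts_left - 1)
        return False
```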
A practice that is getting more and more common.
Thank you for this Ryan!
I was just about to go on a full-on rant about the potential of Replit spamming my clients when I use Replit’s built-in Auth.
I used an old email address to test the Replit authorisation and have now received 3 “spam” emails from Replit. And since they are spacing the spam out by 3 days I’m expecting another shortly.
This is just so not on, I can barely contain myself.
Not only is it not on but in Europe it might even be downright illegal unless there’s a check-box that I missed when registering for access saying you’d be marketed to by an outside company. They take that kind of sharing (stealing?) of information between businesses very very seriously over here.
So, yea. Thank you for the video on Firebase and for confirming that I wasn’t the only person experiencing Replit “not” sending marketing emails to customers of Replit coders using their built-in login functionality.
TFS
I was looking into doing this. I will have to check out the video, because I had the agent build the login system initially and I built upon it, but this would onboard users so much easier. Thanks for the walkthrough, I haven’t had the time to wrap my head around upgrading to Firebase auth.
It’s so much easier now than it was. The LLMs have really improved. I wouldn’t be fearful of hot swapping auth like I was in the past.
The biggest issue will come in the form of FUID and UID translations and session tokens but again, typically a few prompts and you’re good to go.
I haven’t migrated a large user base personally, however, which could be a headache and probably force password resets.
Luckily I only have about 60 active users buying diamonds, so it’s not a big problem. I would like to solve this now because the page is starting to gain traction on Google for long keywords and we are getting more and more traffic weekly, and easier signup would probably help immensely. This is my project this weekend haha.
What’d I tell you? Like clockwork.
Seriously. Not cool Replit.
TFS
Sorry. I will start a new thread about this because it’s just not on…
As per Eric’s video and him mentioning Replit saying they don’t market to our customers.
Despite Replit’s denial they sure do have a funny way of confirming that you’ve had to unsubscribe to something you never signed up for and that they definitely don’t call marketing…
I’ve raised this with the team as well, there is indeed some marketing going on that shouldn’t be. It’s being worked on.
AI Disclosure: I used AI to tighten this reply (you’re welcome).
Out of curiosity has anyone packaged native authentication implementation? Or, in case I’m rambling… Has anyone written (or had AI write) a script for implementing authentication directly?
So, like a reusable package / workflow for integrating authentication providers (Like Google or Apple) without using a centralized provider like Firebase/Auth0/etc which adds another touch point?
I’m talking “bring your own auth,” but still able to plug in common providers if you want them.
I’d be down to collaborate on and help come up with a community produced product where if devs want to bring their own auth systems and bake in the authentication that Firebase provides they could.
This would mean paying each provider the dev. fees though.
Could be worth it in the long run…
Also, side note:
I personally do not like being sent emails about any buildathons, or contests. I’m constantly hit with those…
The only emails from replit I want are:
1.) Matt Palmer’s Monthly Updates
2.) Replit telling me my packages are outdated (on what project(s) and the vulnerability)
3.) Invites to the build lessons/ live build sessions with educational tools and resources and if I wanted community engagement.
Personally, I am actively avoiding the advertising and marketing of projects I use and work on continuously.
Being awarded a 10k or even 1k award is great… Except, how much did it take to build? If tomorrow my app is advertised and (or marketed), and overnight I get so much foot traffic my neighbors think I’m selling dope (J-Cole joke https://www.youtube.com/watch?v=9nfVWiXY3WY) I’d be p’d.
Yes, huge influxes of users are ideal if you are ready and want that much traffic (https://www.youtube.com/watch?v=uZ0KNVU2fV0 , https://littlealeinn.com)
So… this is nerve-wracking lol
I worry about a day where SQL or my database, or apps in general are hit with the foot traffic that lands my credit card shutting up my shop lol
PLEASE NOTE:
This is not to discredit replit or say someone should not take advantage of their audience and marketing teams. If that’s what you want then it is an excellent opportunity to be seen/ spotlighted.
Quick context (so replies can be useful)
If anyone has done this already, what stack did you use?
- OAuth/OIDC directly (self-managed cookies/sessions)?
- A library like Auth.js / NextAuth style approach?
- A self-hosted identity system like Ory Kratos/Hydra style?
And if someone has a clean boilerplate repo they like, I’d love to see it.
AI Disclosure: I used AI to tighten this reply (you’re welcome).
Edit: @theflowershopre please do make a separate post!
This means being stuck advertising and having a middleware layer where Replit acts as the middleman though, and isn’t a long-term sustainable method if you need full ownership and mobility of the auth layer, no?
Have you used the Replit native? I’d be worried about customers or users getting emails from Replit that only ever used my products… Big tech and these issues lol
and can afford to eat those costs…
I also have to push back on this. More and more are moving away from these centralized providers or are actively seeking new setups…
Or, those building are doing so aware that vendor locking is a PITA
I have to imagine that there is a better method, and that other large companies or enterprises have their own form of legalese that protects and defines the working relationship/ product confinements.
They probably spin up their own internally created tooling to go on top or with.
Relying on these and Replit’s native integration cannot be the best method in 2026…
