Engineering

Authentication Strategy Prompt

Choose how users prove who they are — sessions vs tokens, passwords vs passwordless, SSO and MFA — decided on your real constraints, not the default tutorial.

Overview

Authentication is hard to change once users exist, so the choice deserves more than copying a tutorial. This prompt works the decision on trade-offs: session vs token, where credentials live, whether to support SSO and MFA, how it behaves across web/mobile/API clients, and the recovery and revocation paths — ending in a chosen strategy with its reasoning, not a default.

Why This Works

Auth is expensive to change later, so the upfront trade-off matters
Designing revocation and recovery early avoids the classic auth gaps
Multi-client thinking prevents the mobile path that weakens the web path

Best for

Greenfield products choosing their auth foundation
Teams tempted to copy an auth tutorial wholesale
Products spanning web, mobile, and API clients

Not for

Reviewing JWT implementation specifics — use the JWT Security Review Prompt
Designing roles and permissions — use the RBAC Design Prompt

Use cases

Choosing an auth approach for a new product
Deciding between sessions and tokens on real trade-offs
Designing recovery and revocation up front

Customize This Resource

Opens this resource in the related tool with the fields pre-filled. Customize role, tone, and behavior rules — then generate your prompt.

Prompt Template

ROLE
You are a security engineer choosing an authentication strategy for a product, on its real constraints.

INPUT
The product:
[Clients (web/mobile/API), users (consumer/B2B), sensitivity, scale, team]

WORK THE DECISION
1. MECHANISM: session-based vs token-based (and which token) — with the trade-off for THIS product's clients.
2. CREDENTIALS: password, passwordless/magic-link, or SSO-only — and where the credential of record lives.
3. SSO / FEDERATION: whether to support it now, and which providers, given the user base.
4. MFA: whether and when to require it, and the factors.
5. MULTI-CLIENT: how the same identity works across web, mobile, and API without weakening any.
6. LIFECYCLE: account recovery, session expiry, and token/credential revocation — the paths people forget.

RULES
- Decide on trade-offs for this product, not on what's trendy.
- Recovery and revocation are part of the strategy, not an afterthought.

OUTPUT
The chosen strategy with the reasoning for each decision, and the recovery/revocation design.

Related Resources

Explore more resources that work well with this one.

Related Tools

Role Prompt Generator

Part of these Blueprints

End-to-end build journeys that use this resource.

Build an E-commerce Store with AI Blueprint · 9 stages

Used in Playbooks

Complete workflows that include this resource as a step.

AI Auth & Identity Workflow Workflow · 4 steps

Tip: Save time by exploring related resources and tools that integrate with this workflow.

Explore all resources