The Stack That Owns You

4 min read Original article ↗

Level09

Press enter or click to view image in full size

Last week I stared at my side project’s architecture diagram. Fourteen boxes. Twelve were third-party services.

Auth0 for login. Supabase for database. Vercel for hosting. Resend for email. Clerk for user management. Stripe for payments. Cloudflare for CDN. Algolia for search. PlanetScale for something I apparently forgot I needed because Supabase was already doing it.

My full-stack app looked more like a collection of hostage notes written in API keys.

When Did Building Apps Turn Into Wiring SaaS Together?

Modern dev advice basically says:

Need auth? Don’t build it, that’s illegal now. Use Auth0. Or Clerk. Or Firebase. Or Supabase Auth. Or the latest YC startup promising passwords, but better.

Need a database? Don’t run Postgres yourself, that’s for people who own screwdrivers. Use Neon. Or Turso. Or PlanetScale. Or Supabase again, because their marketing team is everywhere.

Email? Jobs? Feature flags? Analytics?

There are at least a dozen SaaS companies ready to auto-bill you for each problem you didn’t actually have.

Somewhere along the way, shipping fast turned into outsourcing my entire architecture to strangers.

The Part Nobody Mentions at the Conference Talk

Vendor lock-in.
Try migrating 50k users off Clerk. Their password hashes, OAuth tokens, MFA seeds — all in Clerk’s format, Clerk’s database, Clerk’s please contact enterprise sales for export.

Pricing cliffs.
The free tier is a warm hug. The paid tier is a second mortgage.

Outages you can’t fix.
Auth0 goes down, your job is to refresh their status page and pretend you have any control over the situation.

Compliance roulette.
Your user data lives somewhere in the cloud. Which cloud? Which country? Is that GDPR compliant? Your vendor says yes. Cool, cool, totally reassuring.

More failure points than a Jenga tower in an earthquake.
Every service is a network call that can timeout, an API that can change, a company that can pivot, get acquired, or just ghost you.

The Blind Spot We All Share

We optimized for deployment speed and accidentally traded away control.

Focus on your product, not infrastructure sounds wise until you realize infrastructure IS your product. When Clerk goes down, your app goes down. When Supabase has a bad day, so do you. When that hot new database startup gets acqui-hired by Google, your roadmap becomes toilet paper.

I’ve watched teams spend three days debugging someone else’s SDK. They could have written the feature themselves in an afternoon.

What Self-Hosting Actually Looks Like (It’s Not 2008 Anymore)

Self-hosting in 2024 doesn’t mean racking servers in your garage.

It means:

  • A $5–20/month VPS you actually control
  • Postgres running next to your app, not three network hops away
  • Auth living in your codebase, not someone’s dashboard
  • Email sent via SMTP like a normal person
  • Files on disk or S3 (the one dependency that makes sense)

More work upfront? A little.

Less 3 AM panic when a service you don’t control decides to have an incident? Absolutely.

Auth: Where This Hurts the Most

Auth SaaS products are seductive. Pretty login widget. Slick dashboard. Magic links!

But also:

  • Your users’ credentials stored in someone else’s kingdom
  • Custom flows limited to whatever their API bothered to expose
  • WebAuthn and advanced MFA locked behind enterprise tier
  • One acquisition away from we’re sunsetting this feature

Meanwhile, libraries like Flask-Security-Too have been doing this for over a decade. WebAuthn, TOTP, OAuth, password recovery, role-based access, session management. All yours. Running on your server. Storing data in your database.

No monthly invoice. No contact sales. No praying their uptime holds.

The Quiet Rebellion

There’s a growing number of devs going back to basics:

  • One server
  • One database
  • Auth that lives in the app
  • Cron jobs instead of serverless scheduled functions
  • SMTP instead of email delivery infrastructure

Not nostalgia. Just math.

This boring setup often ends up faster, cheaper, and more reliable than the twelve-dashboard circus.

Before You Add Another Integration

Ask yourself:

  1. What if this service vanishes tomorrow? How screwed are you?
  2. What’s the real cost at scale? Not the free tier. The you have 10k users now tier.
  3. Does my framework already do this? Half the time, yes.
  4. Where does the data actually live? And do you trust that?
  5. Is this a real problem or a marketing-induced one? You need observability vs you need console.log and a coffee.

Own Your Stack

The best architecture is the one you understand completely.

Every external box is a piece of your system you’re renting instead of owning. Sometimes the rent is fair. Sometimes it’s a scam with a good landing page.

Next time someone says self-hosting is reinventing the wheel, ask them how many wheels they’re currently renting.

Then count the invoices. Count the integrations. Count the times you’ve refreshed a status page hoping someone else would fix your problem.

If the total looks like a horror movie budget, maybe it’s time to own a few wheels.

I maintain Enferno, an open-source Flask framework with self-hosted auth built in. Yes, I’m biased. No, I don’t charge you monthly for it.