
Production Launch Checklist

Hardening AuthCore for production comes down to configuration, monitoring, and drills. Work through the sections below before pushing your new authentication stack live.

Environment variables

Keep secrets outside git and prefer per-environment overrides (.env.production, CI variables, or secret managers). Double-check the following values in staging before promotion.

.env.production
  • Use a distinct NEXTAUTH_SECRET in every environment and rotate it whenever you clone a database between environments, so tokens signed for one environment are never accepted by another. Rotating it signs out every JWT-backed session, so schedule the change.
  • Use provider-specific SMTP API keys (SendGrid, Postmark, Resend) instead of personal passwords; a key can be scoped to sending and revoked on its own.
  • Point DATABASE_URL to a managed MySQL/Postgres instance with automated backups enabled and TLS required on the connection.
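A startup check for the values above, as an added example rather than code from AuthCore: it fails fast if the secret is short, a placeholder, or reused from another environment (the rotation rule), if NEXTAUTH_URL is not https, or if DATABASE_URL is not a managed MySQL/Postgres instance. NEXTAUTH_SECRET, NEXTAUTH_URL and DATABASE_URL follow NextAuth naming; the thresholds, the placeholder list and the sample env objects are assumptions constructed for this example.

```javascript
// Added example (not AuthCore's own code): fail-fast validation of the
// production env values discussed above, meant to run before NextAuth is
// configured. Thresholds and placeholder list are assumptions.

const PLACEHOLDER_SECRETS = new Set(["changeme", "secret", "development", "test", "password"]);
const LOCAL_HOSTS = new Set(["", "localhost", "127.0.0.1", "::1"]);
const MANAGED_DB_SCHEMES = new Set(["mysql:", "postgres:", "postgresql:"]);

// `otherEnvSecrets` holds the NEXTAUTH_SECRET values of your other environments,
// so a secret that travelled along with a cloned database is caught.
function checkProductionEnv(env, otherEnvSecrets = []) {
  const problems = [];

  const secret = env.NEXTAUTH_SECRET ?? "";
  if (secret.length < 32) problems.push("NEXTAUTH_SECRET: shorter than 32 characters");
  if (PLACEHOLDER_SECRETS.has(secret.toLowerCase())) problems.push("NEXTAUTH_SECRET: placeholder value");
  if (otherEnvSecrets.includes(secret)) problems.push("NEXTAUTH_SECRET: reused from another environment; rotate it");

  let site = null;
  try { site = new URL(env.NEXTAUTH_URL ?? ""); } catch { /* reported below */ }
  if (!site) problems.push("NEXTAUTH_URL: missing or not a URL");
  else if (site.protocol !== "https:") problems.push("NEXTAUTH_URL: must use https");

  let db = null;
  try { db = new URL(env.DATABASE_URL ?? ""); } catch { /* reported below */ }
  if (!db) {
    problems.push("DATABASE_URL: missing or not a URL");
  } else {
    if (!MANAGED_DB_SCHEMES.has(db.protocol)) problems.push(`DATABASE_URL: unexpected scheme ${db.protocol}`);
    if (LOCAL_HOSTS.has(db.hostname)) problems.push("DATABASE_URL: points at a local database, not a managed instance");
    if (db.password === "") problems.push("DATABASE_URL: connection string has no password");
  }

  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs: a typical developer .env and a production-shaped one.
const SAMPLE_DEV_ENV = {
  NEXTAUTH_SECRET: "changeme",
  NEXTAUTH_URL: "http://localhost:3000",
  DATABASE_URL: "file:./dev.db",
};
const SAMPLE_PROD_ENV = {
  NEXTAUTH_SECRET: "f3a9c1d2e4b6f8a0c2d4e6f8a1b3c5d7e9f1a3b5",
  NEXTAUTH_URL: "https://app.example.com",
  DATABASE_URL: "postgresql://authcore:s3cr3t-pw@db.internal.example.com:5432/authcore",
};
```

Call `checkProductionEnv(process.env, [stagingSecret])` from the server entry point and refuse to boot when `ok` is false; the `problems` list is safe to print because it never echoes the values themselves.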

Authentication flows

Generate production OAuth credentials (Google, Microsoft, GitHub) and wire them into NextAuth if you plan to support SSO. Test password reset and email verification with your real SMTP provider.

Drill: run through login, invitation, and organization switching flows with a non-admin account. Confirm role-based redirects behave as expected.

Security posture

Enable account lockout, disposable email blocking, and user enumeration protection. Tighten password policy to match your compliance requirements.
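The three controls just named, written out as framework-independent functions you could call from a credentials `authorize()` callback. This is an added example, not AuthCore's code: the policy shape `{enabled, maxAttempts, windowMs, lockMs}`, the disposable-domain list, the `"h:" + password` stand-in for a real hash verifier and the sample user store are all assumptions constructed for the demo.

```javascript
// Added example, not AuthCore's code: account lockout, disposable-email
// blocking and enumeration-safe login responses. Policy shape, domain list
// and the password "hash" are assumptions for this demo.

const DISPOSABLE_DOMAINS = new Set(["mailinator.com", "guerrillamail.com"]); // constructed sample list

function isDisposableEmail(email, domains = DISPOSABLE_DOMAINS) {
  const at = email.lastIndexOf("@");
  if (at < 0) return false;
  const host = email.slice(at + 1).toLowerCase();
  // Block the listed domain and any subdomain of it.
  for (const d of domains) if (host === d || host.endsWith("." + d)) return true;
  return false;
}

class LockoutGuard {
  constructor(policy = {}) {
    this.policy = { enabled: true, maxAttempts: 5, windowMs: 15 * 60_000, lockMs: 15 * 60_000, ...policy };
    this.state = new Map(); // normalized identifier -> { failures: timestamps[], lockedUntil }
  }
  key(id) { return id.trim().toLowerCase(); }
  isLocked(id, now) {
    if (!this.policy.enabled) return false;
    const s = this.state.get(this.key(id));
    return s !== undefined && s.lockedUntil > now;
  }
  recordFailure(id, now) {
    const k = this.key(id);
    const s = this.state.get(k) ?? { failures: [], lockedUntil: 0 };
    s.failures = s.failures.filter((t) => now - t < this.policy.windowMs); // sliding window
    s.failures.push(now);
    if (this.policy.enabled && s.failures.length >= this.policy.maxAttempts) {
      s.lockedUntil = now + this.policy.lockMs;
      s.failures = [];
    }
    this.state.set(k, s);
  }
  recordSuccess(id) { this.state.delete(this.key(id)); }
}

// One client-facing message for "no such user", "wrong password" and "locked",
// so the login form cannot be used to enumerate accounts; the precise reason
// only goes to the log record.
const GENERIC_FAILURE = "Invalid email or password.";

function attemptLogin({ guard, findUser, verifyPassword, dummyHash }, email, password, now) {
  const user = findUser(email);
  // Run the password check even when the user does not exist (against a dummy
  // hash) so response time does not reveal whether the account is real.
  const passwordOk = verifyPassword(user ? user.passwordHash : dummyHash, password);

  let reason;
  if (guard.isLocked(email, now)) reason = "locked";
  else if (!user) reason = "no_user";
  else if (!passwordOk) reason = "bad_password";
  else reason = "ok";

  if (reason === "ok") guard.recordSuccess(email);
  else if (reason !== "locked") guard.recordFailure(email, now); // unknown identifiers are counted too

  return {
    client: reason === "ok" ? { ok: true, message: "Signed in." } : { ok: false, message: GENERIC_FAILURE },
    log: { ok: reason === "ok", reason, email },
  };
}

// Constructed sample store; passwords are "hashed" as "h:" + password purely for this demo.
const SAMPLE_USERS = new Map([["alice@example.com", { id: "u1", passwordHash: "h:correct-horse" }]]);
const demoDeps = {
  guard: new LockoutGuard({ maxAttempts: 3, lockMs: 60_000 }),
  findUser: (email) => SAMPLE_USERS.get(email.trim().toLowerCase()),
  verifyPassword: (hash, pw) => hash === "h:" + pw, // stand-in for bcrypt/argon2 verify
  dummyHash: "h:" + "x".repeat(32),
};
```

In production the guard state lives in the database or a shared cache rather than a `Map`, `verifyPassword` is a real constant-time hash comparison, and `log.reason` goes to the telemetry sink described further down, never to the HTTP response.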

Security settings

Pair this with a SIEM alert when lockoutPolicy.enabled is toggled off so you never miss an unexpected relaxation.

Monitoring & alerts

Forward key lifecycle events into your observability stack. Start with the NextAuth signIn, signOut, session, and linkAccount events, and log user and provider identifiers rather than tokens or email addresses. Note that session fires on every session lookup, so sample or aggregate it. Attach correlation IDs to trace requests end-to-end.

Telemetry hook

Use console.log during development, but send production logs to Datadog, Sentry, OpenTelemetry, or your platform of choice.
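A telemetry hook for the four events, as an added example rather than AuthCore's own code: it builds a NextAuth `events` object whose handlers emit structured records to a sink, stamp each record with a correlation ID, and scrub anything that looks like a credential or PII before it leaves the process. The argument shapes follow NextAuth's documented events API; the sink, the correlation-ID source, the record field names and the sample payloads in `demo()` are assumptions constructed for this example.

```javascript
// Added example, not AuthCore's code: NextAuth `events` handlers that forward
// structured, scrubbed records with a correlation ID to a log sink. Sink,
// correlation-id source and field names are assumptions.

const SENSITIVE_KEY = /token|secret|password|cookie|email/i;

// Drop any key that looks like a credential or PII, recursively.
function scrub(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj)) {
    if (SENSITIVE_KEY.test(k) || v === undefined) continue;
    out[k] = v !== null && typeof v === "object" ? scrub(v) : v;
  }
  return out;
}

function createAuthEvents(sink, { correlationId = () => "none", now = () => new Date().toISOString() } = {}) {
  const emit = (event, fields) => {
    const record = scrub({ event, ts: now(), correlationId: correlationId(), ...fields });
    sink(record); // e.g. a Datadog/OpenTelemetry exporter; fire-and-forget here
    return record;
  };
  // Handlers pick identifiers only; scrub() is a second line of defence.
  return {
    signIn: ({ user, account, isNewUser }) =>
      emit("signIn", { userId: user?.id, provider: account?.provider, isNewUser: Boolean(isNewUser) }),
    signOut: ({ token, session }) =>
      emit("signOut", { userId: token?.sub ?? session?.user?.id }),
    // `session` fires on every session lookup; sample it upstream if volume is a concern.
    session: ({ session, token }) =>
      emit("session", { userId: token?.sub ?? session?.user?.id, expires: session?.expires }),
    linkAccount: ({ user, account }) =>
      emit("linkAccount", { userId: user?.id, provider: account?.provider, providerAccountId: account?.providerAccountId }),
  };
}

// Constructed sample: payloads shaped like what NextAuth passes to each event,
// including an access token and an email that must not reach the sink.
function demo() {
  const records = [];
  const events = createAuthEvents((r) => records.push(r), {
    correlationId: () => "req-42",
    now: () => "2024-01-01T00:00:00.000Z",
  });
  events.signIn({ user: { id: "u1", email: "alice@example.com" }, account: { provider: "github", access_token: "gho_secret" }, isNewUser: false });
  events.session({ session: { user: { id: "u1" }, expires: "2024-02-01T00:00:00.000Z" }, token: { sub: "u1" } });
  events.linkAccount({ user: { id: "u1" }, account: { provider: "google", providerAccountId: "1234567890" } });
  events.signOut({ token: { sub: "u1" } });
  return records;
}
```

Wire it in with `NextAuth({ ..., events: createAuthEvents(sink, { correlationId: () => requestId }) })`, where `requestId` is read from whatever header or async context your platform uses for request tracing (assumed here, not something NextAuth provides).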

Audit trail

Record security mutations to an append-only table: grant the application's database role INSERT and SELECT on it but not UPDATE or DELETE, so a compromised application cannot rewrite history. The example below adds a simple audit log row whenever tenant security settings change.

Audit logging
Retention: keep audit events for at least 180 days. SOC 2 does not prescribe a fixed period, so treat 180 days as a baseline and confirm the number with your auditor and customer contracts. Move older events into cold storage if the volume outgrows hot tables, but keep them queryable for investigations.
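An audit-trail sketch tying together the audit row on a settings change, the SIEM alert from the Security posture section for lockoutPolicy.enabled being switched off, and the retention split. This is an added example, not the page's own example or AuthCore's code: the settings shape, the row columns, the `security_settings.update` action name and the `alert` callback are assumptions constructed for the demo.

```javascript
// Added example, not AuthCore's code: append-only audit rows for tenant
// security-settings changes, an alert when lockoutPolicy.enabled goes from
// true to false, and a hot/cold split by retention age. Settings shape,
// columns and action name are assumptions.

// Leaf-level diff, e.g. [{ path: "lockoutPolicy.enabled", from: true, to: false }].
function diffSettings(before, after, prefix = "") {
  const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
  const out = [];
  for (const key of new Set([...Object.keys(before ?? {}), ...Object.keys(after ?? {})])) {
    const path = prefix ? `${prefix}.${key}` : key;
    const a = before?.[key];
    const b = after?.[key];
    if (isObj(a) && isObj(b)) out.push(...diffSettings(a, b, path));
    else if (JSON.stringify(a) !== JSON.stringify(b)) out.push({ path, from: a, to: b });
  }
  return out;
}

// Insert-only store: no update/delete methods and frozen rows. In a real
// database the runtime role gets INSERT and SELECT on the table, nothing else.
class AuditLog {
  constructor() { this.rows = []; }
  append(row) {
    const frozen = Object.freeze({ id: this.rows.length + 1, ...row });
    this.rows.push(frozen);
    return frozen;
  }
}

function recordSecuritySettingsChange({ audit, alert }, { tenantId, actorId, before, after, at }) {
  const changes = diffSettings(before, after);
  if (changes.length === 0) return { row: null, alerts: [] }; // no-op saves write nothing
  const row = audit.append({ tenantId, actorId, action: "security_settings.update", at, changes });
  // The one relaxation the checklist singles out: lockout switched off.
  const alerts = changes
    .filter((c) => c.path === "lockoutPolicy.enabled" && c.from === true && c.to === false)
    .map(() => ({ severity: "high", tenantId, actorId, auditRowId: row.id, message: "account lockout disabled" }));
  for (const a of alerts) alert(a); // forward to the SIEM
  return { row, alerts };
}

// Retention: rows older than `days` go to cold storage, the rest stay hot.
function splitForRetention(rows, now, days = 180) {
  const cutoff = now - days * 86_400_000;
  const hot = [];
  const cold = [];
  for (const r of rows) (Date.parse(r.at) < cutoff ? cold : hot).push(r);
  return { hot, cold };
}
```

Because the row stores the full list of leaf changes, an investigator can replay who relaxed which setting and when without diffing snapshots; the alert carries the row id so the SIEM event links straight back to the audit entry.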

Resilience drills

Run through failure scenarios quarterly: database failover, SMTP outage, compromised account. Document the manual overrides your support team needs to know.

  • Ensure seed:admin can restore a super admin quickly, and rotate the credentials it creates as soon as the emergency is over.
  • Practice revoking API tokens and resetting 2FA for users locked out of their devices, with an out-of-band identity check before any reset.
  • Schedule backup restores in staging to validate snapshots.