The Stack Behind Claudit

A full-stack AI audit platform built on Next.js 15, React 19, and Claude — designed for developers who want to ship fast without cutting corners on security.

How Claudit Works

1. Paste your code

Drop in source files, paste code, upload files, or import from a URL. Each agent has a prep prompt to help you gather the right files.

2. AI analyzes it

Your code is sent server-side to Claude (Anthropic's API) with a specialized system prompt. Results stream back in real time, typically in under 30 seconds. Note that the pasted code leaves your machine and is processed by Anthropic, so check their data-handling terms before auditing anything you cannot share.

3. Get a structured report

Every audit produces a severity-rated report with specific line references, remediation steps, and a composite score. Export as Markdown or JSON.

The Full Stack

Framework

Next.js 15

React 19 with App Router, Server Components, and ISR. Pages that need auth are server-rendered; audit pages are statically generated at build time.

AI Engine

Claude (Anthropic)

Claude Sonnet 4.6 via the Anthropic SDK. Each of the 50 audit agents has a specialized system prompt with structured output, severity ratings, and scoring.
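The reply that streams back from the model is untrusted input like any other, and more so here: the model has just read the user's pasted code, which can carry instructions aimed at the model rather than at the auditor. Below is an added example, not Claudit's code, of what an audit route should do with the reply before it reaches the UI or the score: parse it strictly, check every line reference against the file that was actually submitted, cap string lengths, recompute the composite score on the server, and escape the Markdown export. The field names, severity scale and weights are assumptions; Claudit's report schema is not published on this page.

```typescript
// Added example, not Claudit's code. Field names, severity scale and weights are assumed.
type Severity = "critical" | "high" | "medium" | "low" | "info";
const SEVERITIES: readonly Severity[] = ["critical", "high", "medium", "low", "info"];
// Assumed scoring: each finding subtracts its weight from 100.
const WEIGHT: Record<Severity, number> = { critical: 25, high: 10, medium: 5, low: 2, info: 0 };

interface Finding { title: string; severity: Severity; line: number; remediation: string }
interface Report { findings: Finding[]; score: number }

// Models often wrap JSON in a ```json fence even when told not to. Accept that one
// variation and nothing else (no "Here is your report:" preamble, no trailing prose).
function extractJson(raw: string): unknown {
  const m = raw.trim().match(/^```(?:json)?\s*([\s\S]*?)\s*```$/);
  return JSON.parse(m ? m[1] : raw.trim());
}

// sourceLineCount is the line count of the code the user submitted, so every
// finding can be checked against the file it claims to describe.
function validateReport(raw: string, sourceLineCount: number): Report {
  const data = extractJson(raw) as { findings?: unknown } | null;
  if (!data || typeof data !== "object" || !Array.isArray(data.findings)) {
    throw new Error("report must be an object with a findings array");
  }
  const findings: Finding[] = [];
  for (const item of data.findings as unknown[]) {
    if (!item || typeof item !== "object") throw new Error("finding must be an object");
    const f = item as Record<string, unknown>;
    const severity = String(f.severity ?? "").toLowerCase() as Severity;
    if (!SEVERITIES.includes(severity)) throw new Error(`unknown severity: ${severity}`);
    const line = Number(f.line);
    // A line number outside the submitted file is the cheapest tell of a fabricated finding.
    if (!Number.isInteger(line) || line < 1 || line > sourceLineCount) {
      throw new Error(`line reference ${String(f.line)} is outside the ${sourceLineCount}-line input`);
    }
    findings.push({
      title: String(f.title ?? "").slice(0, 200), // caps: this text is rendered in the UI
      severity,
      line,
      remediation: String(f.remediation ?? "").slice(0, 2000),
    });
  }
  // Recompute the composite score; a score the model assigns to its own findings is not data.
  const penalty = findings.reduce((sum, f) => sum + WEIGHT[f.severity], 0);
  return { findings, score: Math.max(0, 100 - penalty) };
}

// Markdown export: escape pipes and newlines so a finding title (written by the
// model, which read the user's code) cannot break out of its table cell.
function toMarkdown(report: Report): string {
  const cell = (s: string) => s.replace(/\|/g, "\\|").replace(/\r?\n/g, " ");
  const rows = report.findings.map(
    (f) => `| ${f.severity} | ${f.line} | ${cell(f.title)} | ${cell(f.remediation)} |`,
  );
  return [
    `Score: ${report.score}/100`,
    "",
    "| Severity | Line | Finding | Remediation |",
    "|---|---|---|---|",
    ...rows,
  ].join("\n");
}

// Constructed sample of a model reply for a 40-line file. Its self-reported score
// of 99 is ignored by the validator, which recomputes 100 - 10 - 2 = 88.
const SAMPLE_REPLY = [
  "```json",
  JSON.stringify({
    findings: [
      { title: "SQL query built by string concatenation", severity: "High", line: 12, remediation: "Use a parameterised query" },
      { title: "Session token written to debug log", severity: "low", line: 30, remediation: "Remove the log line" },
    ],
    score: 99,
  }),
  "```",
].join("\n");
```

Rejecting the whole report on a single bad line reference is deliberate: silently dropping the finding would hide from the operator that the prompt or model is drifting, and a retry with the same input is cheap.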

Styling

Tailwind CSS 3.4

Utility-first CSS with dark mode, responsive breakpoints, and the typography plugin. Motion library for hover/tap animations. Lenis for smooth scrolling.

Authentication

Better Auth

Self-hosted auth with email/password, GitHub & Google OAuth, admin roles, 2FA, and email verification. No vendor lock-in, free at any scale.

Database

PostgreSQL + Drizzle

Supabase-managed Postgres with Drizzle ORM (7KB bundle, no codegen). Stores users, sessions, and audit history with full TypeScript type safety.

Deployment

Railway

Auto-deploys on push to main. Nonce-based CSP, HSTS, and security headers via middleware. Usage-based pricing starting at $5/mo.
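The line above names the mechanism (per-request nonce, HSTS, headers set in middleware); here is what such a policy looks like in practice. This is an added example, not Claudit's own middleware.ts: the directive allowlists are assumptions, and the policy is kept in plain functions so it can be tested without Next.js. The Next.js wiring is shown in a comment at the end.

```typescript
// Added example, not Claudit's middleware.ts. Directive lists are assumptions.
import { randomBytes } from "node:crypto";

// 128 random bits per response, base64 as the CSP grammar expects. A nonce that is
// reused across responses, or derivable from anything an attacker can see, is no nonce.
function generateNonce(): string {
  return randomBytes(16).toString("base64");
}

// Strict CSP: only scripts carrying this response's nonce run, and 'strict-dynamic'
// lets those trusted scripts load the chunks they import (as Next.js does) without a
// host allowlist. CSP3 browsers ignore 'self' in script-src once 'strict-dynamic' is
// present; it stays as a fallback for older ones.
function buildCsp(nonce: string, isDev = false): string {
  const directives: Record<string, string[]> = {
    "default-src": ["'self'"],
    "script-src": ["'self'", `'nonce-${nonce}'`, "'strict-dynamic'", ...(isDev ? ["'unsafe-eval'"] : [])], // dev tooling needs eval
    "style-src": ["'self'", "'unsafe-inline'"], // animation libraries set inline style attributes
    "img-src": ["'self'", "data:", "blob:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"], // Claude is called from the server; the browser never talks to the Anthropic API
    "frame-ancestors": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
    "object-src": ["'none'"],
    "upgrade-insecure-requests": [],
  };
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(" ")}` : name))
    .join("; ");
}

// The full header set. HSTS is omitted in development: once a browser has cached it
// for localhost it refuses the plain-http dev server until the entry expires.
function securityHeaders(nonce: string, isDev = false): Record<string, string> {
  const headers: Record<string, string> = {
    "Content-Security-Policy": buildCsp(nonce, isDev),
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "DENY", // legacy twin of frame-ancestors
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
  if (!isDev) {
    headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains";
  }
  return headers;
}

// Wiring into a Next.js 15 middleware.ts, shown as a comment because it needs next/server:
//
//   export function middleware(req: NextRequest) {
//     const nonce = generateNonce();
//     const requestHeaders = new Headers(req.headers);
//     requestHeaders.set("x-nonce", nonce); // Server Components read headers().get("x-nonce") to stamp <Script nonce>
//     const res = NextResponse.next({ request: { headers: requestHeaders } });
//     const dev = process.env.NODE_ENV === "development";
//     for (const [k, v] of Object.entries(securityHeaders(nonce, dev))) res.headers.set(k, v);
//     return res;
//   }
```

One caveat that follows from the stack description: a per-request nonce only works on responses rendered per request. Reading the nonce from the request headers inside a Server Component opts that page into dynamic rendering, so the statically generated audit pages cannot carry a fresh nonce in their HTML. Either their policy drops the nonce (scripts from 'self' only, no inline scripts) or those pages give up static generation.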

Why This Beats the Alternatives

Feature | Better Auth | NextAuth v5 | Clerk | Supabase Auth
Self-hosted (you own the data) | Partial for one provider
EU data residency
Admin roles & user management
Built-in 2FA (TOTP)
Organizations & teams
Email verification
OAuth providers
Active maintenance
No vendor lock-in | Partial for one provider
Free at any scale | Partial for one provider
TypeScript-first | Partial for two providers
Next.js App Router support

⚠️ NextAuth.js (Auth.js v5)

In maintenance mode since early 2025. The lead maintainer left and the project was absorbed into Better Auth. Still receives security patches, but no new features. Starting a new project on Auth.js in 2026 is inadvisable.

💸 Clerk

Excellent DX and beautiful pre-built UI, but no EU data residency (GDPR risk), and pricing climbs fast: $1,825/mo at 100K users, $19,825/mo at 1M users. Your entire user system lives on their infrastructure — migration means rebuilding from scratch.

🔒 Supabase Auth

Strong contender with EU hosting and a generous free tier. Falls short on admin roles, 2FA, and organization management — you'd build these yourself. Auth is coupled to Supabase's platform, making future migration harder.

🪦 Lucia Auth

Deprecated in March 2025. The author converted it into an educational resource. Do not use for new projects.

🔧 Custom (bcrypt + JWT)

Rolling your own auth means implementing OAuth, email verification, password reset, 2FA, session management, CSRF protection, rate limiting, and account enumeration prevention. The surface area for security mistakes is enormous. Better Auth already solves all of this with battle-tested code.

What Better Auth Gives You Out of the Box

Better Auth uses a plugin system — you add only what you need. Here's what powers Claudit:

Core

Built-in
  • Email & password authentication
  • Session management (in your database)
  • Password hashing (scrypt by default, with a pluggable hash/verify pair)
  • CSRF protection
  • Rate limiting on auth endpoints
  • Account enumeration prevention

OAuth

Built-in
  • GitHub, Google, and 20+ providers
  • OAuth2 + PKCE flow
  • Account linking (same email)
  • State parameter CSRF protection
  • Automatic profile sync

Admin Plugin

Plugin
  • User roles (user, admin, custom)
  • Ban/unban users with reasons
  • User impersonation for debugging
  • Admin-only endpoints
  • User management API

Two-Factor (2FA)

Plugin
  • TOTP authenticator app support
  • Backup recovery codes
  • OTP via email/SMS
  • Per-user enable/disable
  • Remember trusted devices

Email Verification

Built-in
  • Verification link on signup
  • Configurable expiry time
  • Resend verification endpoint
  • Custom email templates (via Resend)
  • Require verification before access

Password Reset

Built-in
  • Secure reset token generation
  • Configurable token expiry
  • Rate-limited reset requests
  • Custom reset email templates
  • Token invalidation after use

Also available (not used in this project)

Organization & teams plugin, Magic link auth, Phone/SMS auth, Passkeys (WebAuthn), API key management, Session impersonation, and more. See the Better Auth plugin directory.

Cost: ~$30/mo

A production-ready stack with auth, database, hosting, and email — for less than a Netflix subscription.

Service | Plan | Monthly
Supabase | Pro (8GB DB, daily backups, EU region) | $25
Railway | Hobby (hosting, usage-based, $5 minimum) | $5
Better Auth | Open source, forever free | $0
Drizzle ORM | Open source, forever free | $0
Resend | Free tier (3,000 emails/month, 100/day) | $0
Total | | ~$30/mo

For comparison: Clerk

10K users: Free

50K users: $825/mo

100K users: $1,825/mo

1M users: $19,825/mo

This stack at scale

10K users: ~$30/mo

50K users: ~$50/mo

100K users: ~$80/mo

1M users: ~$200/mo

Get Started in 5 Minutes

  1. Get your Supabase connection string

    Go to your Supabase project → Settings → Database → Connection string (URI). Copy it and use it as DATABASE_URL. The string embeds the database password, so treat it as a secret.

  2. Add environment variables

    Copy .env.example to .env.local (gitignored by default in a create-next-app project). Add your DATABASE_URL, generate a BETTER_AUTH_SECRET with `openssl rand -base64 32`, and add your ANTHROPIC_API_KEY.

  3. Push the database schema

    Run `npx drizzle-kit push` to create all tables in your Supabase database. This creates the user, session, account, verification, twoFactor, and audit tables. push is meant for development; against a production database, generate and apply migrations instead (`npx drizzle-kit generate`, then `npx drizzle-kit migrate`) so every schema change is reviewable.

  4. Start the dev server

    Run `npm run dev` and open localhost:3000. Sign up for an account and you're live.

  5. Add OAuth (optional)

    Create OAuth apps on GitHub and Google, with the callback URL set to `<your origin>/api/auth/callback/github` and `<your origin>/api/auth/callback/google` respectively, then add the client IDs and secrets to .env.local. The login page will automatically show the OAuth buttons.

Architecture

┌─────────────────────────────────────────────────┐
│  Next.js 15 · React 19 · TypeScript 5.9         │
│  ├── app/                                       │
│  │   ├── (auth)/login/signup/reset/2fa/         │
│  │   ├── dashboard/  settings/  history/        │
│  │   ├── audit/[agent]/  audit/custom/[id]/     │
│  │   ├── stack/                                 │
│  │   ├── api/                                   │
│  │   │   ├── auth/[...all]/   ← Better Auth     │
│  │   │   ├── audit/           ← Claude stream   │
│  │   │   └── fetch-url/       ← URL importer    │
│  │   └── layout.tsx           ← Navbar + Footer │
│  ├── components/                                │
│  │   ├── AgentCard.tsx        ← Motion animated │
│  │   ├── AuditInterface.tsx   ← Stream + render │
│  │   └── 12 more components                     │
│  ├── lib/                                       │
│  │   ├── agents/ (registry + 50 system prompts) │
│  │   ├── ai/anthropicProvider  ← Claude SDK     │
│  │   ├── auth.ts + auth-client ← Better Auth    │
│  │   └── db.ts + auth-schema   ← Drizzle ORM    │
│  └── middleware.ts   ← Nonce CSP + auth gate    │
├─────────────────────────────────────────────────┤
│  Tailwind CSS 3.4 · Motion · Lenis scroll       │
├─────────────────────────────────────────────────┤
│  Claude Sonnet 4.6 (Anthropic API, streaming)   │
├─────────────────────────────────────────────────┤
│  Better Auth (self-hosted, in-process)          │
│  Plugins: admin, 2FA, email verification        │
├─────────────────────────────────────────────────┤
│  Drizzle ORM (7KB, no codegen)                  │
├─────────────────────────────────────────────────┤
│  Supabase PostgreSQL (managed, EU region)       │
├─────────────────────────────────────────────────┤
│  Railway (auto-deploy on push to main)          │
└─────────────────────────────────────────────────┘
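The api/fetch-url/ route in the diagram (the "import from a URL" feature) fetches a user-supplied URL from the server, which is the textbook server-side request forgery entry point: a user can point it at localhost, the cloud metadata service, or another host on the deployment's internal network. The guard below is an added example, not Claudit's route handler. It assumes Node 18+ (global fetch), that imports only ever need public http(s) content, and a 512 KiB size cap on what gets pulled in.

```typescript
// Added example, not Claudit's fetch-url handler. Limits and policy are assumptions.
import { isIP } from "node:net";
import dns from "node:dns/promises";

// Assumed limit: audited inputs are source files, not archives.
const MAX_BYTES = 512 * 1024;

// True for any address a server-side fetcher must refuse: unspecified, loopback,
// RFC 1918, CGNAT (100.64/10), link-local (including the 169.254.169.254 cloud
// metadata endpoint), multicast/reserved, and the IPv6 equivalents.
function isPrivateAddress(addr: string): boolean {
  const version = isIP(addr);
  if (version === 4) {
    const [a, b] = addr.split(".").map(Number);
    return (
      a === 0 || a === 10 || a === 127 || a >= 224 ||
      (a === 100 && b >= 64 && b <= 127) ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168)
    );
  }
  if (version === 6) {
    const v6 = addr.toLowerCase();
    if (v6 === "::" || v6 === "::1") return true;
    if (/^(fe[89ab]|f[cd]|ff)/.test(v6)) return true; // link-local, ULA, multicast
    const mapped = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped, e.g. ::ffff:127.0.0.1
    return mapped ? isPrivateAddress(mapped[1]) : false;
  }
  return true; // not an IP literal at all: never treat as safe
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

function hostOf(url: URL): string {
  return url.hostname.replace(/^\[|\]$/g, ""); // WHATWG URL keeps IPv6 literals in brackets
}

// Cheap, synchronous checks on the URL itself. Throws on anything the importer refuses.
function validateImportUrl(raw: string): URL {
  const url = parseUrl(raw);
  if (!url) throw new Error("malformed URL");
  if (url.protocol !== "https:" && url.protocol !== "http:") throw new Error("only http(s) URLs are allowed");
  if (url.username || url.password) throw new Error("credentials in URLs are not allowed");
  const host = hostOf(url);
  if (host === "localhost" || host.endsWith(".localhost")) throw new Error("localhost is not allowed");
  if (isIP(host) && isPrivateAddress(host)) throw new Error("private address is not allowed");
  return url;
}

// Resolves the hostname and refuses if any answer is private, then fetches with
// redirects disabled: a 3xx from a public host could point straight back inside.
async function fetchImport(raw: string): Promise<string> {
  const url = validateImportUrl(raw);
  const host = hostOf(url);
  if (!isIP(host)) {
    const answers = await dns.lookup(host, { all: true });
    if (answers.length === 0 || answers.some((a) => isPrivateAddress(a.address))) {
      throw new Error("hostname resolves to a private address");
    }
  }
  const res = await fetch(url, { redirect: "manual", signal: AbortSignal.timeout(10_000) });
  if (res.status >= 300 && res.status < 400) throw new Error("redirects are not followed");
  if (!res.ok) throw new Error(`upstream returned ${res.status}`);
  const reader = res.body?.getReader();
  if (!reader) throw new Error("empty response");
  const chunks: Uint8Array[] = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > MAX_BYTES) { await reader.cancel(); throw new Error("response too large"); }
    chunks.push(value);
  }
  return Buffer.concat(chunks).toString("utf8");
}
```

The lookup-then-fetch sequence still leaves a DNS rebinding window between the resolution that was checked and the connection fetch makes; closing it means connecting to the vetted IP directly (a custom agent or undici dispatcher with the Host header set by hand), which is beyond this snippet. Redirects are refused rather than followed because every hop would need the same checks.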