Lucia

Lucia was the auth library every indie hacker recommended — simple session management without the bloat of NextAuth or the vendor lock-in of Auth0. Clean API, framework-agnostic, TypeScript-first. Was.

Lucia v3 was deprecated in March 2025. The maintainers concluded that the database adapter model was too rigid and recommended just implementing sessions yourself. Better-Auth has emerged as the spiritual successor. NextAuth (Auth.js) is the established alternative. Clerk and Auth0 are the commercial options.

Don't use Lucia for new projects. It's now an educational resource — the docs teach you how sessions work, which is genuinely valuable, but the library itself isn't maintained.

The catch: if you're already running Lucia v3 in production, it still works — there are no breaking changes. But you're on your own for bug fixes and security patches. Migrate to Better-Auth or roll your own session layer using Lucia's docs as a guide. The BSD-0 license means you can fork it, but nobody is.