Every developer has built it at least once. A `UsersController`, a `POST /auth/login` endpoint, a `PasswordHasher`, a `JwtService` that generates tokens. It feels like the natural thing to do — auth is just another feature, right?

It isn't. And I learned that the hard way.

## What "rolling your own JWT auth" actually means

On the surface it looks simple:

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

// `claims` (IEnumerable<Claim>) and `credentials` (SigningCredentials wrapping
// the signing key and algorithm) are assumed to come from elsewhere in the app.
var token = new JwtSecurityToken(
    issuer: "myapp",
    claims: claims,
    expires: DateTime.UtcNow.AddHours(1),
    signingCredentials: credentials);

// Serialize to the compact header.payload.signature string the client receives
var jwt = new JwtSecurityTokenHandler().WriteToken(token);
```

But that's just the token. The moment you decide to own your auth stack, you're signing up for all of this:

- Password storage — hashing, salting, choosing the right algorithm (bcrypt? Argon2?…
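The issuing snippet above is the easy half; the part that bites is validating what comes back. As an added example (not code from the original post), here is the same `System.IdentityModel.Tokens.Jwt` API used to issue a token and then validate it with every check switched on explicitly, followed by two tokens that must be rejected: one already expired and one signed with a different key. The issuer `myapp`, audience `myapp-api`, user id `user-123` and the `JwtRoundTrip` class name are made up for the example; the key is generated per run, and .NET 6+ is assumed for `RandomNumberGenerator.GetBytes`.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Added example, not code from the original post. Assumes the
// System.IdentityModel.Tokens.Jwt package on .NET 6+; issuer, audience and
// user id are made-up values and the signing key is generated per run.
static class JwtRoundTrip
{
    const string Issuer = "myapp";
    const string Audience = "myapp-api";

    // Issue a token. A negative `lifetime` mints an already-expired token for the demo.
    public static string Issue(SymmetricSecurityKey key, string userId, TimeSpan lifetime)
    {
        var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), // unique id, enables revocation lists
        };
        var expires = DateTime.UtcNow.Add(lifetime);
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: claims,
            notBefore: expires.AddHours(-1),   // nbf always precedes exp, as the constructor requires
            expires: expires,
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Validate a token: issuer, audience, lifetime, signature and algorithm are all checked.
    public static ClaimsPrincipal Validate(SymmetricSecurityKey key, string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,
            ValidAudience = Audience,
            ValidateLifetime = true,
            RequireExpirationTime = true,              // a token without exp is rejected
            ClockSkew = TimeSpan.FromSeconds(30),      // library default is 5 minutes
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = key,
            // Pin the algorithm: a header claiming any other alg fails validation
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }

    public static void Main()
    {
        var key = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32)); // 256-bit key for HS256

        // 1. A fresh token validates and yields the subject claim
        var jwt = Issue(key, "user-123", TimeSpan.FromHours(1));
        var principal = Validate(key, jwt);
        Console.WriteLine($"valid: sub={principal.FindFirst(JwtRegisteredClaimNames.Sub)?.Value}");

        // 2. An expired token is rejected by the lifetime check
        var expired = Issue(key, "user-123", TimeSpan.FromHours(-1));
        try { Validate(key, expired); }
        catch (SecurityTokenExpiredException) { Console.WriteLine("rejected: expired"); }

        // 3. A token signed under a different key fails the signature check
        var otherKey = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));
        var foreign = Issue(otherKey, "user-123", TimeSpan.FromHours(1));
        try { Validate(key, foreign); }
        catch (SecurityTokenException e) { Console.WriteLine($"rejected: {e.GetType().Name}"); }
    }
}
```

Every property in `TokenValidationParameters` above has a default, and several of those defaults are more permissive than a fresh implementation expects: `ClockSkew` is five minutes, and `ValidateAudience` with no `ValidAudience` configured throws rather than silently passing. Pinning `ValidAlgorithms` is the cheap defence against algorithm-confusion tricks; the handler already refuses an unsigned token while `RequireSignedTokens` stays at its default of `true`. None of this is exotic, which is the point: it is a list of decisions you now own.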