How to Add Authentication to a Ruby on Rails App (2026 Guide)
Complete guide to Rails auth. Covers the Rails 8 auth generator, Devise, Rodauth, and managed providers for Ruby apps.
Ruby on Rails has always been opinionated about how web apps should work, and Rails 8 finally brought that opinion to authentication. For years, the community relied almost entirely on Devise. Now developers have a genuine choice: the new built-in generator, Devise, Rodauth, or a third-party provider.
This guide covers every practical approach to Rails auth in 2026, with honest trade-offs for each option.
What Changed with Rails 8
Rails 8 shipped an official authentication generator that produces a complete, convention-based auth system. Running rails generate authentication creates:
- A User model with `email_address` (uniquely indexed) and `password_digest` using `has_secure_password`
- A Session model that tracks `token`, `ip_address`, and `user_agent` for every login
- A SessionsController handling login and logout
- A PasswordsController with reset flow and mailers
- A `require_authentication` before_action callback for protecting controllers
One advantage over Devise: the generator tracks full session history instead of just storing the latest session. You can see every active session, which device it came from, and revoke individual sessions.
But the generator deliberately stays minimal. It covers sign-in and password recovery. Everything else — sign-up, social login, 2FA, account confirmation, account locking — is left to you.
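To make the session-history point concrete, here is an added example (not code from the Rails generator itself) that models the User/Session pair in plain Ruby: a PBKDF2 password digest standing in for `has_secure_password`, one Session record per login carrying `token`, `ip_address` and `user_agent`, and per-session revocation. Class and method names are assumptions chosen for illustration; the real generator persists this with ActiveRecord.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for the generated User model plus its Session records.
# No database: sessions live in an array so the example runs stand-alone.
class User
  attr_reader :email_address, :sessions
  ITERATIONS = 100_000 # PBKDF2 work factor for this demo (has_secure_password uses bcrypt)

  def initialize(email_address, password)
    @email_address = email_address.downcase.strip
    @salt = SecureRandom.hex(16)
    @password_digest = digest(password, @salt)
    @sessions = []
  end

  # Mirrors User#authenticate: constant-time comparison of the stored digest.
  def authenticate(password)
    OpenSSL.secure_compare(digest(password, @salt), @password_digest)
  end

  # One Session row per login, the same fields the generator's Session model tracks.
  # The token is what would be placed in the signed session cookie.
  def start_session(ip_address:, user_agent:)
    session = { token: SecureRandom.urlsafe_base64(24),
                ip_address: ip_address, user_agent: user_agent, revoked: false }
    @sessions << session
    session
  end

  def active_sessions
    @sessions.reject { |s| s[:revoked] }
  end

  # Revoke a single device's session without touching the user's other sessions.
  def revoke(token)
    session = @sessions.find { |s| s[:token] == token && !s[:revoked] }
    return false unless session
    session[:revoked] = true
    true
  end

  # What require_authentication does with the cookie: look up a live session by token.
  def find_session(token)
    active_sessions.find { |s| s[:token] == token }
  end

  private

  def digest(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS, length: 32, hash: "sha256")
  end
end
```

A revoked token no longer resolves through `find_session`, which is exactly the check a `require_authentication` callback needs to make on every request.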
Common Rails Auth Approaches Compared
Rails 8 Built-in Generator
The official generator gives you a working auth system in minutes that follows Rails conventions and is fully customizable since you own all the generated code.
What works well:
- No external dependencies — pure Rails
- Full source code ownership (generated, not hidden in a gem)
- Session history with IP and user agent tracking
- Follows Rails conventions perfectly
- Easy to understand and modify
Where it falls apart:
- No sign-up flow generated
- No social login or OAuth support
- No two-factor authentication
- No account confirmation or locking
- You build every missing feature yourself
Devise
Devise has been the Rails auth standard for over a decade. It provides a modular system where you opt into features: confirmable, lockable, recoverable, rememberable, timeoutable, trackable, and OmniAuth integration.
What works well:
- Extremely well-tested with millions of production deployments
- Modular — enable only the features you need
- OmniAuth integration for social login
- Extensive community with solutions for most edge cases
- Works with Rails 7 and 8
Where it falls apart:
- Hides auth logic inside the gem, making customization harder
- Heavy for simple use cases
- OmniAuth configuration is verbose
- Can conflict with custom user models and non-standard setups
Rodauth
Rodauth is Ruby’s most advanced authentication framework. Built on Roda and Sequel (not ActiveRecord), it provides comprehensive auth features with a security-first design.
What works well:
- 2FA, WebAuthn, and passkey support built in
- Account verification and recovery included
- Password complexity rules and breach detection
- Can run as middleware in front of a Rails app
- Highly configurable security policies
Where it falls apart:
- Uses Sequel instead of ActiveRecord by default
- Steeper learning curve than Devise
- Smaller community and fewer tutorials
- Integration with Rails requires the rodauth-rails gem
Authentication Zero
Authentication Zero is a newer generator that goes further than the Rails 8 built-in generator. It creates code for 2FA (TOTP), passwordless login, sudo mode, masquerading, and session logging — all following Rails best practices.
What works well:
- Generates 2FA, passwordless auth, and sudo mode
- All code is generated and owned by you
- Follows Rails security best practices
- Active maintenance and development
Where it falls apart:
- Less battle-tested than Devise
- Smaller community for troubleshooting
- Generated code requires understanding to maintain
- No managed infrastructure — you host everything
The Real Problem: Auth Is Only Half the Battle
Rails makes auth relatively straightforward compared to other frameworks. But authentication does not generate revenue. If you are building a SaaS, you still need Stripe integration for payments, subscription management, and a customer portal.
Adding Stripe to a Rails app after auth means building webhook handlers, mapping users to Stripe customers, handling subscription state changes, and building billing UI. That is another 1-2 weeks of work.
How Beag Simplifies Rails Auth and Payments
Beag combines auth and payments into a single script tag. Instead of running rails generate authentication and then integrating Stripe separately, you add the Beag script tag to your layout and get:
- Authentication with email, social login, and magic links
- Stripe payments with checkout, subscriptions, and customer portal
- User-to-customer mapping handled automatically
- Session data accessible from your controllers
For solo developers and small teams, this eliminates weeks of infrastructure work. Read about common SaaS mistakes to avoid during your build.
Choosing the Right Approach
| Solution | Cost | Setup Time | Auth + Payments |
|---|---|---|---|
| Rails 8 generator | Free | 30 minutes | Auth only |
| Devise | Free | 2-4 hours | Auth only |
| Rodauth | Free | 4-8 hours | Auth only |
| Authentication Zero | Free | 1-2 hours | Auth only |
| Beag | $19/month | 15 minutes | Both included |
For comparisons with other backend frameworks, see our Django auth guide or the Laravel auth guide. Browse all guides in the guide hub.
What to Do Next
- Try the Rails 8 generator first. It covers basic auth with zero dependencies.
- Add Devise or Rodauth when you need social login, 2FA, or advanced features.
- Factor in total cost. Free gems still require engineering time to integrate.
- Ship faster. Try Beag free for 7 days or explore the docs.
Frequently Asked Questions
Does Rails 8 have built-in authentication?
Yes. Rails 8 introduced an official authentication generator that creates a User model, Session model, SessionsController, password reset mailer, and all required migrations. It handles login, logout, and password recovery out of the box. Unlike Devise, it tracks session history with IP address and user agent for each login.
Should I still use Devise in 2026?
Devise remains the most widely used auth gem for Rails, with a massive community and plugin ecosystem. However, Rails 8's built-in generator is now a strong alternative for new projects that need basic auth. Use Devise when you need features like confirmable, lockable, or OmniAuth integration that the built-in generator does not include.
What does the Rails 8 auth generator not include?
The generator only covers sign-in and password recovery. It does not generate a sign-up flow, social login, magic links, phone authentication, account confirmation, account locking, or two-factor authentication. You build these features yourself or add gems like Devise or Rodauth.
What is Rodauth and when should I use it?
Rodauth is Ruby's most advanced authentication framework, built on Roda and Sequel. It supports 2FA, WebAuthn, account recovery, and account verification out of the box. Use Rodauth when you need comprehensive auth features with high security standards and are comfortable with its non-ActiveRecord approach.
How long does it take to add auth to a Rails app?
The Rails 8 built-in generator takes about 30 minutes for basic login. Devise setup with confirmable and social login takes 2-4 hours. A full Rodauth setup takes 4-8 hours. If you need auth and payments together, Beag handles both in about 15 minutes.
Skip the Auth and Payments Headaches
Beag handles authentication and Stripe payments with a single script tag. Ship your SaaS faster.