implementation · Intermediate

Greenfield CIAM: how to ship the first version in 8 weeks

By Deepak Gupta · Updated 2026-01-15 · 13 min

What "first version" means

A working CIAM for a new product covers: signup, sign-in, password reset, email verification, social login, basic profile, and session management. Anything beyond that is phase 2.

Week-by-week

Weeks 1-2. Pick the vendor. Read this site's vendor comparisons. Spin up a free tier. Wire signup and sign-in with the SDK. Decide on session strategy (JWT in cookie vs server session).

Weeks 3-4. Email verification and password reset, with links that are single-use and expire. Social login (Google and Apple at minimum). Custom branded emails.

Weeks 5-6. Profile screens. Password change. MFA enrollment (TOTP for now, passkey is phase 2).

Weeks 7-8. Audit logging. Account deletion flow (GDPR). Rate limiting on sign-in, reset and verification endpoints. Production hardening.
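Weeks 1-2 ask for a session strategy and weeks 7-8 for rate limiting and audit logging; the sign-in path below ties the three together using the server-session option. It is an added example, not code from this guide or from any vendor SDK: the in-memory stores, the `authenticate` callback standing in for the vendor's credential check, and the policy numbers (8-hour session, 5 attempts per 15 minutes) are all assumptions.

```python
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Policy values assumed for this example; tune them to the product.
SESSION_TTL_SECONDS = 8 * 60 * 60   # idle lifetime before the user must sign in again
LOGIN_LIMIT = 5                     # attempts allowed per key ...
LOGIN_WINDOW_SECONDS = 15 * 60      # ... within this trailing window


@dataclass
class Session:
    user_id: str
    expires_at: float


class SessionStore:
    """Server-side sessions: the browser holds only an opaque random ID, so
    there is no bearer token for XSS to read, and revocation is a delete."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session(user_id, now + SESSION_TTL_SECONDS)
        return sid

    def user_for(self, sid: str, now: float) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None or s.expires_at <= now:
            self._sessions.pop(sid, None)  # expired: drop it, treat as signed out
            return None
        return s.user_id

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_set_cookie(sid: str) -> str:
    """Set-Cookie value for the session ID. The __Host- prefix makes browsers
    require Secure and Path=/ and forbid a Domain attribute, so a sibling
    subdomain cannot plant a cookie of this name; HttpOnly hides it from script."""
    return (f"__Host-session={sid}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={SESSION_TTL_SECONDS}")


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()                    # forget hits that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def sign_in(email: str, password: str, client_ip: str, *,
            authenticate: Callable[[str, str], Optional[str]],
            sessions: SessionStore, limiter: SlidingWindowLimiter,
            audit: List[dict], now: Optional[float] = None) -> Optional[dict]:
    """Core of a sign-in handler. `authenticate` stands in for the vendor SDK and
    returns a user ID or None. Returns a dict on success and None on every failure,
    so the response does not distinguish 'no such account' from 'wrong password'."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    # Limit per source IP and per target account: one IP spraying many accounts
    # trips the first, one account attacked from many IPs trips the second.
    if not (limiter.allow(f"ip:{client_ip}", now) and limiter.allow(f"acct:{email}", now)):
        audit.append({"event": "signin.rate_limited", "email": email, "ip": client_ip, "ts": now})
        return None
    user_id = authenticate(email, password)
    if user_id is None:
        audit.append({"event": "signin.failed", "email": email, "ip": client_ip, "ts": now})
        return None
    sid = sessions.create(user_id, now)
    # The session ID is a credential: log that a session was issued, never its value.
    audit.append({"event": "signin.succeeded", "user_id": user_id, "ip": client_ip, "ts": now})
    return {"user_id": user_id, "session_id": sid, "set_cookie": session_set_cookie(sid)}


if __name__ == "__main__":
    # Constructed stand-in for the vendor's credential check.
    demo_auth = lambda e, p: "user_1" if (e, p) == ("alice@example.com", "correct horse") else None
    store, limiter, audit = SessionStore(), SlidingWindowLimiter(LOGIN_LIMIT, LOGIN_WINDOW_SECONDS), []
    result = sign_in("Alice@Example.com", "correct horse", "203.0.113.5",
                     authenticate=demo_auth, sessions=store, limiter=limiter, audit=audit)
    print(result["set_cookie"] if result else "rejected", audit[-1]["event"])
```

The dict behind `SessionStore` can become Redis or the vendor's session API without touching the handler. The two points that matter for the first release are that the browser never holds more than an opaque ID in an HttpOnly cookie, and that both rate limits are applied before the credential is checked, so a lockout costs the attacker the same whether the account exists or not.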

What to defer

  • Federation with enterprise IdPs (only when first enterprise prospect asks)
  • SCIM provisioning (only when first enterprise deal requires it)
  • Custom auth flows (default flows handle 95% of cases)
  • Migration tooling (you have no users yet)
  • Advanced authorization (RBAC is enough until it isn't)

Common pitfalls

  • Building auth in-house "because it's just a login form"
  • Storing passwords with anything other than a salted, deliberately slow hash such as argon2id or bcrypt (the vendor does this for you; do not reimplement it)
  • Keeping JWTs in localStorage, where any XSS on the page can read them, instead of an HttpOnly, Secure cookie
  • Skipping email verification "for conversion" and ending up with fake accounts
  • Hardcoding redirect URIs so staging and preview environments cannot complete the login flow; keep an exact-match allowlist per environment instead
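Two of the pitfalls above in code: a salted, deliberately slow password hash with constant-time verification, and redirect validation against a per-environment allowlist instead of a hardcoded URL. This is an added example, not code from this guide or from any vendor. It uses scrypt from Python's standard library in place of bcrypt or argon2, another member of the same family of slow hashes, and the work factor, environment names and allowlist entries are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# scrypt work factor: assumed values. Raise N until one hash costs ~100 ms on
# production hardware; each hash needs 128*N*r bytes of memory (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Fresh random salt per password, parameters stored alongside the digest so
    they can be raised later without invalidating existing records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                            r=SCRYPT_R, p=SCRYPT_P, dklen=SCRYPT_DKLEN, maxmem=2 ** 26)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected), maxmem=2 ** 26)
    except ValueError:  # malformed record or parameters scrypt refuses
        return False
    return hmac.compare_digest(actual, expected)


# Per-environment allowlist; assumed values. Load this from configuration so
# staging and preview environments get entries instead of edits to the handler.
REDIRECT_ALLOWLIST: Dict[str, Set[str]] = {
    "production": {"https://app.example.com/auth/callback"},
    "staging": {"https://staging.app.example.com/auth/callback"},
    "development": {"http://localhost:3000/auth/callback"},
}

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(uri: str) -> Optional[Tuple[str, str, int, str, str]]:
    """(scheme, host, port, path, query) for a plain http(s) URL, else None.
    Userinfo and fragments are rejected outright: both are classic ways of
    making a URL look like it points at the allowed host when it does not."""
    try:
        u = urlsplit(uri)
        port = u.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if u.scheme not in _DEFAULT_PORTS or not u.hostname:
        return None
    if u.username is not None or u.password is not None or u.fragment:
        return None
    return (u.scheme, u.hostname, port or _DEFAULT_PORTS[u.scheme], u.path or "/", u.query)


def is_allowed_redirect(uri: str, env: str) -> bool:
    """Exact component match against the allowlist for `env`. No prefix or
    substring matching, which is what lets app.example.com.evil.com through."""
    candidate = _normalize(uri)
    if candidate is None:
        return False
    return any(candidate == _normalize(allowed) for allowed in REDIRECT_ALLOWLIST.get(env, set()))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    print(is_allowed_redirect("https://app.example.com.evil.com/auth/callback", "production"))
```

Because the match is on normalized components, `https://APP.example.com:443/auth/callback` is accepted as the production callback while a scheme downgrade, an extra path segment, a userinfo trick or a different query string is not. A deployment that needs query parameters on the callback registers them in the allowlist entry rather than relaxing the comparison.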