The Auth Wall: Why AI Struggles with Stateful Systems
If you watch a demo for an AI coding environment like Cursor, the pitch is always the same: type a prompt, watch the code write itself, and deploy. A straight, frictionless line from idea to production. But actually pushing this Next.js and Payload CMS site live over the last week told a different story. The reality of building with autonomous tools isn't a straight line. It’s a series of messy, overlapping loops—and nowhere did that friction hit harder than when I tried to stand up authentication.

The Illusion of "Just Add Auth"
AI models are phenomenal at generating stateless UI. If you ask Cursor for a dashboard layout, it will nail the Tailwind grid in seconds. But authentication isn't a component; it is a rigid, highly stateful system that touches every layer of your application.
When I prompted the agent to wire up the auth flow between Next.js and Payload CMS, the AI confidently generated hundreds of lines of code. It looked correct. It compiled. But it was a structural trap.
The Infinite Redirect Loop
Because LLMs are trained on vast amounts of historical code, they struggle with shifting architectural paradigms. Next.js recently underwent a massive shift to the App Router and React Server Components (RSC).
The AI kept hallucinating a hybrid of old and new paradigms. It tried to read secure HTTP-only cookies on the client side. It wrote middleware that conflicted with Vercel's edge network constraints. It attempted to pass server-side authentication states into components that weren't designed to hold them.
Instead of a smooth login, I found myself trapped in infinite redirect loops. I would ask the agent to fix a session bug, and it would confidently patch the leak by breaking the token validation entirely. The AI was playing a game of whack-a-mole with my security architecture.
The Human in the Loop
Fixing the auth wall required stepping completely out of the "autopilot" mindset. I had to stop the AI from generating code and force it to map out the exact data flow: where the JWT is minted in Payload, how the Next.js middleware intercepts it, and how Server Components verify the session before rendering the UI.
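To make the redirect loop and the data flow concrete, here is an added example (my illustration, not code from the original post or from Next.js or Payload): the route-gating decision a Next.js middleware makes, isolated as a pure function so the looping version and the fixed version can be run side by side without a server. It assumes the Payload session cookie is named `payload-token` (Payload's default prefix) and that the login page lives at `/login`.

```typescript
// Decision a middleware returns for one request.
type Decision = { action: "next" } | { action: "redirect"; to: string };

// Paths that must be reachable without a session. Forgetting to exempt the
// login page itself is what turns "send unauthenticated users to /login"
// into an infinite redirect loop: /login redirects to /login, forever.
const PUBLIC_PATHS = ["/login", "/api/users/login"];

// The looping version: any request without the cookie is sent to /login,
// including requests for /login itself.
function gateNaive(_pathname: string, hasToken: boolean): Decision {
  return hasToken ? { action: "next" } : { action: "redirect", to: "/login" };
}

// The fixed version: public paths pass through; everything else requires the
// cookie to be present. The middleware only checks presence. It does not
// verify the JWT, because the edge runtime cannot rely on Node's crypto and
// because the Server Component rendering the page re-validates the session
// against Payload before it renders anything protected.
function gateFixed(pathname: string, hasToken: boolean): Decision {
  const isPublic = PUBLIC_PATHS.some(
    (p) => pathname === p || pathname.startsWith(p + "/"),
  );
  if (isPublic) return { action: "next" };
  return hasToken ? { action: "next" } : { action: "redirect", to: "/login" };
}

// Simulate a browser following redirects through the middleware. Returns the
// number of hops before a page is served, or -1 once the hop limit is hit,
// which is the point where a real browser shows "too many redirects".
function followRedirects(
  gate: (path: string, hasToken: boolean) => Decision,
  start: string,
  hasToken: boolean,
  limit = 20,
): number {
  let path = start;
  for (let hops = 0; hops <= limit; hops++) {
    const d = gate(path, hasToken);
    if (d.action === "next") return hops;
    path = d.to;
  }
  return -1;
}

// In middleware.ts the fixed gate wires up roughly like this (assumed cookie name):
//   const d = gateFixed(request.nextUrl.pathname,
//                       request.cookies.get("payload-token") !== undefined);
//   return d.action === "next"
//     ? NextResponse.next()
//     : NextResponse.redirect(new URL(d.to, request.url));
```

Running `followRedirects(gateNaive, "/admin", false)` never settles, while the fixed gate reaches `/login` in one hop; the JWT itself is still checked only on the server, never by reading the HTTP-only cookie from client code.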
We are moving past the era where engineering velocity is the bottleneck. The boilerplate gets written instantly. But securing the borders of your application—understanding the exact mechanics of your cookies, sessions, and server boundaries—remains a deeply human problem.
Going live with an AI stack doesn't mean you don't need to know how the system works. It means you have to know it intimately enough to catch the AI when it confidently builds a door with no lock.