In 2021, we made a decision that seemed crazy: build our own OAuth2 Single Sign-On system instead of using Devise. Three years and three Rails upgrades later, that “crazy” decision looks like strategic foresight.

This is the story of Heis Soma—our custom authentication service powering Prayer Nook and positioning us to serve the broader Christian ministry ecosystem. It’s about architectural decisions, technical tradeoffs, and the surprising ways that following standards can future-proof your applications.

We built ~2,000 lines of OAuth2-compliant code. Survived Rails 6.1 → 8.0 with minimal changes. Achieved 10x performance improvements through Rails 7’s multiple database connections. Served 1,000+ users with zero security incidents.

Was it worth the 200-hour investment? Yes—but not for everyone. Here’s when custom authentication makes sense, when it doesn’t, and what we learned from three years in production.