In 2025, at Rails g authentication from Kaigi on Rails 2025, developer Shinichi Maeshima presented an insightful talk on Rails 8’s new rails g authentication generator and its implications for how we build authentication in Rails apps.
Rails has long given developers the building blocks for authentication — has_secure_password, session cookies, and controller concerns — but until Rails 8, there was no canonical, built-in scaffold for tying them all together. That gap led many teams to rely on external gems like Devise.
Rails 8 changes that with an official generator that produces a sane, secure, and convention-based authentication system right out of the box. Let’s dive into what it generates, why it matters, and when you might prefer Devise or other solutions.
What rails g authentication Actually Generates
When you run:
rails generate authenticationrails db:migrateRails 8 sets up a basic authentication system comprised of a small, convention-driven set of models, controllers, views, and migration files.
At a high level, this includes:
✔️ Database Models
- User – holds user credentials and leverages has_secure_password for bcrypt hashing.
- Session – persists user sessions with tokens stored in the database.
- Current – based on ActiveSupport::CurrentAttributes to provide access to the currently authenticated user.
✔️ Controllers and Concerns
- Authentication Concern – encapsulates logic for login requirements, session resumption, and redirection.
- SessionsController – handles login and logout.
- PasswordsController – manages reset requests and updates.
✔️ Views
Basic forms for signing in and resetting passwords are included, uniformly following Rails conventions.
How It Works: Philosophy and Mechanics
Local Session Storage
Instead of depending solely on session cookies, Rails 8’s auth system persists session records in the database using a token stored in a signed cookie. This approach enables deeper introspection:
- Track IP or user agent metadata
- Invalidate sessions individually
- Improve security logging and auditing
This pattern is more robust than purely cookie-based sessions and gives apps better control over who is logged in and how.
Password Reset, Not Signup
Rails 8’s generator intentionally does not include a registration flow out of the box. This keeps the built-in system minimal and focused on secure authentication rather than user onboarding. For registration you’ll need to implement your own controller/view or use a template from the community.
No Third-Party Dependencies
The generator avoids external gems entirely, relying on Rails conventions and standard libraries. This means:
- No Devise
- No gems like Sorcery, Authlogic, or Auth0
- Better understanding and control of the code you ship
For many small to medium applications, this is more than sufficient.
Why This Is a Big Deal for Rails Developers
The introduction of a built-in authentication generator accomplishes several things:
💡 Reduces Barriers for Beginners
Before Rails 8, even basic authentication required stitching together helpers, bcrypt, and controller logic or importing gems that abstracted everything away.
Now, Rails provides a clear, documented starting point that shows how authentication works under the hood — a huge win for developers learning the framework.
This was a central message in Shinichi Maeshima’s Kaigi on Rails 2025 talk.
🧠 Encourages Security Best Practices
By default, the generated code incorporates:
- Secure password hashing via bcrypt
- Session persistence for better control
- A structured approach to resetting passwords
This is a step toward reducing security mistakes common when developers roll their own authentication.
🧩 Flexible Foundation
Because Rails does not impose everything you might need (like sign-up, roles, email confirmation, etc.), the generator gives you a foundation — not a complete system for every use case. That matters:
- You own your auth code
- You can extend it without fighting a gem API
- It remains lightweight
Devise: Still Relevant or Obsolete?
Short answer: Devise is still relevant — and necessary in many cases.
Rails 8’s generator does not replace Devise for projects that require:
- Complex signup flows
- Email confirmation
- Confirmation tokens and invitation systems
- Multi-factor authentication
- OAuth or third-party integrations
Devise remains the most comprehensive solution with a large ecosystem of plugins and community support.
However, Rails’s native generator is perfect if:
- You want a minimal, maintainable auth system
- You want to understand authentication internals
- You’re building a small app that doesn’t need every feature Devise offers
When to Use the Rails Built-in Authentication
Conclusion
Rails 8’s rails g authentication generator is a major enhancement for Rails developers. It brings a built-in, secure, and convention-first authentication system to the framework’s core — something many developers have cobbled together manually or avoided due to complexity.
Thanks to talks like Shinichi Maeshima’s at Kaigi on Rails 2025 — rails g authenticationから学ぶRails8.0時代の認証 — this new feature signals a renewed emphasis on teaching developers how to build Rails apps right instead of depending on abstractions.
Whether you stick with Devise or adopt the new built-in generator, Rails 8 gives you more clarity and control over how authentication works in your application — and that’s a win for everyone in the community.
Linking Ruby knowledge from the most remote places in the world. 