Anyone using Replit apps with Clerk/Auth0/FusionAuth for public file uploads?
Hey everyone, curious how others would think through this.
We’re working on a Replit-built app that would be public-facing for a short-term application/submission process. Users would fill out a form and upload files, then probably never use the app again. Volume should only be a few hundred submissions, but the app would still be exposed publicly.
The main concern raised internally is security around public file uploads, especially denial-of-service risk, junk file uploads, scanners/crawlers finding the app, and needing to track who is uploading what.
The current direction is to require authentication for non-internal users through a CIAM tool. We evaluated Clerk, Auth0, and FusionAuth, and Clerk seems like the preferred option so far. The plan would be something like:
●Public applicants create/login with email, Google, or SSO where available
●File size and number of uploads are limited per user
●Auth events/account creation get captured through webhooks
●Internal IAM/security team oversees the CIAM admin console
●The app is only live for a few months each year
For anyone who has done something like this in Replit, does this seem like the right general approach?
Mainly wondering:
1. Is Clerk a solid choice for this kind of temporary public submission app?
2. Are auth + upload limits enough to reduce the public upload risk?
3. Any Replit-specific gotchas with webhooks, file uploads, rate limits, storage, or production hosting?
4. Would you approach this differently?
Not looking for anyone to solve our exact setup, just trying to sanity-check the architecture and hear what the community would be cautious about.