Cloudlflare builds OAuth with Claude and publishes all the prompts

Original Article ↗ Hacker News Discussion ↗

Project and Process

  • Cloudflare published a Workers OAuth 2.1 provider largely generated by Claude, with all prompts and commit messages exposed.
  • The author describes starting as an AI skeptic, then finding Claude-generated code “pretty good” for this well-specified, standards-based task.
  • Every line was manually reviewed by experienced security engineers against RFCs; several commits explicitly note when humans had to correct Claude’s mistakes or override its decisions.
  • Reported result: a library that would have taken weeks or months by hand was produced in a few focused days of AI-assisted work, though elapsed calendar time was closer to a month.

How AI Was Used (and Where It Worked)

  • Best fit was greenfield, standards-driven code (OAuth, MCP integration) on a familiar platform (Cloudflare Workers, TypeScript).
  • AI handled boilerplate, test-writing, and routine transformations; humans guided architecture, storage schema, encryption design, and fixed edge-case bugs.
  • Many commenters report similar success for:
    • UI and CRUD apps (React, Tailwind, Android apps)
    • Quickly understanding unfamiliar codebases
    • Generating scaffolding and refactors when codebases are clean and modular

Limits, Bugs, and Need for Expertise

  • Commit history shows AI:
    • Introducing security-relevant mistakes (e.g., unnecessary key backups, schema choices), later corrected by humans.
    • Sometimes unable to fix a bug even after multiple prompts, forcing manual edits.
  • A serious redirect_uri validation bug was later reported as a CVE, reinforcing concerns that “thorough review” can still miss issues.
  • Consensus in the thread: for security-sensitive systems, you must already be expert enough to validate AI output; using AI without that expertise is dangerous.

Developer Experience and Productivity

  • Some engineers find AI-assisted coding clearly faster and liberating (“do the boring boilerplate for me”).
  • Others find it slower and more cognitively demanding: explaining intentions in natural language, reviewing unfamiliar AI code, and chasing hallucinations.
  • People distinguish:
    • “Vibe coding” for low-stakes personal tools, where sandboxes and guardrails are desirable.
    • “AI-assisted coding” for production systems, where meticulous human review, tests, and specs remain essential.

Jobs, Economics, and Culture

  • Long debate on whether AI will:
    • Reduce needed headcount (fewer engineers per product), or
    • Unlock huge latent demand for bespoke software, including non-programmers automating their own workflows.
  • Concern about eroding junior roles and “knowledge collapse” if AI replaces early-career learning-by-doing.
  • Several note that much online AI discourse is polarized; this project is seen as a concrete, nuanced case: real productivity gains, but also real risks and non-trivial oversight costs.