type: architecture
status: active
timestamp: 2026-06-20
tags: [architecture, auth, firebase, spark, layer-3]

Layer 3 — auth on Firebase Spark forever

Single Firebase project on the Spark plan, never Blaze; auth domain auth.oriz.in shared by every site and every extension.

Concept

The family runs ONE Firebase project (oriz-app) on the Spark plan, forever. Never Blaze. Spark’s failure mode is “service stops at quota”, the only failure mode that carries no financial exposure. The custom auth domain auth.oriz.in lets the same Firebase user sign in across every *.oriz.in site and every extension.
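A check that every site and extension really points at the one shared project and auth domain, as an added example that is not part of the original note. Only oriz-app and auth.oriz.in come from the page; the site names and the second project ID are constructed placeholders.

```javascript
// Added example. Only "oriz-app" and "auth.oriz.in" come from the page;
// site names and the second project ID are constructed placeholders.
const EXPECTED = { projectId: "oriz-app", authDomain: "auth.oriz.in" };

// Check one site's Firebase web config (the object passed to initializeApp).
function checkFirebaseConfig(site, config) {
  const problems = [];
  if (config.projectId !== EXPECTED.projectId) {
    // A different project means a separate user pool: no shared sign-in.
    problems.push(`${site}: projectId "${config.projectId}" is not the shared project`);
  }
  const domain = String(config.authDomain || "").toLowerCase();
  if (domain !== EXPECTED.authDomain) {
    // <project>.firebaseapp.com and <project>.web.app are the Firebase defaults.
    const kind = /\.(firebaseapp\.com|web\.app)$/.test(domain)
      ? "default Firebase"
      : "unexpected";
    problems.push(`${site}: ${kind} authDomain "${domain}", expected "${EXPECTED.authDomain}"`);
  }
  return problems;
}

// Run the check over a map of site name -> config and collect all findings.
function checkAll(configs) {
  return Object.entries(configs).flatMap(([site, cfg]) => checkFirebaseConfig(site, cfg));
}

// Constructed sample input: one correct config and two drifted ones.
const SAMPLE_CONFIGS = {
  "site-a.example": { projectId: "oriz-app", authDomain: "auth.oriz.in" },
  "site-b.example": { projectId: "oriz-app", authDomain: "oriz-app.firebaseapp.com" },
  "extension-c": { projectId: "other-project-placeholder", authDomain: "auth.oriz.in" },
};

for (const finding of checkAll(SAMPLE_CONFIGS)) console.log(finding);
```

Run in CI against each site's committed config so drift away from the shared project or auth domain fails the build.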

How it works

Why this shape

The 5-figure Firebase bill-shock incidents documented in 2025-2026 (simmer.io ~$98K, Tamara ~$70K, €54K Gemini key) all required Blaze. Cloud Spend Caps from Cloud Next ’26 are private preview AND don’t cover Firestore / Storage / Hosting. The Cyclenerd Terraform killswitch lags hours-to-days behind actual spend. Spark is the only Firebase tier where “card never on file” is enforced by Google itself.

Cross-refs

