What breaks when your startup hits 1,000 users

Not much in the product. A lot in auth. The specific things you'll hit in month N.

· LoginWith team

Between 100 and 1,000 users, you’re in the quietest zone a SaaS will ever see. Product metrics are legible, retention cohorts are meaningful, feedback loops are fast. But a few specific things bend in auth-land, and if you haven’t seen them before, each one eats a day or two of debug time.

1. Password reset support tickets

At 100 users you get maybe one password reset ticket a week. At 1,000, it’s 2-5 per week, and they’re the #1 support category. The drivers:

  • Users don’t know which email they signed up with
  • Users signed up with “sign in with Google” and now try to sign in with a password
  • Users change jobs and lose access to the verification email
  • Corporate email filters eat your reset emails

What to do:

  • Let users sign in with any known identifier (email, username, sometimes phone)
  • Clearly label “sign in with Google” users in the login UI: “this email signed up with Google — click here to sign in”
  • Add an alternate recovery method (backup email, security questions, or — better — passkeys)

2. Email deliverability degradation

At 1k users you start sending 1,000+ emails a month (resets, magic links, verification, digests). Gmail’s spam filter starts to notice the volume. If your sending domain reputation is low, deliverability drops from 99% to 85% overnight.

What to do:

  • Authenticate your sending domain: SPF, DKIM, DMARC (all three)
  • Warm up a new sending domain over weeks, not days
  • Monitor bounce and complaint rates via your ESP
  • Separate transactional (auth) from marketing (newsletters) sending domains — reputation shouldn’t cross
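The three records are easy to publish and just as easy to publish badly (a `+all` SPF, a DMARC left on `p=none` forever, a DKIM key with an empty `p=`). The checker below is an added example, not LoginWith's code: it audits the record strings for the mistakes that actually hurt deliverability. The sample records are constructed (the DKIM key is a placeholder), and in practice you would feed it the TXT records fetched from DNS for your sending domain, `selector._domainkey.<domain>` and `_dmarc.<domain>`.

```python
"""Sanity-check SPF, DKIM and DMARC TXT records for a sending domain.

Added example (not LoginWith's code). It works on record strings; the
sample records below are constructed stand-ins for real DNS answers.
"""
import re


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings for an SPF record; empty means it looks OK."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record (missing v=spf1)"]
    terms = record.split()[1:]
    if not terms:
        return ["SPF record has no mechanisms"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' lets anyone send as this domain")
    elif last not in ("-all", "~all"):
        findings.append("SPF should end with -all (fail) or ~all (softfail)")
    # RFC 7208 caps DNS-querying terms at 10; beyond that receivers return permerror.
    lookups = sum(
        1 for t in terms
        if re.match(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", t.lower())
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms; RFC 7208 allows 10")
    return findings


def check_dkim(record):
    """A DKIM record needs a non-empty p= tag; an empty one means 'key revoked'."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("unexpected v= tag; expected DKIM1")
    if not tags.get("p"):
        findings.append("p= is missing or empty: the key is revoked, so signatures will not verify")
    return findings


def check_dmarc(record):
    """Check that DMARC has a real policy and an address to send reports to."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= tag missing or invalid; DMARC requires a policy")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine/reject once reports are clean")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports go nowhere")
    return findings


def audit(records):
    """Run all three checks over a {'spf': ..., 'dkim': ..., 'dmarc': ...} mapping."""
    return {
        "spf": check_spf(records.get("spf", "")),
        "dkim": check_dkim(records.get("dkim", "")),
        "dmarc": check_dmarc(records.get("dmarc", "")),
    }


# Constructed sample records; the DKIM public key is a placeholder, not a real key.
SAMPLE = {
    "spf": "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

Run against the sample, SPF and DKIM pass and DMARC is flagged for `p=none`, which is the state most young domains get stuck in: monitoring mode is the right place to start a warm-up, but receivers only treat the domain as protected once the policy moves to quarantine or reject.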

3. OAuth app quotas

Google OAuth apps in “testing” mode are capped at 100 users. The day you hit 101, new sign-ups fail silently. You need to either publish the app (2-6 week verification for certain scopes) or add users manually.

What to do:

  • Publish your OAuth app before you need to. Apply for verification weeks in advance.
  • Check which scopes the app requests: if you asked for sensitive scopes (Gmail, Drive), verification takes longer than for the basic openid, profile and email scopes.

4. Session table bloat

At 1,000 users with 30-day session lifetime, your sessions table has maybe 10,000 rows — still fine. But if you never clean up expired rows, it grows forever.

What to do:

  • Add a nightly DELETE for expired sessions
  • Index on (user_id, expires_at) for “active sessions for user”
  • Monitor table size as a dashboard metric
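Here is the whole of section 4 in one runnable piece: the table, the index, the nightly purge and the size metric. It is an added example, not LoginWith's code; an in-memory SQLite database stands in for the real one, and the schema, column names and batch size are assumptions. One detail the bullets above do not mention: the `(user_id, expires_at)` index serves the "active sessions for user" query, but a `DELETE ... WHERE expires_at <= now` needs `expires_at` as the leading column, so the purge job gets its own index.

```python
"""Sessions table with an expiry index and a batched nightly purge.

Added example (not LoginWith's code). SQLite in memory stands in for the
production database; schema and batch size are assumptions.
"""
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS sessions (
    token_hash TEXT PRIMARY KEY,   -- store a hash of the cookie value, never the raw token
    user_id    INTEGER NOT NULL,
    created_at TEXT NOT NULL,      -- ISO 8601 UTC, so string comparison == time comparison
    expires_at TEXT NOT NULL
);
-- "active sessions for user": equality on user_id, range on expires_at
CREATE INDEX IF NOT EXISTS sessions_user_expires ON sessions (user_id, expires_at);
-- the purge job scans by expiry alone, which the composite index cannot serve
CREATE INDEX IF NOT EXISTS sessions_expires ON sessions (expires_at);
"""


def iso(dt):
    """Fixed-width UTC timestamp so lexicographic order matches chronological order."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_session(conn, user_id, now, lifetime=timedelta(days=30)):
    """Issue a random token, persist only its hash, return the token to set as a cookie."""
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO sessions (token_hash, user_id, created_at, expires_at) VALUES (?, ?, ?, ?)",
        (hashlib.sha256(token.encode()).hexdigest(), user_id, iso(now), iso(now + lifetime)),
    )
    return token


def active_sessions(conn, user_id, now):
    """Count of unexpired sessions for one user (uses sessions_user_expires)."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sessions WHERE user_id = ? AND expires_at > ?",
        (user_id, iso(now)),
    ).fetchone()
    return row[0]


def purge_expired(conn, now, batch=1000):
    """Nightly job: delete expired rows in batches so no single statement holds locks for long."""
    deleted = 0
    while True:
        cur = conn.execute(
            "DELETE FROM sessions WHERE rowid IN "
            "(SELECT rowid FROM sessions WHERE expires_at <= ? LIMIT ?)",
            (iso(now), batch),
        )
        conn.commit()
        deleted += cur.rowcount
        if cur.rowcount < batch:
            return deleted


def table_size(conn):
    """The number to put on the dashboard."""
    return conn.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]


def demo():
    """Constructed load: 200 users x 10 sessions, half of them already expired."""
    conn = open_db()
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for user_id in range(1, 201):
        for i in range(10):
            # odd-numbered sessions were created 45 days ago, so they expired 15 days ago
            age = timedelta(days=45 if i % 2 else 5)
            create_session(conn, user_id, now - age)
    before = table_size(conn)
    deleted = purge_expired(conn, now, batch=300)
    return before, deleted, table_size(conn), active_sessions(conn, 1, now)


if __name__ == "__main__":
    print("rows before, deleted, rows after, active for user 1:", demo())
```

Schedule `purge_expired` from cron or your job runner and graph `table_size` next to it: a purge that stops deleting, or a size that keeps climbing after the purge, is the signal that the job has silently broken.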

5. Weird abuse patterns

At 1,000 users, you’re a target. Small, but a target. You’ll see:

  • Your sign-up and login forms being scraped and then hit with credential-stuffing runs using passwords leaked from other sites
  • OAuth flows being abused to harvest emails (someone enumerates users by checking “does this email exist” via your sign-up form)
  • Rate-limited endpoints being retried from residential proxy networks

What to do:

  • Add signup captcha (even a simple Turnstile is enough)
  • Rate-limit sign-up by IP and by email domain
  • Log failed auth attempts and alert on anomalies
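The rate limits and the enumeration problem from the list above fit in one small guard. The code below is an added example, not LoginWith's code: a sliding-window limiter keyed on client IP and on e-mail domain, a sign-up handler that returns the same response whether or not the address is already registered, and a failed-login counter that reports when an IP crosses an alert threshold. The in-memory counters and the `existing_users` set are stand-ins for a shared store (Redis, the user table), and the limits are assumptions to tune against your own traffic.

```python
"""Sign-up throttling by IP and e-mail domain, enumeration-safe responses,
and failed-login alerting.

Added example (not LoginWith's code). In-memory state stands in for a shared
store; the limits are assumptions.
"""
from collections import defaultdict, deque
import time


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key, now):
        queue = self.events[key]
        while queue and queue[0] <= now - self.window:
            queue.popleft()  # drop events that fell out of the window
        if len(queue) >= self.limit:
            return False
        queue.append(now)
        return True


class SignupGuard:
    def __init__(self, existing_users):
        self.existing = {e.lower() for e in existing_users}
        self.per_ip = SlidingWindowLimiter(limit=5, window=3600)      # assumed limits
        self.per_domain = SlidingWindowLimiter(limit=50, window=3600)
        self.failures = SlidingWindowLimiter(limit=20, window=600)    # alert threshold
        self.audit_log = []

    def _log(self, event, ip, domain, now):
        # Log the domain, not the full address, to keep PII out of the audit trail.
        self.audit_log.append({"event": event, "ip": ip, "domain": domain, "ts": now})

    def signup(self, ip, email, now=None):
        now = time.time() if now is None else now
        email = email.strip().lower()
        domain = email.rsplit("@", 1)[-1]
        if not self.per_ip.allow(ip, now) or not self.per_domain.allow(domain, now):
            self._log("signup_throttled", ip, domain, now)
            return {"status": 429, "body": "Too many attempts, please try again later"}
        if email in self.existing:
            # Address already registered: e-mail the owner a "you already have an
            # account" note instead of telling the requester anything.
            self._log("signup_existing_email", ip, domain, now)
        else:
            self._log("signup_created", ip, domain, now)
            self.existing.add(email)
        # Identical response either way, so the form cannot be used to enumerate users.
        return {"status": 200, "body": "Check your inbox to finish signing up"}

    def record_failed_login(self, ip, now=None):
        """Log a failed login; return True when the IP crosses the alert threshold."""
        now = time.time() if now is None else now
        self._log("login_failed", ip, None, now)
        return not self.failures.allow(ip, now)


if __name__ == "__main__":
    guard = SignupGuard({"alice@example.com"})
    print(guard.signup("203.0.113.5", "bob@example.com"))    # constructed sample IP
    print(guard.signup("203.0.113.5", "alice@example.com"))  # same response, address exists
    for _ in range(21):
        alert = guard.record_failed_login("203.0.113.5")
    print("alert:", alert)
```

The same principle applies to the login-page hint from section 1: telling an unauthenticated visitor that "this email signed up with Google" is itself an enumeration oracle, so put that hint behind the same throttling, or show it only after the visitor has submitted a password. The `audit_log` entries are what you forward to your log pipeline; a `login_failed` burst from one IP, or many `signup_throttled` events for one domain, is the anomaly the alert bullet above is about.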

The pattern

At 1,000 users, nothing is catastrophic. Everything is “a paper cut that’s becoming a scar.” Address them one by one, ideally proactively, and you arrive at 10k users with the auth system still boring.

Want auth that just works?

Get started with LoginWith