Popular Rails authentication gem for password resets, sessions, registration and user management. Has a love-hate reputation: per Ivan Nemytchenko's wroclove.rb 2018 audience survey, 40% of respondents consider it a good thing, 36% consider it evil, and the rest think it's just complicated. Called out in Counterintuitive Rails pt. 1 as an MVC violation because it injects authentication concerns into models. Nick Sutterer's Tyrant is positioned as a Trailblazer-based replacement. Rafał Rothenberger's wroclove.rb 2022 talk documents security pitfalls: Devise misuses bcrypt (a password-hashing function with a 72-byte input limit) by allowing 128-char passwords by default and appending its optional pepper at the end, which enables byte-by-byte pepper leakage via crafted registrations and logins. Mostly designed for view-based apps — APIs typically need devise_token_auth or similar.
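The interaction between the 72-byte limit and the appended pepper, as an added Ruby example (not Devise's code and not taken from the talk) that a defender can use to check a password-length policy. Truncation is modelled with `byteslice` instead of calling bcrypt; the function names and `PEPPER` value are hypothetical and constructed for illustration.

```ruby
# Added example: models bcrypt's 72-byte input limit in plain Ruby (no bcrypt gem).
BCRYPT_MAX_BYTES = 72

# Bytes bcrypt would actually hash when the pepper is appended after the password.
def effective_bcrypt_input(password, pepper)
  "#{password}#{pepper}".b.byteslice(0, BCRYPT_MAX_BYTES)
end

# How many pepper bytes survive truncation for this password.
def pepper_bytes_hashed(password, pepper)
  room = BCRYPT_MAX_BYTES - password.bytesize
  room.clamp(0, pepper.bytesize)
end

# Largest password, in bytes, that still lets the whole pepper be hashed.
def max_safe_password_bytes(pepper)
  [BCRYPT_MAX_BYTES - pepper.bytesize, 0].max
end

# Check to run before hashing: returns a list of problems (empty when fine).
def password_length_problems(password, pepper)
  problems = []
  limit = max_safe_password_bytes(pepper)
  problems << "pepper alone fills bcrypt's input" if limit.zero?
  if password.bytesize > limit
    hashed = pepper_bytes_hashed(password, pepper)
    problems << "password is #{password.bytesize} bytes (limit #{limit}); " \
                "only #{hashed} of #{pepper.bytesize} pepper bytes are hashed"
  end
  problems
end

PEPPER = "constructed-pepper-0123456789abcd" # constructed sample value, 33 bytes
```

Capping the password's `bytesize` at `max_safe_password_bytes` keeps the whole pepper inside the hashed input. The check counts bytes, not characters, because a 128-character password can be far longer than 128 bytes.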