Yeah, unfortunately there are still some sharp edges. Was there a particular reason you decided to use the unreleased version of Phoenix 1.6 instead of using the current version of phx_gen_auth (from https://github.com/aaronrenner/phx_gen_auth/)? There's a decent bit of documentation there too.

I haven't used guardian (not a fan of JWT) so I can't comment on it.