DonggangChen

better_auth

# Install this skill:
npx skills add DonggangChen/antigravity-agentic-skills --skill "better_auth"

Install specific skill from multi-skill repository

# Description

The ultimate authentication and authorization skill. Implement login, signin, signup, registration, OAuth, 2FA, MFA, passkeys, and user session management. Secure your application with RBAC and access control.

# SKILL.md


name: better_auth
router_kit: SecurityKit
description: The ultimate authentication and authorization skill. Implement login, signin, signup, registration, OAuth, 2FA, MFA, passkeys, and user session management. Secure your application with RBAC and access control.
license: MIT
version: 2.1.0
metadata:
  skillport:
    category: cybersecurity
    tags: [accessibility, api integration, backend, better auth, browser apis, client-side, components, css3, debugging, deployment, frameworks, frontend, fullstack, html5, javascript, libraries, node.js, npm, performance optimization, responsive design, seo, state management, testing, typescript, ui/ux, web development] - access-control


Better Auth Skill

Better Auth is a comprehensive, framework-agnostic authentication and authorization framework for TypeScript, with built-in email/password and social OAuth support and a plugin ecosystem for advanced features.

When to Use

  • Implementing auth in TypeScript/JavaScript applications
  • Adding email/password or social OAuth authentication
  • Setting up 2FA, passkeys, magic links, advanced auth features
  • Building multi-tenant apps with organization support
  • Managing sessions and user lifecycle
  • Working with any framework (Next.js, Nuxt, SvelteKit, Remix, Astro, Hono, Express, etc.)

Quick Start

Installation

npm install better-auth
# or pnpm/yarn/bun add better-auth

Environment Setup

Create .env:

BETTER_AUTH_SECRET=<generated-secret-32-chars-min>
BETTER_AUTH_URL=http://localhost:3000
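
A pre-flight check for the variables above, as an added example that is not part of the skill or of Better Auth: `validateAuthEnv`, its rules and the placeholder pattern are assumptions chosen for illustration. It flags a missing, short or placeholder secret, a non-HTTPS or localhost URL in production, and a half-configured GitHub provider.

```typescript
// Added example: pre-flight check for the Better Auth environment variables.
// Rule names and thresholds are assumptions, not Better Auth behaviour.
type Env = Record<string, string | undefined>;

// Placeholder-looking values that get committed by accident (constructed list).
const PLACEHOLDER = /^(<.*>|changeme|secret|your[-_ ]?secret.*|x+)$/i;

function validateAuthEnv(env: Env, production: boolean): string[] {
  const problems: string[] = [];
  const secret = env.BETTER_AUTH_SECRET ?? "";
  if (secret.length === 0) {
    problems.push("BETTER_AUTH_SECRET is not set");
  } else {
    if (secret.length < 32) problems.push("BETTER_AUTH_SECRET is shorter than 32 characters");
    if (PLACEHOLDER.test(secret)) problems.push("BETTER_AUTH_SECRET looks like a placeholder");
    // A long value built from very few distinct characters is still guessable.
    if (new Set(secret.split("")).size < 10) {
      problems.push("BETTER_AUTH_SECRET has too few distinct characters");
    }
  }

  let url: URL | null = null;
  try { url = new URL(env.BETTER_AUTH_URL ?? ""); } catch { url = null; }
  if (url === null) {
    problems.push("BETTER_AUTH_URL is missing or not an absolute URL");
  } else if (production) {
    if (url.protocol !== "https:") problems.push("BETTER_AUTH_URL must use https in production");
    if (["localhost", "127.0.0.1", "[::1]"].includes(url.hostname)) {
      problems.push("BETTER_AUTH_URL points at localhost in production");
    }
  }

  // auth.ts reads the GitHub values with a non-null assertion (!), so a missing
  // one would otherwise surface only when a user tries to sign in.
  if (Boolean(env.GITHUB_CLIENT_ID) !== Boolean(env.GITHUB_CLIENT_SECRET)) {
    problems.push("GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET must be set together");
  }
  return problems;
}
```

Call it at startup with `process.env` and refuse to boot when the returned list is non-empty.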

Basic Server Setup

Create auth.ts (root, lib/, utils/, or under src/app/server/):

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  database: {
    // See references/database-integration.md
  },
  emailAndPassword: {
    enabled: true,
    autoSignIn: true
  },
  socialProviders: {
    github: {
      clientId: process.env.GITHUB_CLIENT_ID!,
      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
    }
  }
});

Database Schema

npx @better-auth/cli generate  # Generate schema/migrations
npx @better-auth/cli migrate   # Apply migrations (Kysely only)

Mount API Handler

Next.js App Router:

// app/api/auth/[...all]/route.ts
import { auth } from "@/lib/auth";
import { toNextJsHandler } from "better-auth/next-js";

export const { POST, GET } = toNextJsHandler(auth);

Other frameworks: See references/email-password-auth.md#framework-setup

Client Setup

Create auth-client.ts:

import { createAuthClient } from "better-auth/client";

export const authClient = createAuthClient({
  baseURL: process.env.NEXT_PUBLIC_BETTER_AUTH_URL || "http://localhost:3000"
});

Basic Usage

// Sign up
await authClient.signUp.email({
  email: "user@example.com",
  password: "secure123",
  name: "John Doe"
});

// Sign in
await authClient.signIn.email({
  email: "user@example.com",
  password: "secure123"
});

// OAuth
await authClient.signIn.social({ provider: "github" });

// Session
const { data: session } = authClient.useSession(); // React/Vue/Svelte hook
// Vanilla JS alternative (use one or the other in a given scope):
// const { data: session } = await authClient.getSession();

Feature Selection Matrix

| Feature | Plugin Required | Use Case | Reference |
| --- | --- | --- | --- |
| Email/Password | No (built-in) | Basic auth | email-password-auth.md |
| OAuth (GitHub, Google, etc.) | No (built-in) | Social login | oauth-providers.md |
| Email Verification | No (built-in) | Verify email addresses | email-password-auth.md |
| Password Reset | No (built-in) | Forgot password flow | email-password-auth.md |
| Two-Factor Auth (2FA/TOTP) | Yes (twoFactor) | Enhanced security | advanced-features.md |
| Passkeys/WebAuthn | Yes (passkey) | Passwordless auth | advanced-features.md |
| Magic Link | Yes (magicLink) | Email-based login | advanced-features.md |
| Username Auth | Yes (username) | Username login | email-password-auth.md |
| Organizations/Multi-tenant | Yes (organization) | Team/org features | advanced-features.md |
| Rate Limiting | No (built-in) | Prevent abuse | advanced-features.md |
| Session Management | No (built-in) | User sessions | advanced-features.md |

Auth Method Selection Guide

Choose Email/Password when:
- Building standard web app with traditional auth
- Need full control over user credentials
- Targeting users who prefer email-based accounts

Choose OAuth when:
- Want quick signup with minimal friction
- Users already have social accounts
- Need access to social profile data

Choose Passkeys when:
- Want passwordless experience
- Targeting modern browsers/devices
- Security is top priority

Choose Magic Link when:
- Want passwordless without WebAuthn complexity
- Targeting email-first users
- Need temporary access links

Combine Multiple Methods when:
- Want flexibility for different user preferences
- Building enterprise apps with various auth requirements
- Need progressive enhancement (start simple, add more options)

Core Architecture

Better Auth uses a client-server architecture:
1. Server (better-auth): Handles auth logic, database ops, API routes
2. Client (better-auth/client): Provides hooks/methods for frontend
3. Plugins: Extend both server/client functionality

Implementation Checklist

  • [ ] Install better-auth package
  • [ ] Set environment variables (SECRET, URL)
  • [ ] Create auth server instance with database config
  • [ ] Run schema migration (npx @better-auth/cli generate)
  • [ ] Mount API handler in framework
  • [ ] Create client instance
  • [ ] Implement sign-up/sign-in UI
  • [ ] Add session management to components
  • [ ] Set up protected routes/middleware
  • [ ] Add plugins as needed (regenerate schema after)
  • [ ] Test complete auth flow
  • [ ] Configure email sending (verification/reset)
  • [ ] Enable rate limiting for production
  • [ ] Set up error handling

Reference Documentation

Core Authentication

Advanced Features

  • Advanced Features - 2FA/MFA, passkeys, magic links, organizations, rate limiting, session management

Scripts

  • scripts/better_auth_init.py - Initialize Better Auth configuration with interactive setup

Resources

  • Docs: https://www.better-auth.com/docs
  • GitHub: https://github.com/better-auth/better-auth
  • Plugins: https://www.better-auth.com/docs/plugins
  • Examples: https://www.better-auth.com/docs/examples

Better Auth v2.1.1 - Enhanced

🔄 Workflow

Source: Better Auth Docs

Phase 1: Setup & Config

  • [ ] Install: Install package and set .env (Source of Truth).
  • [ ] Client/Server: Create auth.ts (Server) and auth-client.ts (Client) files.
  • [ ] Database: Create schema and migrate.

Phase 2: Method Implementation

  • [ ] Strategy: Select Email/Pass, OAuth or Magic Link.
  • [ ] UI Integration: Bind frontend forms to authClient methods.
  • [ ] Protection: Protect pages with Middleware or Hook.
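
One way to structure the protection step, as an added example rather than code from the skill or from Better Auth: a default-deny decision function that takes the result of the server-side session lookup (`null` when there is no session or the lookup failed). The `Session` shape, the route prefixes and the function names are assumptions.

```typescript
// Added example: default-deny page guard. The Session shape and routes are
// assumptions for illustration, not Better Auth's own types or paths.
type Session = { userId: string; expiresAt: number } | null;
type Decision = { allow: true } | { allow: false; redirectTo: string };

// Only these routes are reachable without a session; everything else is protected.
const PUBLIC_PREFIXES = ["/login", "/signup", "/api/auth/"]; // assumed layout

// `path` is the URL pathname only (no query string).
function isPublic(path: string): boolean {
  // Never treat a path with ".." segments as public: "/api/auth/../admin"
  // would otherwise match the public prefix before the router normalises it.
  if (path.split("/").includes("..")) return false;
  if (path === "/") return true;
  return PUBLIC_PREFIXES.some((p) =>
    p.endsWith("/") ? path.startsWith(p) : path === p || path.startsWith(p + "/"));
}

// Accept only same-site relative paths as the post-login target (no open redirect).
function safeNext(path: string): string {
  const ok = path.startsWith("/") && !path.startsWith("//")
    && !path.includes("\\") && !/[\r\n]/.test(path);
  return ok ? path : "/";
}

// `session` is whatever the server-side lookup returned; pass null when the
// lookup failed so that errors fail closed.
function decide(path: string, session: Session, now: number): Decision {
  if (isPublic(path)) return { allow: true };
  if (session !== null && session.expiresAt > now) return { allow: true };
  return { allow: false, redirectTo: "/login?next=" + encodeURIComponent(safeNext(path)) };
}
```

Run the decision on the server for every request; a client-side session hook controls what is rendered, not what is reachable.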

Phase 3: Verification

  • [ ] Flow Test: Sign-up -> Sign-in -> Session Check -> Sign-out.
  • [ ] Error Handling: Test wrong password/email scenarios.

Checkpoints

| Phase | Verification |
| --- | --- |
| 1 | BETTER_AUTH_SECRET and BETTER_AUTH_URL are defined |
| 2 | user and session tables created in database |
| 3 | Middleware prevents unauthorized access to protected pages |
