1. If I am using Supabase for DB, should I use Supabase auth or use Better auth which would anyways use Supabase DB for saving data.
2. When using Supabase auth, they don't give access to the auth.users table and for saving additional user details like country we need a separate profiles table. If I use Better-auth what should be the approach for saving additional details?
3. How is Better Auth Infrastructure different from Clerk or Supabase auth?
bekacru 2 minutes ago [-]
1. Depends on whether you need RLS or not. We're working on improving the Better Auth + Supabase RLS story by collaborating with them, but if you're not relying on RLS for authorization, I’d go with Better Auth. You’ll get more features, and it’ll feel more integrated with your backend rather than your database. Plus, if you ever want to switch database providers you can.
2. Yeah, you’d need to migrate to Better Auth and move your user table to your main schema. We have a migration guide for Supabase.
3. It’s just additional features built on top of the framework, not a 3rd party auth service. You’ll still use the framework, and when you need those features, you can connect it to the infra to enable them.
jamesjulich 1 days ago [-]
A few months ago, I found a security vulnerability for better-auth. Within 24 hours of reporting the vulnerability to the team, it was patched, a notice had been posted, and I had been credited with a CVE. THAT is how you do it, folks!
This team is top notch. The community leadership, responsiveness, and development speed have been incredible. The project itself is also great--this library is so much more flexible than others and requires much less effort to wrap my brain around. I'm so happy that this library is getting the recognition it deserves.
nikcub 1 days ago [-]
Congrats on the launch! Better Auth has a level of universal love from developers that's really seen.
Just one suggestion - remove the F-bombs from the testimonials on your homepage. There are various firewall intel providers that will put you on the bad lists because of this. You usually learn this the hard way :/
bekacru 22 hours ago [-]
Thanks for the kind note! And good suggestion. I was meaning to update that for a while.
macklemoreshair 22 hours ago [-]
One of our devs evaluated you guys and loved it and I do too, but you guys don’t have SCIM support which makes it really hard for us to justify moving to it. We moved to an arguably inferior product because telling our product team “you’ll get scim” as part of an auth overhaul is an easier conversation. If you want enterprise customers, I’d recommend nailing down your enterprise feature set~ but the good news is that our devs liked your model the most so it’s just a matter of work for you guys to expand your functionality!
- Federated sign-in/out? In next-auth, it is a giant pain to implement: https://github.com/nextauthjs/next-auth/discussions/3938
- Automated refreshing of JWT tokens on the client-side? I always end up having to implement my own logic around this. The big problem is if you have multiple API calls going out and they all require JWT auth, you need to check the JWT validity and block the calls until it is refreshed. In next-auth on the server-side, this is impossible to do since that side is generally stateless, and so you end up with multiple refresh calls happening for the same token.
- The ability to have multiple auth sessions at once, like in a SaaS app where you might belong to multiple accounts / organizations (your intro paragraph sounds like it does)
- Handle how multiple auth sessions are managed if the user happens to open up multiple tabs and swaps accounts in another tab
- Account switching using a Google provider? This seems to be a hard ask for providers like FusionAuth and Cognito. You can't use the Google connector directly but instead use a generic OAuth2 connector where you can specify custom parameters when making the initial OAuth2 flow with Google. The use-case is when a user clicks on the Google sign-in button, it should go to the Google account switcher / selector instead of signing in the user immediately if they have an existing signed-in Google session.
bekacru 1 days ago [-]
- Not right now, but there’s already an open issue and a PR in progress.
- We don’t use JWTs directly, and sessions always require state (it’s not stateless). And yeah, both the client and server handle automatic session refresh.
- Yes, we support both multiple sessions or having different organizations open in different tabs: https://www.better-auth.com/docs/plugins/multi-session
- Yes, that’s possible, you just need to set the `prompt` parameter to `select_account`
theogravity 20 hours ago [-]
As another asked, "why?" on no JWT? It makes interfacing with our API servers so much easier as we don't need to maintain infra for sessions and wouldn't be limited by the 4kb limit for sending cookies.
There is a plugin provided by better auth for jwt https://www.better-auth.com/docs/plugins/jwt
We don't need it since everything is a single "server" and cookies are good enough. JWT would be added complexity (e.g. sign out) which I find better not to set as a default.
bonus reading http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-fo...
Evidently they prefer to be less secure by default.
portaouflop 9 hours ago [-]
JWTs aren’t less or more secure by default; see the comments posted above.
timpetri 20 hours ago [-]
How did you resolve the multiple refresh calls issue? Do you use swr hooks on the front end? Been thinking about how to do this myself.
theogravity 20 hours ago [-]
No hooks on the FE side. We use a global lock via a promise. Our API clients are not tied to react in any way.
For all API calls, if the lock is not set, it checks if the JWT is still valid. If it is not, then the lock is set by assigning a new promise to it and saving the resolve call as an external variable to be called after the refresh is done (which resolves the held promise on the other calls, allowing the latest token to be used).
All calls await the lock; it either waits for the refresh to complete or just moves on and performs validation with the currently set token.
Looks like this:
- await on lock; if the lock has been resolved, will just continue on
- Check for JWT validity via exp check (the API server itself would be responsible for checking signature and other validity factors); if not valid, update lock with a new promise and hold the resolver. Perform refresh. Release lock by resolving the promise.
- Use current / refreshed JWT for API call
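The promise-based refresh lock described in the comment above, written out as an added example (this is not theogravity's code, nor Better Auth's). It assumes an injected `fetchNewToken` function that calls your refresh endpoint, and uses unsigned, constructed JWTs purely so the demo runs offline.

```javascript
// Added example, not code from the thread or from Better Auth: a promise-based
// "refresh lock" that lets many concurrent API calls share one token refresh.
// `fetchNewToken` is an assumed, injected function that calls your refresh endpoint.

// Build an unsigned (alg "none") JWT for offline demos. Constructed test data only:
// a real API server must never accept alg "none".
function makeUnsignedJwt(expSeconds) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc({ sub: "demo", exp: expSeconds })}.`;
}

// Read the `exp` claim (seconds since epoch) without verifying the token. The client
// only needs to know when to refresh; signature checks stay on the API server.
function jwtExp(token) {
  const payload = (token || "").split(".")[1];
  if (!payload) return 0;
  const b64 = payload.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  try {
    const claims = JSON.parse(atob(padded));
    return Number.isFinite(claims.exp) ? claims.exp : 0;
  } catch {
    return 0; // malformed token: treat as expired so it gets refreshed
  }
}

// Expire `skewSeconds` early so a request does not reach the server with a token
// that dies mid-flight.
function isExpired(token, nowMs = Date.now(), skewSeconds = 30) {
  return jwtExp(token) * 1000 <= nowMs + skewSeconds * 1000;
}

function createTokenManager({ initialToken, fetchNewToken, now = Date.now }) {
  let token = initialToken;
  let lock = null;       // pending Promise while a refresh is in flight, else null
  let refreshCount = 0;  // how many times fetchNewToken actually ran

  async function getToken() {
    // Step 1: every caller awaits the lock; a no-op when no refresh is running.
    if (lock) await lock;
    // Step 2: exp check. If valid (perhaps because a refresh just finished), use it.
    if (!isExpired(token, now())) return token;
    if (lock) {
      // Another waiter already took the lock (e.g. after a failed refresh); wait for it.
      await lock;
      return token;
    }
    // First expired caller: take the lock and hold the resolver until the refresh is done.
    let release;
    lock = new Promise((resolve) => { release = resolve; });
    try {
      refreshCount += 1;
      token = await fetchNewToken();
    } finally {
      lock = null; // release even if the refresh failed, so waiters can retry
      release();
    }
    return token;
  }

  // Step 3: use the current or refreshed token on the API call.
  async function authHeaders() {
    return { Authorization: `Bearer ${await getToken()}` };
  }

  return { getToken, authHeaders, refreshes: () => refreshCount, current: () => token };
}

// Simulate the problem the comment describes: N calls fire while the token is expired.
// Returns how many refreshes happened (expected: exactly 1) and the tokens handed out.
async function demoConcurrentRefresh(parallelCalls = 5) {
  const nowSec = Math.floor(Date.now() / 1000);
  const manager = createTokenManager({
    initialToken: makeUnsignedJwt(nowSec - 60),               // already expired
    fetchNewToken: async () => makeUnsignedJwt(nowSec + 3600), // fresh for an hour
  });
  const tokens = await Promise.all(
    Array.from({ length: parallelCalls }, () => manager.getToken())
  );
  return { refreshes: manager.refreshes(), tokens };
}
```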
primitivesuave 1 days ago [-]
Better Auth is awesome and I didn't even realize they hadn't publicly launched yet - I'm using it in production apps, and have seen it being used in all kinds of real-world use cases. IMO it's the best open-source option for a TypeScript developer who wants to implement authentication.
About the dashboard - would this just be an interface to my existing Better Auth setup (e.g. if I had customized the underlying data storage) or are you hosting credentials yourself?
You have my sincerest gratitude for building this incredibly useful library and documenting it so well.
bekacru 1 days ago [-]
Thanks for the kind words - really appreciate it! And yes, it connects directly to your existing setup (the dashboard is mostly just a UI). What you’re really “buying” from us are the additional features on the dashboard like bot protection, analytics, etc., when you need them. We’re still figuring out the pricing, but most likely, the base dashboard will just be free ;)
primitivesuave 1 days ago [-]
Awesome! I used Better Auth for consulting work helping clients build MVPs, and if I could hand them a beautiful admin dashboard rather than linking it up to Retool or their BI tool of choice, they would instantly go for it - especially with all the bot protection and analytics features that I don't have time to build.
One of the reasons I prefer BA is because I retain a lot of flexibility with designing the rest of the system around the authentication. So for example, if I want to have an additional column per user, it's a lot easier to wrap my head around adding a new Postgres column than using some API for appending data to a user in Cognito/Auth0/Okta/etc in some rigid format.
It's a shame I didn't add more providers there since then!
catapart 1 days ago [-]
Sold!
I've been waiting for something like this for the last year or so. There's so much that's SO CLOSE, but nothing quite as simple as "npm install -> add necessary config -> npm publish". That's what I've been waiting for and that's what it looks like you are offering here.
Very excited to spin up a new Hostinger VPS and slap this on there to provide syncing for local-first apps. If it's as easy as your docs make it seem, this will save a ton of time and headaches!
twodave 23 hours ago [-]
Is there support for dynamic sign in provider urls? One of the deal breakers (in addition to federated sign in/sign out being a pain) for us with next-auth was that we have certain customers whose security requirements include pointing subdomains that they own at our servers. So we would need to be able to use some logic to determine where the sign-in redirect should take a given user.
bekacru 22 hours ago [-]
Yes. You should check the SSO plugin which would allow you to store the config in your db and retrieve it dynamically.
davedx 1 days ago [-]
Sounds great! I'm interested to hear, how does this solution compare with open source, self-hosted authn components like Keycloak and Ory Kratos? While it's a bit more leg work integrating those, I've found that it's useful that they're self-contained and run in their own environment/container; but I have also sometimes wished that the data was more tightly integrated with my own application, which I guess is what you're aiming for.
bekacru 1 days ago [-]
Yes, that’s exactly what we’re aiming for. I think there are many reasons to tightly couple auth with your app. As you said, self-hosting auth servers and integrating them often isn’t a fun experience and that’s one of the reasons 3rd party auth providers became so popular.
In the JavaScript/TypeScript ecosystem, libraries like NextAuth still have a huge number of users for the same reason: ease of use. And with the rise of full-stack TypeScript apps where both the frontend and backend live together and share a strong type system, it makes even more sense to keep all your context in one place.
That said, if you ever decide to self-host Better Auth in a dedicated container, you still can.
gardnr 1 days ago [-]
Most people will reach for BetterAuth when they would reach for NextAuth. Basically, when you want to integrate OIDC or SSO of some kind.
Back when I was looking at it a couple of months ago, the big thing that popped out was that BetterAuth supports email and password out of the box, where NextAuth seems to have a preachy disclaimer about how email and password is inherently insecure, so they leave you to your own devices to implement password hashing and the like.
That did give a sense that NextAuth was the first to dominate the space and feels as though they can dictate morals.
BetterAuth seems to be a bit more developer-focused.
koakuma-chan 1 days ago [-]
> where NextAuth seems to have a preachy disclaimer about how email and password is inherently insecure
Yeah I needed a login & password auth last Friday and I was so frustrated with NextAuth I ended up using nginx to set up http basic auth.
XavierPladevall 1 days ago [-]
Super happy users :) Agree w/ what everyone has said. For us an extra benefit is the ability to host our user data in our own DB so that we can then dig into it w/ Index. Clerk keeps the data locked in and their "analytics" page is very very limited.
darcyrose 18 hours ago [-]
I happened to pick up Clerk for its ease of use and accessible free tier for my SaaS. The data locking was “solvable” but way too much effort as a solo dev. I had to use their webhook tool and set up a separate Inngest service to sync the data.
I’m very curious about Better Auth from what I’ve heard so far. I wish I knew about it sooner!
timsuchanek 1 days ago [-]
Better auth is by far the best option out there.
We've adopted it and couldn't be happier not having to manage 2 sources of truth.
akouri 1 days ago [-]
Have been a proud better auth user for the last 6 months! Loved it so far, especially the fact that it's FOSS. Now that it's a venture-funded YC company, I am worried about using it. Should I be?
bekacru 22 hours ago [-]
As I mentioned in the post, our goal is to help developers own their Auth. And now that we’re funded, it’d help us pursue this goal even more aggressively and give people more confidence.
hyuuu 23 hours ago [-]
I have been your user since the early days, I want to say congrats you guys, I have been recommending your framework to everyone. I appreciate the responsive support you gave me on discord (though in the end, my questions are already on the docs lol)
clgeoio 1 days ago [-]
Nice work!
I took better-auth for a test a couple of months ago. I enjoyed the experience, but the DX was pretty poor when using edge frameworks (like Cloudflare Workers) as the CLI tools didn't work. For workers for example, environment variables are not known at build time, rather injected in the "fetch()" handler.
Interested to see how the functionality progresses!
yard2010 1 days ago [-]
This looks really exciting. I'm sold. I'm planning to migrate to BetterAuth from Firebase Auth in the next few months, how do the two compare? Personally I'm happy with Firebase (migrated from Workos which was so frustrating and lacking in many aspects, or in other words a huge mistake when picking), not so happy about the vendor lock and the vendor itself.
bekacru 1 days ago [-]
You should be able to get all the features you get from Firebase and much more. The only major downside right now is that we don’t have a Firebase/Firestore adapter yet. So if that’s the database you’re using, you’d need to use a different one for your auth service.
grinich 1 days ago [-]
Hi - I'm the founder of WorkOS. Would love any feedback you can share here or via email (mg@workos.com)
Betterauth and WorkOS are pretty different. For example, WorkOS isn't designed exclusively for TypeScript (we support SDKs for a bunch of languages/platforms) and WorkOS runs as a cloud service. The developer experience will always be different because of this.
We also design the platform to be modular, which enables you to just use WorkOS for SSO or SCIM alongside an existing auth stack. We call these the standalone APIs and lots of customers use it this way.
WorkOS is focused on enterprise features for b2b apps and solving problems that come with growing upmarket. Today we power auth for OpenAI, Anthropic, Perplexity, Cursor, Vercel, Plaid, and hundreds more.
We love getting feedback so please feel free to post here, email, or twitter DMs are open. Thanks!
(I also love open source and am glad to see more innovation happening here in the ecosystem!)
ymir_e 1 days ago [-]
Congratulations on the launch!
Heavily evaluated better-auth when implementing auth at my current company. Ended up with keycloak because of SAML SSO.
One thing I remember having some issues with was customising schemas with the drizzle adapter. Looks like you've cleared up the documentation more now. I think at the time I was confused as to whether custom schemas were specified in the drizzle adapter options, or inside the organization plugin.
Thanks for all your work, it is a really cool library!
jprokay13 1 days ago [-]
Do you have any recommendations on how to get started with Keycloak or just RTFM?
andrewstuart2 1 days ago [-]
My two cents: Keycloak's UI is pretty self explanatory if you understand OIDC (oauth2 + jwt + specific JWT claims) and, if you have to use it (my condolences, though it's also just interesting to see how crazy specs can get), SAML. I'd strongly suggest reading up on the OpenID Connect spec, including the oauth2 spec, and this will serve you very well in your authn/z journey.
That said, keycloak also does have a great docs site.
sberens 20 hours ago [-]
My experience with auth solutions/libraries is you invariably want to customize some flow/data/functions, but it's impossible because the library isn't flexible enough.
A better solution might be premade auth primitives (oauth providers, db adapters) that you copy paste into your codebase shadcn-style, and modify when necessary.
I feel like "don't roll your own auth" is less true than it was 5-10 years ago as now there is an abundance of good references and core libraries.
Destiner 1 days ago [-]
I’ve just used BetterAuth for my project [0]
I’ve never implemented auth before, and was always thinking that it will take me days to get it right.
I'm very tempted to make the leap from Lucia to Better Auth for a greenfield project, but the thought of jumping yet again from one auth solution to another is making me hesitate. If there are any satisfied (or unsatisfied) devs who have attempted the Lucia -> Better Auth transition, I'd love to hear your thoughts on this!
yhprum 1 days ago [-]
Hey I just converted my 0-user project from Lucia to Better Auth, and I had a few notes.
Better Auth is great - it just works, but there were a few quirks I had to face, like how it handles everything for you using the auth client instead of giving you helper functions to use to handle login/register requests and make it customizable on the server side
The migration was very easy, since I had no users to worry about, I was able to drop my users and sessions table and use the Better Auth cli to generate a migration with all the tables I could need. Even with some initial problems I had with the auth client and having to restructure my login errors to handle what the auth client returns, I'm happy with my migration, and it opens up a whole host of plugins and features I can easily integrate in the future
maenbalja 1 days ago [-]
Thanks for sharing, you've successfully tipped the Better Auth scales for me... Might be too early to tell, but would you say you prefer Lucia or Better Auth at this point? I really like Lucia because of how little magic there is and how I can understand/control everything related to auth. But I wonder if it loses its luster as a project grows.
yhprum 1 days ago [-]
I loved Lucia just because it gives you control over absolutely everything you want to do, but I'm starting to like the bits of magic that come with Better Auth - namely things like email verification, password resets, and rate limiting were things I was planning to implement but dreaded having to code everything whereas they come built-in or as simple plugins for Better Auth.
maenbalja 1 days ago [-]
Alright I'm sold haha. You basically described the emotions I imagined I would've experienced if I transitioned to Better Auth. Just needed to hear it from someone else. Cheers!
I am building a production grade express API generator that lets people download a full production-ready express API with all tooling set up, with dependencies like ESLint, Prettier, Husky, Commitlint etc. configured. One of the steps lets people choose an authentication provider and I intend to add your library
stevelacy 1 days ago [-]
We have been using better-auth (open source) for a while, it was immediately a better experience compared to the existing (typescript) auth libraries. Plus no Nextjs lock-in, we migrated off Nextjs to Hono and only had to change the router.
zeroq 24 hours ago [-]
I'm super happy that this is getting funding and won't become vaporware at least for another season, because it's super important to have a stable foundation for homebrew solutions.
However I'm not entirely sold on this being an actual alternative to auth0 and such - at least for now. For a drop-in solution lack of mail and dashboard can be a real deal breaker.
zackify 1 days ago [-]
I thought this was another vercel shill, and cheating up the hackernews ranks LOL
But I tried it today and it’s pretty nice. A few bugs with user creation and custom fields with the beta oauth2 plugin. But overall very solid abstraction that will save lots of time.
Google sign in was a breeze too.
The migrations do not pick up nullable being true for custom fields though, and I see someone else already reported this.
Direct oauth registration works, most everything I need is here!
MarcelOlsz 1 days ago [-]
Been fiending to set up a sideproject that uses this for auth, instantdb for backend, and htmx/web components on the frontend.
vvoyer 1 days ago [-]
Nit pick: change homepage from:
> git(main) x npm add better-auth
to
> npm add better-auth
"git(main) x" looks odd and like an error.
badmonster 1 days ago [-]
How does Better Auth handle multi-tenant authentication across different subdomains or apps within a monorepo setup?
btw I read about your project on X a while ago, nice project!
ayushrodrigues 1 days ago [-]
Better-Auth has changed the game for authentication, developer experience and open source offerings as a whole. Huge fan of the framework agnostic approach. Congrats team!
WorldMaker 1 days ago [-]
It feels wrong in 2025 that Passkey support isn't up-front and first class and is relegated to a plugin.
bekacru 1 days ago [-]
Not many people are implementing passkeys yet, and we don’t want to force that on users. Also, the plugins we provide are still tightly integrated with the framework, you don’t even need to install a separate package, just import them.
WorldMaker 1 days ago [-]
If you want to make a case for tightly integrated plugins, then why aren't Passwords a plugin?
Also, there's a huge gap between "we don't want to force that on users" and "we don't advertise it in our top-level marketing site at all". I can't be the only HN reader that is evaluating all libraries like this for Passkey support. It took me four or five clicks to even realize this library even supported Passkeys at all. If I wasn't curious about other Plugins I probably would have dismissed this entire library as outdated for lacking even basic Passkey support.
vivzkestrel 18 hours ago [-]
Nobody I know uses it. Talk with circles outside tech and ask them "how many passkeys they have". They will ask you what a passkey is.
WorldMaker 10 hours ago [-]
Passkey is weird to recognize as a "brand", especially for mainstream users. It's more interesting to ask the average/mainstream user how many sites and apps they login to with their Face or their Fingerprint, and the numbers there are shifting rapidly and in interesting ways. You'll get a bunch of "false positives" that think any interaction with the iOS or Android built-in password managers count, but those "false positives" are also what is lifting the tide of larger Passkey adoption. The users comfortable with native password managers are also the users getting the easiest auto-enroll paths into using passkeys in supported places.
At this point the chicken and egg onus is on websites to support Passkeys, and to do it as a first-class and recommended experience, not on explaining to average users what a passkey "is" or arguing over how many they have. It is past time for auth frameworks and vendors to start steering people away from passwords (and towards passkeys, whether you want to "brand it" as passkeys or not).
roes9627 1 days ago [-]
might be dumb q, but does it work well with Supabase Auth?
swyx 1 days ago [-]
not at all dumb, I had the same question. I assume it's a direct replacement, and there should be some pros and cons, so what I'd really want is a knowledgeable person doing comparisons along the 4-5 major axes that people should really care about
axes i care about
0. does betterauth have google/twitter/github oauth? (i assume yes but hey its basic) 2fa support? Activedirectory/Okta/Workos/other team management level auth?
1. does betterauth integrate with postgres RLS? is there a better way to do the same job?
2. (pls autocomplete)
ml914 1 days ago [-]
Different space, but sounds like a similar launch approach to how Triplit works as a sync engine - open-sourced, can use for free, or can upgrade to pay for hosting and the console/dashboard view. Appreciate companies like this taking a developer-first approach
tough 1 days ago [-]
right, what other areas of SE are well suited for such a setup?
sebnun 10 hours ago [-]
Surprised none mentioned OpenAuth yet, how does this compare?
Curious to know why the default approach taken for auth is to use cookie sessions and not JWT, although it is available as a plugin, its documentation is not clear.
portaouflop 1 days ago [-]
If I use the commercial option what is the difference to a 3rd party solution ?
It seems to me you would still have a 3rd party to offload Auth to?
bekacru 1 days ago [-]
The commercial offering is essentially a dashboard that connects directly to your existing setup and gives you a way to manage users and view analytics. You can also integrate additional services like bot and fraud protection as needed
blackhaj7 1 days ago [-]
I have been using Better Auth for a while now and it is awesome. Nicest auth DX I have come across
Congrats on getting into YC!
Vinnl 15 hours ago [-]
Sorry to hijack this post, but since people who know are likely to look here... Anyone know what's up with Next-Auth/Auth.js? The main author had a post up [1] stating that they would stop their involvement, but that post appears to have been removed.
Welcome to the auth party! (Full disclosure, I work for FusionAuth, one of those third party auth providers.)
I feel like every ecosystem should have a great auth library, and am glad to see you taking on this challenge. I come from the ruby and java worlds where devise and spring auth are great choices, and have watched as several options have risen and fallen in the JS world (passport.js, nextauth). I've heard good things about your project from colleagues, so hopefully you'll win :).
Sounds like you plan to support this via infrastructure and higher level features. Any plans to offer paid support as well?
Anyway, congrats on your launch!
bekacru 1 days ago [-]
Appreciate the kind words :)) Yeah, it’ll mostly be high-level features. We do plan to offer paid support since it seems like there’s demand for it, and it helps give teams more confidence when choosing the library.
noleary 1 days ago [-]
+1 to Dan's comment! Excited to see you guys inject some new life into our space.
joseferben 1 days ago [-]
congrats on the launch! better-auth is a joy to use. great dx with the type-safe plugin system.
joseferben 1 days ago [-]
the quality of the lib and the docs is really high, kinda crazy you just launched!
benmccann 1 days ago [-]
NextAuth certainly needs some competition. However, I wish better-auth didn't have so many dependencies. I feel like it shouldn't be necessary to depend on things like kysely and TypeScript.
dexterleng 1 days ago [-]
Do you have any plans on launching a Swift framework?
soneca 1 days ago [-]
Tangentially related, but have you thought about a go to market strategy related to AI?
I started a new side project with Cursor to see how it goes, and it suggests a lot of packages for a lot of things (often not even suggests, assume you want it and ask you to install already).
I imagine there will be an “AIO” AI optimization field soon. Have you considered it at all?
I mean. If I explicitly ask Cursor models to use Better Auth for authentication, will any of them be able to use it?
A possible thing for you to work on could be to prepare a prompt with links to your documentation that I can copy and paste in Cursor (or whatever) and will successfully implement it in my project.
EDIT: If you want to give it a try at one now and post as a reply here, I’ll gladly try it. It should say to substitute Auth0, as I am already using it, in a NextJS 15 web app that uses Neon serverless Postgres as DB. But I can tweak those myself later too
coolcase 19 hours ago [-]
Ideally assistants will look at your package.json then make web calls to bring in the docs. Maybe a README.AI file that is more token efficient can provide the data.
rafram 1 days ago [-]
> I imagine there will be a “AIO” AI optimization field soon.
Please no.
abhisek 1 days ago [-]
The closest I can think of is Devise for the Ruby on Rails ecosystem. While these solutions provide a great developer experience to get started, IMHO there are solid reasons to have separate identity providers like Auth0 or, if you like to self-host, stuff like Keycloak, Dex and more. Consider that your business logic backend needs multi-region deployments: where will you keep the auth DB?
Personally, if I want my app to be future proof, I would probably keep auth as a separate service while speaking standard protocols like OAuth2 so that I can maintain single source of truth for my user identity and be able to build multiple applications based on it.
asdffdasy 1 days ago [-]
how does the nextjs middleware work since it's impossible to open a db connection from it?
dzonga 1 days ago [-]
in rails there's authentication-zero.
I haven't found the equivalent in the jvm space.
nice work -- maybe I will do a port to jvm
realbrad 20 hours ago [-]
This is great!
dhruv3006 19 hours ago [-]
godspeed dudes.
rvz 1 days ago [-]
Are there any tests for this?
How do I know if this actually works in the long term?
Congrats on the launch of Better Auth! It's great to see a new framework aiming to make rolling your own auth in TypeScript easier. More well-thought-out options for developers in the authentication and authorization landscape are always welcome.
Best of luck with it!
(Disclosure: I'm a co-founder of Zitadel, also building solutions in this space.)
paradox460 1 days ago [-]
Which personal attack? You mean calling out Americans? How is that personal? You also going to ban everyone here who posts disparaging generalizations about Europeans? Because so far you haven't been.
As for
> Are you a shill, a troll or just an upset fanboy?
This is a genuine question, not an attack.
dang 4 hours ago [-]
"Grow up", for starters.
> Are you a shill, a troll or just an upset fanboy?
That's a loaded question and easily enough to count as an attack. This is not a close call!
jillyboel3 3 minutes ago [-]
Yeah, Americans gotta grow up. "Oh no someone said no-no word!" is hilariously immature. You're reaching to try and take it personally, it was clearly not even aimed at the commenter but at those pearl clutching firewall intel providers.
1. If I am using Supabase for DB, should I use Supabase auth or use Better auth which would anyways use Supabase DB for saving data.
2. When using Supabase auth, they don't give access to the auth.users table and for saving additional user details like country we need a seprate profiles table. If I use Better-auth what should be the approach for saving additional details?
3. How Better Auth Infrastructure is different than Clerk or Supabase auth?
2. Yeah, you’d need to migrate to Better Auth and move your user table to your main schema. We have a migration guide for Supabase.
3. It’s just additional features built on top of the framework, not a 3rd party auth service. You’ll still use the framework, and when you need those features, you can connect it to the infra to enable them.
This team is top notch. The community leadership, responsiveness, and development speed has been incredible. The project itself is also great--this library is so much more flexible than others and requires much less effort to wrap my brain around. I'm so happy that this library is getting the recognition it deserves.
Just one suggestion - remove the F-bombs from the testimonials on your homepage. There are various firewall intel providers that will put you on the bad lists because of this. You usually learn this the hard way :/
- Federated sign-in/out? In next-auth, it is a giant pain to implement: https://github.com/nextauthjs/next-auth/discussions/3938
- Automated refreshing of JWT tokens on the client-side? I always end up having to implement my own logic around this. The big problem is if you have multiple API calls going out and they all require JWT auth, you need to check the JWT validity and block the calls until it is refreshed. In next-auth on the server-side, this is impossible to do since that side is generally stateless, and so you end up with multiple refresh calls happening for the same token.
- The ability to have multiple auth sessions at once, like in a SaaS app where you might belong to multiple accounts / organizations (your intro paragraph sounds like it does)
- Handle how multiple auth sessions are managed if the user happens to open up multiple tabs and swaps accounts in another tab
- Account switching using a Google provider? This seems to be a hard ask for providers like FusionAuth and Cognito. You can't use the Google connector directly but instead use a generic OAuth2 connector where you can specify custom parameters when making the initial OAuth2 flow with Google. The use-case is when a user clicks on the Google sign-in button, it should go to the Google account switcher / selector instead of signing in the user immediately if they have an existing signed-in Google session.
- We don’t use JWTs directly, and sessions always require state (it’s not stateless). And yeah, both the client and server handle automatic session refresh.
- Yes, we support both multiple sessions and having different organizations open in different tabs: https://www.better-auth.com/docs/plugins/multi-session
- Yes, that’s possible, you just need to set the `prompt` parameter to `select_account`
There is a plugin provided by better auth for jwt https://www.better-auth.com/docs/plugins/jwt
We don't need it since everything is a single "server" and cookies are good enough. JWT would be added complexity (e.g. sign out) that I find it better not to set as a default.
bonus reading http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-fo...
Why?
For all API calls, if the lock is not set, it checks if the JWT is still valid. If it is not, then the lock is set by assigning a new promise to it and saving the resolve call as an external variable to be called after the refresh is done (which resolves the held promise on the other calls, allowing the latest token to be used).
All calls await the lock; it either waits for the refresh to complete or just moves on and performs validation with the currently set token.
Looks like this:
- Await on the lock; if the lock has already been resolved, it will just continue on
- Check for JWT validity via exp check (the API server itself would be responsible for checking signature and other validity factors); if not valid, update lock with a new promise and hold the resolver. Perform refresh. Release lock by resolving the promise.
- Use current / refreshed JWT for API call
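The lock described in the steps above, as an added example (not code from the thread or from Better Auth): a single-flight refresh in Node.js. `createTokenStore`, `refreshFn`, `burst` and the unsigned sample tokens are hypothetical names and constructed inputs.

```javascript
// Decode the exp claim (seconds since epoch) from a JWT payload. No signature
// check here: the API server verifies it; the client only decides when to refresh.
function jwtExpiresAtMs(token) {
  const payload = token.split('.')[1];
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8')).exp * 1000;
}

// Expire a little early so a request does not reach the server with a token
// that lapsed in transit.
function isExpired(token, skewMs = 30_000, now = Date.now()) {
  return jwtExpiresAtMs(token) - skewMs <= now;
}
// Constructed, unsigned sample token with the given exp (test input only).
function makeSampleToken(expSeconds) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64({ exp: expSeconds })}.`;
}

// Single-flight token store: concurrent callers share one refresh.
// refreshFn is a hypothetical async function that returns a new token.
function createTokenStore(initialToken, refreshFn) {
  let token = initialToken;
  let lock = null;      // the pending refresh promise, or null while idle
  let refreshes = 0;
  async function getToken() {
    if (lock) await lock;                 // a refresh is in flight: wait for it
    if (!isExpired(token)) return token;  // fresh token: use it as-is
    if (!lock) {                          // first caller to notice: own the refresh
      refreshes += 1;
      lock = refreshFn()
        .then((fresh) => { token = fresh; })
        .finally(() => { lock = null; }); // release so later callers skip the wait
    }
    await lock;                           // everyone here waits for the same promise
    return token;
  }
  return { getToken, refreshCount: () => refreshes };
}

// Fire n requests at once against an expired token; report how many refreshes
// actually ran (expected: exactly one) and whether every caller got a fresh token.
async function burst(n) {
  const nowSec = Math.floor(Date.now() / 1000);
  const store = createTokenStore(makeSampleToken(nowSec - 60), async () => {
    await new Promise((r) => setTimeout(r, 20)); // simulated network latency
    return makeSampleToken(nowSec + 3600);
  });
  const tokens = await Promise.all(Array.from({ length: n }, () => store.getToken()));
  return { refreshes: store.refreshCount(), allFresh: tokens.every((t) => !isExpired(t)) };
}
```

Without the shared promise, every one of the `n` callers would observe the stale `exp` and start its own refresh, which is the duplicate-refresh problem the comment describes.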
About the dashboard - would this just be an interface to my existing Better Auth setup (e.g. if I had customized the underlying data storage) or are you hosting credentials yourself?
You have my sincerest gratitude for building this incredibly useful library and documenting it so well.
One of the reasons I prefer BA is because I retain a lot of flexibility with designing the rest of the system around the authentication. So for example, if I want to have an additional column per user, it's a lot easier to wrap my head around adding a new Postgres column than using some API for appending data to a user in Cognito/Auth0/Okta/etc in some rigid format.
https://auth.meetingbaas.com
It's a shame I didn't add more providers there since then!
I've been waiting for something like this for the last year or so. There's so much that's SO CLOSE, but nothing quite as simple as "npm install -> add necessary config -> npm publish". That's what I've been waiting for and that's what it looks like you are offering here.
Very excited to spin up a new Hostinger VPS and slap this on there to provide syncing for local-first apps. If it's as easy as your docs make it seem, this will save a ton of time and headaches!
In the JavaScript/TypeScript ecosystem, libraries like NextAuth still have a huge number of users for the same reason: ease of use. And with the rise of full-stack TypeScript apps where both the frontend and backend live together and share a strong type system, it makes even more sense to keep all your context in one place.
That said, if you ever decide to self-host Better Auth in a dedicated container, you still can.
Back when I was looking at it a couple of months ago, the big thing that popped out was that BetterAuth supports email and password out of the box, where NextAuth seems to have a preachy disclaimer about how email and password is inherently insecure, so they leave you to your own devices to implement password hashing and the like.
That did give a sense that NextAuth was the first to dominate the space and feels as though they can dictate morals.
BetterAuth seems to be a bit more developer-focused.
Yeah, I needed a login & password auth last Friday and I was so frustrated with NextAuth I ended up using nginx to set up HTTP basic auth.
I’m very curious about Better Auth from what I’ve heard so far. I wish I knew about it sooner!
Interested to see how the functionality progresses!
Betterauth and WorkOS are pretty different. For example, WorkOS isn't designed exclusively for TypeScript (we support SDKs for a bunch of languages/platforms) and WorkOS runs as a cloud service. The developer experience will always be different because of this.
We also design the platform to be modular, which enables you to just use WorkOS for SSO or SCIM alongside an existing auth stack. We call these the standalone APIs and lots of customers use it this way.
WorkOS is focused on enterprise features for b2b apps and solving problems that come with growing upmarket. Today we power auth for OpenAI, Anthropic, Perplexity, Cursor, Vercel, Plaid, and hundreds more.
We love getting feedback so please feel free to post here, email, or twitter DMs are open. Thanks!
(I also love open source and am glad to see more innovation happening here in the ecosystem!)
Heavily evaluated better-auth when implementing auth at my current company. Ended up with keycloak because of SAML SSO.
One thing I remember having some issues with was customising schemas with the drizzle adapter. Looks like you've cleared up the documentation more now. I think at the time I was confused as to whether custom schemas were specified in the drizzle adapter options, or inside the organization plugin.
Basically mixing up these two: https://www.better-auth.com/docs/plugins/organization#custom... https://www.better-auth.com/docs/adapters/drizzle#additional...
Thanks for all your work, it is a really cool library!
That said, keycloak also does have a great docs site.
A better solution might be premade auth primitives (oauth providers, db adapters) that you copy paste into your codebase shadcn-style, and modify when necessary.
I feel like "don't roll your own auth" is less true than it was 5-10 years ago as now there is an abundance of good references and core libraries.
I’ve never implemented auth before, and was always thinking that it will take me days to get it right.
I’ve done the whole thing in maybe 3 hours.
[0] https://dough.ink/
Better Auth is great - it just works, but there were a few quirks I had to face, like how it handles everything for you using the auth client instead of giving you helper functions to use to handle login/register requests and make it customizable on the server side
The migration was very easy, since I had no users to worry about, I was able to drop my users and sessions table and use the Better Auth cli to generate a migration with all the tables I could need. Even with some initial problems I had with the auth client and having to restructure my login errors to handle what the auth client returns, I'm happy with my migration, and it opens up a whole host of plugins and features I can easily integrate in the future
However, I'm not entirely sold on this being an actual alternative to auth0 and such - at least for now. For a drop-in solution, lack of mail and dashboard can be a real deal breaker.
But I tried it today and it’s pretty nice. A few bugs with user creation and custom fields with the beta oauth2 plugin. But overall very solid abstraction that will save lots of time.
Google sign in was a breeze too.
The migrations do not pick up nullable being true for custom fields though, and I see someone else already reported this.
Direct oauth registration works, most everything I need is here!
> git(main) x npm add better-auth
to
> npm add better-auth
"git(main) x" looks odd and like an error.
Btw, I read about your project on X a while ago, nice project!
Also, there's a huge gap between "we don't want to force that on users" and "we don't advertise it in our top-level marketing site at all". I can't be the only HN reader that is evaluating all libraries like this for Passkey support. It took me four or five clicks to even realize this library even supported Passkeys at all. If I wasn't curious about other Plugins I probably would have dismissed this entire library as outdated for lacking even basic Passkey support.
At this point the chicken and egg onus is on websites to support Passkeys, and to do it as a first-class and recommended experience, not on explaining to average users what a passkey "is" or arguing over how many they have. It is past time for auth frameworks and vendors to start steering people away from passwords (and towards passkeys, whether you want to "brand it" as passkeys or not).
Axes I care about:
0. Does betterauth have google/twitter/github oauth? (I assume yes but hey, it's basic) 2FA support? Activedirectory/Okta/Workos/other team management level auth?
1. Does betterauth integrate with postgres RLS? Is there a better way to do the same job?
2. (pls autocomplete)
https://openauth.js.org/
Congrats on getting into YC!
[1] https://web.archive.org/web/20250419022421/https://balazsorb...
I feel like every ecosystem should have a great auth library, and am glad to see you taking on this challenge. I come from the ruby and java worlds where devise and spring auth are great choices, and have watched as several options have risen and fallen in the JS world (passport.js, nextauth). I've heard good things about your project from colleagues, so hopefully you'll win :).
Sounds like you plan to support this via infrastructure and higher level features. Any plans to offer paid support as well?
Anyway, congrats on your launch!
I started a new side project with Cursor to see how it goes, and it suggests a lot of packages for a lot of things (often it doesn't even suggest; it assumes you want it and asks you to install it already).
I imagine there will be an “AIO” AI optimization field soon. Have you considered this at all?
I mean. If I explicitly ask Cursor models to use Better Auth for authentication, will any of them be able to use it?
A possible thing for you to work on could be to prepare a prompt with links to your documentation that I can copy and paste in Cursor (or whatever) and will successfully implement it in my project.
EDIT: If you want to give it a try at one now and post as a reply here, I’ll gladly try it. It should say to substitute Auth0, as I am already using it, in a NextJS 15 web app that uses Neon serverless Postgres as DB. But I can tweak those myself later too
Please no.
Personally, if I want my app to be future proof, I would probably keep auth as a separate service while speaking standard protocols like OAuth2 so that I can maintain single source of truth for my user identity and be able to build multiple applications based on it.
I haven't found the equivalent in the jvm space.
Nice work -- maybe I will do a port to the JVM
How do I know if this actually works in the long term?
https://github.com/search?q=repo%3Abetter-auth%2Fbetter-auth...
Best of luck with it!
(Disclosure: I'm a co-founder of Zitadel, also building solutions in this space.)
Btw there's no problem with what you were saying about the word fuck*. The problem is with the personal attack/abuse in your comment.
(We detached this comment from https://news.ycombinator.com/item?id=44036364.)
* https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
As for
> Are you a shill, a troll or just an upset fanboy?
This is a genuine question, not an attack.
> Are you a shill, a troll or just an upset fanboy?
That's a loaded question and easily enough to count as an attack. This is not a close call!
https://en.wikipedia.org/wiki/Generic_you