Better Auth Integration Guide

Quick Reference

Environment Variables

• BETTER_AUTH_SECRET

  - Encryption secret (min 32 chars). Generate:

  openssl rand -base64 32

• BETTER_AUTH_URL

  - Base URL (e.g.,

  https://example.com

  )

baseURL

secret

File Location

auth.ts

./

./lib

./utils

./src

--config

CLI Commands

• npx @better-auth/cli@latest migrate

  - Apply schema (built-in adapter)

• npx @better-auth/cli@latest generate

  - Generate schema for Prisma/Drizzle

• npx @better-auth/cli mcp --cursor

  - Add MCP to AI tools

Core Config Options

appName

baseURL

BETTER_AUTH_URL

basePath

/api/auth

/

secret

BETTER_AUTH_SECRET

database

secondaryStorage

emailAndPassword

{ enabled: true }

socialProviders

{ google: { clientId, clientSecret }, ... }

plugins

trustedOrigins

Database

pg.Pool

mysql2

better-sqlite3

bun:sqlite

better-auth/adapters/drizzle

better-auth/adapters/prisma

better-auth/adapters/mongodb

User

users

modelName: "user"

"users"

Session Management

1. If

   secondaryStorage

   defined → sessions go there (not DB)
2. Set

   session.storeSessionInDatabase: true

   to also persist to DB
3. No database +

   cookieCache

   → fully stateless mode

• compact

  (default) - Base64url + HMAC. Smallest.

• jwt

  - Standard JWT. Readable but signed.

• jwe

  - Encrypted. Maximum security.

session.expiresIn

session.updateAge

session.cookieCache.maxAge

session.cookieCache.version

User & Account Config

user.modelName

user.fields

user.additionalFields

user.changeEmail.enabled

user.deleteUser.enabled

account.modelName

account.accountLinking.enabled

account.storeAccountCookie

email

name

Email Flows

• emailVerification.sendVerificationEmail

  - Must be defined for verification to work

• emailVerification.sendOnSignUp

  /

  sendOnSignIn

  - Auto-send triggers

• emailAndPassword.sendResetPassword

  - Password reset email handler

Security

advanced

• useSecureCookies

  - Force HTTPS cookies

• disableCSRFCheck

  - ⚠️ Security risk

• disableOriginCheck

  - ⚠️ Security risk

• crossSubDomainCookies.enabled

  - Share cookies across subdomains

• ipAddress.ipAddressHeaders

  - Custom IP headers for proxies

• database.generateId

  - Custom ID generation or

  "serial"

  /

  "uuid"

  /

  false

rateLimit.enabled

rateLimit.window

rateLimit.max

rateLimit.storage

Hooks

hooks.before

hooks.after

{ matcher, handler }

createAuthMiddleware

ctx.path

ctx.context.returned

ctx.context.session

databaseHooks.user.create.before/after

session

account

ctx.context

session

secret

authCookies

password.hash()

verify()

adapter

internalAdapter

generateId()

tables

baseURL

Plugins

import { twoFactor } from "better-auth/plugins/two-factor"

from "better-auth/plugins"

twoFactor

organization

passkey

magicLink

emailOtp

username

phoneNumber

admin

apiKey

bearer

jwt

multiSession

sso

oauthProvider

oidcProvider

openAPI

genericOAuth

createAuthClient({ plugins: [...] })

Client

better-auth/client

better-auth/react

better-auth/vue

better-auth/svelte

better-auth/solid

signUp.email()

signIn.email()

signIn.social()

signOut()

useSession()

getSession()

revokeSession()

revokeSessions()

Type Safety

typeof auth.$Infer.Session

typeof auth.$Infer.Session.user

createAuthClient<typeof auth>()

Common Gotchas

1. Model vs table name - Config uses ORM model name, not DB table name
2. Plugin schema - Re-run CLI after adding plugins
3. Secondary storage - Sessions go there by default, not DB
4. Cookie cache - Custom session fields NOT cached, always re-fetched
5. Stateless mode - No DB = session in cookie only, logout on cache expiry
6. Change email flow - Sends to current email first, then new email

Resources

• Docs
• Options Reference
• LLMs.txt
• GitHub
• Init Options Source