PromptCreek
Sign up
Back to Skills
Engineering

Better Auth Best Practices

Configure Better Auth server and client, set up database adapters, manage sessions, add plugins, and handle environment variables. Use when users mention Better Auth, betterauth, auth.ts, or need to set up TypeScript authentication with email/password, OAuth, or plugin configuration.

$ npx promptcreek add better-auth-best-practices

Auto-detects your installed agents and installs the skill to each one.

What This Skill Does

This skill provides a quick reference and setup guide for integrating Better Auth into applications. It outlines the necessary environment variables, CLI commands, core configuration options, and database setup for seamless authentication. This is useful for developers looking to quickly implement and configure Better Auth.

When to Use

  • Quickly set up Better Auth in a new project.
  • Troubleshoot common configuration issues.
  • Understand the required environment variables.
  • Use CLI commands for schema migrations.
  • Configure database adapters for different ORMs.
  • Customize authentication flows with plugins.

Key Features

Provides setup workflow steps.
Lists required environment variables.
Details CLI commands for schema management.
Explains core configuration options.
Offers guidance on database adapter setup.
Highlights the use of plugins for customization.

Installation

Run in your project directory:
$ npx promptcreek add better-auth-best-practices

Auto-detects your installed agents (Claude Code, Cursor, Codex, etc.) and installs the skill to each one.

View Full Skill Content

Better Auth Integration Guide

Always consult better-auth.com/docs for code examples and latest API.

Setup Workflow

  • Install: npm install better-auth
  • Set env vars: BETTER_AUTH_SECRET and BETTER_AUTH_URL
  • Create auth.ts with database + config
  • Create route handler for your framework
  • Run npx @better-auth/cli@latest migrate
  • Verify: call GET /api/auth/ok — should return { status: "ok" }

Quick Reference

Environment Variables

  • BETTER_AUTH_SECRET - Encryption secret (min 32 chars). Generate: openssl rand -base64 32
  • BETTER_AUTH_URL - Base URL (e.g., https://example.com)

Only define baseURL/secret in config if env vars are NOT set.

File Location

CLI looks for auth.ts in: ./, ./lib, ./utils, or under ./src. Use --config for custom path.

CLI Commands

  • npx @better-auth/cli@latest migrate - Apply schema (built-in adapter)
  • npx @better-auth/cli@latest generate - Generate schema for Prisma/Drizzle
  • npx @better-auth/cli mcp --cursor - Add MCP to AI tools

Re-run after adding/changing plugins.

Core Config Options

| Option | Notes |

|--------|-------|

| appName | Optional display name |

| baseURL | Only if BETTER_AUTH_URL not set |

| basePath | Default /api/auth. Set / for root. |

| secret | Only if BETTER_AUTH_SECRET not set |

| database | Required for most features. See adapters docs. |

| secondaryStorage | Redis/KV for sessions & rate limits |

| emailAndPassword | { enabled: true } to activate |

| socialProviders | { google: { clientId, clientSecret }, ... } |

| plugins | Array of plugins |

| trustedOrigins | CSRF whitelist |

Database

Direct connections: Pass pg.Pool, mysql2 pool, better-sqlite3, or bun:sqlite instance.

ORM adapters: Import from better-auth/adapters/drizzle, better-auth/adapters/prisma, better-auth/adapters/mongodb.

Critical: Better Auth uses adapter model names, NOT underlying table names. If Prisma model is User mapping to table users, use modelName: "user" (Prisma reference), not "users".

Session Management

Storage priority:

  • If secondaryStorage defined → sessions go there (not DB)
  • Set session.storeSessionInDatabase: true to also persist to DB
  • No database + cookieCache → fully stateless mode

Cookie cache strategies:

  • compact (default) - Base64url + HMAC. Smallest.
  • jwt - Standard JWT. Readable but signed.
  • jwe - Encrypted. Maximum security.

Key options: session.expiresIn (default 7 days), session.updateAge (refresh interval), session.cookieCache.maxAge, session.cookieCache.version (change to invalidate all sessions).

User & Account Config

User: user.modelName, user.fields (column mapping), user.additionalFields, user.changeEmail.enabled (disabled by default), user.deleteUser.enabled (disabled by default).

Account: account.modelName, account.accountLinking.enabled, account.storeAccountCookie (for stateless OAuth).

Required for registration: email and name fields.

Email Flows

  • emailVerification.sendVerificationEmail - Must be defined for verification to work
  • emailVerification.sendOnSignUp / sendOnSignIn - Auto-send triggers
  • emailAndPassword.sendResetPassword - Password reset email handler

Security

In advanced:

  • useSecureCookies - Force HTTPS cookies
  • disableCSRFCheck - ⚠️ Security risk
  • disableOriginCheck - ⚠️ Security risk
  • crossSubDomainCookies.enabled - Share cookies across subdomains
  • ipAddress.ipAddressHeaders - Custom IP headers for proxies
  • database.generateId - Custom ID generation or "serial"/"uuid"/false

Rate limiting: rateLimit.enabled, rateLimit.window, rateLimit.max, rateLimit.storage ("memory" | "database" | "secondary-storage").

Hooks

Endpoint hooks: hooks.before / hooks.after - Array of { matcher, handler }. Use createAuthMiddleware. Access ctx.path, ctx.context.returned (after), ctx.context.session.

Database hooks: databaseHooks.user.create.before/after, same for session, account. Useful for adding default values or post-creation actions.

Hook context (ctx.context): session, secret, authCookies, password.hash()/verify(), adapter, internalAdapter, generateId(), tables, baseURL.

Plugins

Import from dedicated paths for tree-shaking:

import { twoFactor } from "better-auth/plugins/two-factor"

NOT from "better-auth/plugins".

Popular plugins: twoFactor, organization, passkey, magicLink, emailOtp, username, phoneNumber, admin, apiKey, bearer, jwt, multiSession, sso, oauthProvider, oidcProvider, openAPI, genericOAuth.

Client plugins go in createAuthClient({ plugins: [...] }).

Client

Import from: better-auth/client (vanilla), better-auth/react, better-auth/vue, better-auth/svelte, better-auth/solid.

Key methods: signUp.email(), signIn.email(), signIn.social(), signOut(), useSession(), getSession(), revokeSession(), revokeSessions().

Type Safety

Infer types: typeof auth.$Infer.Session, typeof auth.$Infer.Session.user.

For separate client/server projects: createAuthClient().

Common Gotchas

  • Model vs table name - Config uses ORM model name, not DB table name
  • Plugin schema - Re-run CLI after adding plugins
  • Secondary storage - Sessions go there by default, not DB
  • Cookie cache - Custom session fields NOT cached, always re-fetched
  • Stateless mode - No DB = session in cookie only, logout on cache expiry
  • Change email flow - Sends to current email first, then new email

Resources

0Installs
0Views

Supported Agents

Claude CodeCursorCodexGemini CLIAiderWindsurfOpenClaw

Attribution

better-auth
better-auth/skills
MITadmin

Details

License
MIT
Source
admin
Published
3/18/2026

Tags

better auth

Related Skills

Agent Protocol

Inter-agent communication protocol for C-suite agent teams. Defines invocation syntax, loop prevention, isolation rules, and response formats. Use when C-suite agents need to query each other, coordinate cross-functional analysis, or run board meetings with multiple agent roles.

90
Alireza Rezvani
#c-level#c-level advisor

Agent Workflow Designer

Agent Workflow Designer

20
Alireza Rezvani
#engineering

CTO Advisor

Technical leadership guidance for engineering teams, architecture decisions, and technology strategy. Use when assessing technical debt, scaling engineering teams, evaluating technologies, making architecture decisions, establishing engineering metrics, or when user mentions CTO, tech debt, technical debt, team scaling, architecture decisions, technology evaluation, engineering metrics, DORA metrics, or technology strategy.

20
Alireza Rezvani
#c-level#c-level advisor