The most comprehensive authentication framework for TypeScript.
better-auth is a TypeScript-first authentication framework designed to provide production-ready authentication with minimal configuration. It handles the complete authentication lifecycle including credential management, OAuth social sign-on, two-factor authentication, session handling, and organization-level access control. Unlike authentication-as-a-service providers, better-auth runs entirely in your infrastructure, giving you full control over user data and authentication flows.
The framework takes a batteries-included approach while remaining extensible through its plugin system. Core features like automatic database migrations, built-in rate limiting on authentication endpoints, and framework-agnostic design mean you can integrate it with Next.js, Nuxt, SvelteKit, or any Node.js application without vendor lock-in. The library manages schema creation and migrations automatically, supporting multiple database adapters including Prisma, Drizzle, and Kysely.
With over 1.1 million weekly downloads, better-auth has gained traction among developers building SaaS applications, multi-tenant platforms, and applications requiring sophisticated authorization models. Its integration capabilities with ORMs like Prisma and authorization layers like ZenStack enable database-level permission enforcement, making it particularly suitable for complex B2B applications with organization hierarchies and role-based access control.
The MIT license and active maintenance cycle (version 1.4.18 as of early 2025) indicate ongoing development. The plugin ecosystem extends functionality to include API key management, JWT tokens, device authorization flows, and even billing integrations, positioning it as a complete authentication and authorization solution rather than just a credential validator.
```typescript
import { betterAuth } from 'better-auth';
import { drizzleAdapter } from 'better-auth/adapters/drizzle';
import { toNodeHandler, fromNodeHeaders } from 'better-auth/node';
import Database from 'better-sqlite3';
import { drizzle } from 'drizzle-orm/better-sqlite3';
import express from 'express';

// Initialize database
const sqlite = new Database('auth.db');
const db = drizzle(sqlite);

// Configure better-auth with email/password and OAuth
const auth = betterAuth({
  database: drizzleAdapter(db, {
    provider: 'sqlite'
  }),
  emailAndPassword: {
    enabled: true,
    requireEmailVerification: true
  },
  socialProviders: {
    // OAuth credentials are read from the environment, never hard-coded
    github: {
      clientId: process.env.GITHUB_CLIENT_ID!,
      clientSecret: process.env.GITHUB_CLIENT_SECRET!
    },
    google: {
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!
    }
  },
  session: {
    expiresIn: 60 * 60 * 24 * 7, // 7 days
    updateAge: 60 * 60 * 24 // Update session every 24 hours
  }
});

// Express.js integration
const app = express();

// Mount auth routes (handles /api/auth/sign-in, /api/auth/sign-up, etc.).
// toNodeHandler adapts better-auth's Web-standard handler to Node's req/res.
// Mount it before express.json(): the auth handler parses the request body itself.
app.all('/api/auth/*', toNodeHandler(auth));
app.use(express.json());

// Protected route example
app.get('/api/protected', async (req, res) => {
  // getSession expects a Web Headers object, so convert Node's header map
  const session = await auth.api.getSession({
    headers: fromNodeHeaders(req.headers)
  });
  if (!session) {
    return res.status(401).json({ error: 'Unauthorized' });
  }
  res.json({
    message: 'Protected data',
    user: session.user
  });
});

app.listen(3000);
```

Multi-tenant SaaS platforms — Applications requiring organization-level isolation with members, roles, and team management. better-auth's built-in organization plugin handles invitations, member management, and access control without custom implementation, making it ideal for B2B software with workspace-style architecture.
Social authentication integration — Projects needing multiple OAuth providers (GitHub, Google, Discord, Twitter) with unified session management. The framework normalizes provider-specific implementations and handles token refresh, profile synchronization, and account linking automatically.
API authentication services — Microservices and REST APIs requiring multiple authentication strategies (bearer tokens, API keys, JWT). The plugin system allows combining credential-based auth for web clients with API key auth for integrations and JWT for mobile apps within a single authentication instance.
Compliance-heavy applications — Systems requiring audit trails, rate limiting, and security controls for financial services, healthcare, or government sectors. Automatic rate limiting, session management, and built-in 2FA support reduce the surface area for security vulnerabilities and compliance gaps.
Migration from legacy auth systems — Replacing homegrown authentication or migrating from authentication-as-a-service providers. The database-agnostic approach and customizable schema allow adapting to existing user tables while incrementally adopting features like OAuth or 2FA without rewriting authentication from scratch.
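The `session` block in the configuration example above sets two values, `expiresIn` (session lifetime) and `updateAge` (how often an active session's expiry is pushed forward). The following is an added illustration of that rolling-session policy, not better-auth's own code: the `SessionRecord` fields and the `touchSession` helper are hypothetical, chosen to make the interaction of the two settings explicit.

```typescript
// Hypothetical model of a rolling session policy (not better-auth internals).
interface SessionPolicy {
  expiresIn: number; // lifetime in seconds
  updateAge: number; // minimum age of the last extension before extending again, in seconds
}

interface SessionRecord {
  expiresAt: number; // epoch milliseconds
  updatedAt: number; // epoch milliseconds, when expiresAt was last set
}

// The values used in the configuration example above.
const policy: SessionPolicy = {
  expiresIn: 60 * 60 * 24 * 7, // 7 days
  updateAge: 60 * 60 * 24      // extend at most once per 24 hours
};

function createSession(p: SessionPolicy, now: number): SessionRecord {
  return { expiresAt: now + p.expiresIn * 1000, updatedAt: now };
}

// Called on every authenticated request. Returns null once the session has
// expired; otherwise returns the record, extended only when the previous
// extension is older than updateAge, so a busy client does not trigger a
// database write on every request.
function touchSession(p: SessionPolicy, s: SessionRecord, now: number): SessionRecord | null {
  if (now >= s.expiresAt) return null;
  if (now - s.updatedAt < p.updateAge * 1000) return s;
  return { expiresAt: now + p.expiresIn * 1000, updatedAt: now };
}
```

Under a rolling policy like this an idle session lapses after `expiresIn`, but an actively used one is extended indefinitely, so forcing a logout relies on deleting the stored session rather than on expiry alone.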
npm install better-auth
pnpm add better-auth
bun add better-auth