Authentication with Better Auth in Makerkit Next.js Drizzle
Understand Makerkit's authentication system and add OAuth sign-in. By the end, users can sign in with Google.
In this module, you'll understand how Makerkit's authentication works and add Google OAuth sign-in to TeamPulse.
In this module, I want to walk through all you need to know about authentication in Makerkit using Better Auth - and how to dive in into the internals of the authentication system by linking to the documentation.
Technologies used:
- Better Auth - Authentication framework
- Drizzle ORM - Database tables for auth
What you'll accomplish:
- Understand the existing auth system
- Add Google OAuth sign-in
- Test the complete auth flow
Understanding the Auth System
Makerkit uses Better Auth, a TypeScript-first authentication framework. Before adding features, let's understand what's already configured.
Auth Pages
Navigate through the existing auth pages:
| URL | Purpose |
|---|---|
/auth/sign-up | Create new account |
/auth/sign-in | Sign in to existing account |
/auth/password-reset | Request password reset |
/auth/verify | Two-factor authentication (when enabled) |
Try it: Visit each page in your browser to see the UI.
Key Configuration Files
| File | Purpose |
|---|---|
packages/better-auth/src/auth.ts | Server-side auth configuration |
packages/better-auth/src/auth-client.ts | Client-side auth hooks |
apps/web/config/auth.config.ts | Feature flags (OAuth, MFA, etc.) |
apps/web/app/api/auth/[...all]/route.ts | API route handler |
How It Works
- Sign-up flow:
- User submits email/password
- Account created in
userstable - Verification email sent (check Mailpit at http://localhost:8025)
- User clicks link → signed in
- Organization auto-created (only in B2B mode)
- Sign-in flow:
- User submits credentials
- Session created in
sessionstable - Cookie set for authentication
- Redirected to
/dashboard
- Session access:
// Server-side (in server actions, loaders, pages)import { getSession } from '@kit/better-auth/context';const session = await getSession();const userId = session?.user?.id;Checkpoint: Test the Existing Flow
Before adding OAuth, verify email/password auth works:
- Go to
/auth/sign-up - Create a new account
- Check Mailpit for new emails at http://localhost:8025
- Click the verification link
- Confirm you land on the dashboard
If you seeded test data using pnpm seed, you can also sign in with user1@makerkit.dev / testingpassword.
Adding Google OAuth
Let's add "Sign in with Google" to TeamPulse.
Step 1: Create Google Cloud Credentials
- Go to Google Cloud Console
- Create a new project (or select existing)
- Navigate to APIs & Services → Credentials
- Click Create Credentials → OAuth client ID
- Select Web application
- Add authorized redirect URI:
http://localhost:3000/api/auth/callback/google- Copy the Client ID and Client Secret
Step 2: Configure Environment Variables
Add to apps/web/.env.local:
apps/web/.env.local
# Google OAuthGOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.comGOOGLE_CLIENT_SECRET=your-client-secret# Enable Google in the OAuth providers listNEXT_PUBLIC_AUTH_OAUTH_PROVIDERS=googleNB: when you go to production, please do not use the env file for storing secret environment variables.
Step 3: Test
Now visit /auth/sign-in. You should see a "Sign in with Google" button.
Test the flow:
- Click "Sign in with Google"
- Complete Google's sign-in
- You're redirected back and signed in
How OAuth Works in Makerkit
The Plugin System
Better Auth uses plugins for OAuth providers.
The configuration lives in packages/better-auth/src/plugins/social-providers.ts - and should be modified if you require other Social providers.
When you set GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET, the plugin automatically:
- Handles the OAuth redirect flow
- Creates or links user accounts
- Manages OAuth tokens securely
Adding Other Providers
Please refer to the documentation to add social providers.
What Else Is Possible
The auth system has many more features you can enable. Here's what's available:
Magic Links (Passwordless)
Let users sign in via email link - no password needed.
- Enable:
NEXT_PUBLIC_AUTH_MAGIC_LINK=true
Password Requirements
Enforce stronger passwords with special characters, numbers, uppercase.
- Configure: (all default to
false)
NEXT_PUBLIC_PASSWORD_REQUIRE_SPECIAL_CHARS=trueNEXT_PUBLIC_PASSWORD_REQUIRE_NUMBERS=trueNEXT_PUBLIC_PASSWORD_REQUIRE_UPPERCASE=trueCustom Email Templates
Customize verification, password reset, and invitation emails.
- Templates:
packages/email-templates/src/emails/(React Email components)
Captcha Protection
Add Cloudflare Turnstile to prevent bot sign-ups.
- Configure:
NEXT_PUBLIC_CAPTCHA_SITE_KEY=your-site-keyTURNSTILE_SECRET_KEY=your-secret- Docs: Better Auth Captcha
Module 6 Complete!
You now have:
- [x] Understanding of Makerkit's auth architecture
- [x] Google OAuth sign-in working
- [x] Awareness of advanced auth features (MFA, magic links, captcha, etc.)
Next: In Module 7: Organizations & Teams, you'll apply role-based access control to TeamPulse features.