Authentication Configuration
Configure Better Auth for authentication, session management, MFA, and security settings in your SaaS application.
Ship secure authentication without managing auth infrastructure or paying per-user fees. Better Auth handles sessions, OAuth, MFA, and password flows - all self-hosted in your Next.js app.
The Next.js Drizzle SaaS Kit uses Better Auth for authentication with Drizzle ORM as the database adapter. Better Auth runs entirely on your infrastructure - no external auth service, no per-seat pricing. Configure email/password, magic links, OAuth providers, and MFA through environment variables. The kit includes pre-built sign-in forms, password reset flows, account deletion, and session management out of the box.
Better Auth is a TypeScript-first, self-hosted authentication library that provides session management, OAuth integration, MFA, and multi-tenancy plugins without external dependencies.
Use this documentation when: you're setting up authentication for the first time, adding a new OAuth provider, enabling MFA, or customizing auth behavior.
Avoid modifying auth internals when: the default configuration meets your needs. Better Auth's defaults are secure and production-ready.
If unsure: start with email/password authentication enabled. Add OAuth and MFA after your core app works.
Features
- Email/password authentication
- Magic link (passwordless) authentication
- Multi-factor authentication (MFA/TOTP)
- OAuth providers (Google, GitHub, etc.)
- Secure session management
- Password reset flows
- Account deletion with verification
- Rate limiting and captcha protection
Why Better Auth?
- Self-Hosted - Runs on your infrastructure with no external auth service
- No Per-User Pricing - Unlimited users without SaaS auth costs
- TypeScript-First - Full type safety across client and server
- Database Agnostic - Works with Drizzle ORM and PostgreSQL (or any Drizzle-supported database)
- Plugin Architecture - Add MFA, OAuth, rate limiting as needed
- Production Ready - Industry-standard security practices
Common Pitfalls
- Forgetting to set `BETTER_AUTH_SECRET`: Sessions won't work without a 32+ character secret. Generate one with `openssl rand -base64 32`.
- Mismatched OAuth redirect URLs: Your `NEXT_PUBLIC_SITE_URL` must exactly match what's configured in Google/GitHub OAuth settings.
- Skipping email verification in production: Always require email verification to prevent account takeover.
- Not enabling rate limiting: Auth endpoints are prime targets for brute force. Keep rate limiting enabled in production.
- Storing secrets in `.env` instead of `.env.local`: Auth secrets should never be committed. Use `.env.local` for `BETTER_AUTH_SECRET` and OAuth credentials.
- Testing MFA with production authenticator apps: Use a separate authenticator entry for development to avoid lockouts.
Documentation Structure
| Page | Purpose |
|---|---|
| Setup | Core configuration and database adapter |
| Auth Methods | Email/password and magic link settings |
| Social Providers | OAuth configuration (Google, GitHub) |
| MFA Configuration | TOTP-based multi-factor authentication |
| Adding Plugins | Extend Better Auth with plugins |
| Captcha Plugin | Bot protection with Cloudflare Turnstile |
| OTP Plugin | Email-based one-time passwords |
| Rate Limiting | Protect against brute force attacks |
| One-Time Token Plugin | Secure verification codes |
| Admin Plugin | User management and impersonation |
Frequently Asked Questions
How is Better Auth different from Auth.js (NextAuth)?
Where is the Better Auth configuration?
Can I use a different database?
How do I add a custom OAuth provider?
Is session data stored in cookies or the database?
How do I customize the sign-in UI?
Next: Better Auth Setup →