create-auth-skill

Tags: authentication, security, typescript, javascript, better auth, user management, sso, passkey
198 stars · Updated 2026-03-02 · Source

Install this skill

npx skills add better-auth/skills

Works across Claude Code, Cursor, Codex, Copilot & Antigravity

Better Auth provides a modular, framework-agnostic authentication library for TypeScript applications. It manages user sessions, identity management, and security protocols by separating server-side logic from client-side state. The architecture relies on core packages paired with optional plugins for specialized needs like passkeys, organizational structures, or enterprise SSO. By centralizing authentication config in an auth.ts file and utilizing framework-specific handlers, the library abstracts complex tasks such as database adapter mapping and token management. It supports major database ORMs including Prisma, Drizzle, and direct SQL drivers, ensuring compatibility with most modern tech stacks. Whether you are bootstrapping a fresh project or migrating an existing backend, this tool offers a standardized approach to handling logins, password resets, and user authentication schemas through an automated migration CLI.

When to Use This Skill

  • Building a new SaaS platform requiring multi-tenant organization support
  • Adding secure user authentication to a Next.js or Hono application
  • Implementing a passkey-based passwordless login flow
  • Migrating from legacy auth systems to a type-safe TypeScript solution

How to Invoke This Skill

Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:

  • "setup better-auth for my next.js project"
  • "add social login to my app using better-auth"
  • "how do i configure better-auth with drizzle orm"
  • "add 2fa to my existing better-auth implementation"
  • "generate auth schema for better-auth"

Pro Tips

  • Always begin by consulting the official Better Auth documentation (better-auth.com/docs) for the latest syntax and best practices, especially when dealing with specific framework integrations.
  • When migrating existing authentication, plan for incremental adoption. Focus on one part of the auth flow at a time (e.g., login, then registration, then session management) to minimize disruption.
  • Utilize the Better Auth CLI commands for migrations and generation (`npm run better-auth migrate`, `npm run better-auth generate`) to ensure your database schema and configuration files are correctly synchronized.

What this skill does

  • Supports multiple database adapters including Prisma, Drizzle, and native SQL clients
  • Plugin-based architecture for 2FA, SSO, passkeys, and organization management
  • Standardized client-side hooks for React, Vue, Svelte, and Solid
  • Automated schema generation and migration CLI tools
  • Built-in support for social OAuth providers and email-based authentication

When not to use it

  • Projects requiring deep integration with non-TypeScript/JavaScript backends
  • Environments where zero-dependency or pure-manual authentication logic is mandated
  • Simple static sites that do not require server-side session management

Example workflow

  1. Install the core better-auth package and required database adapter
  2. Define the authentication config inside auth.ts
  3. Initialize the server-side route handler for your specific framework
  4. Run the CLI migration command to sync your database schema
  5. Configure the auth-client in your frontend and hook into session status

Prerequisites

  • –A TypeScript project environment
  • –An active database connection string
  • –Basic understanding of your framework's routing structure

Pitfalls & limitations

  • Forgetting to re-run the CLI migration tool after adding new plugins
  • Misconfiguring the BETTER_AUTH_URL environment variable across different deployment stages
  • Incompatibility issues if using unsupported or custom legacy database adapters

FAQ

Can I use Better Auth with Hono or other non-Next.js frameworks?
Yes, Better Auth is framework-agnostic. It provides specific handlers for Hono, Express, SvelteKit, and others, or can be used via its client package in vanilla environments.
Do I need to manually write SQL for the auth tables?
No, the Better Auth CLI generates the necessary schema files based on your configuration, which can then be applied via your preferred ORM.
How does Better Auth handle secret management?
It requires a 32-character secret set as the BETTER_AUTH_SECRET environment variable, which serves as the salt for session hashing.

How it compares

Unlike manual implementations that require writing custom session state and password hashing, Better Auth provides an abstracted, type-safe standard that syncs with ORMs automatically.

Source & trust

⭐ 198 starsπŸ•’ Updated 2026-03-02
πŸ“„ Full skill instructions β€” original source: better-auth/skills
# Create Auth Skill

Guide for adding authentication to TypeScript/JavaScript applications using Better Auth.

**For code examples and syntax, see [better-auth.com/docs](https://better-auth.com/docs).**

---

## Decision Tree

```
Is this a new/empty project?
├─ YES → New project setup
│   1. Identify framework
│   2. Choose database
│   3. Install better-auth
│   4. Create auth.ts + auth-client.ts
│   5. Set up route handler
│   6. Run CLI migrate/generate
│   7. Add features via plugins
│
└─ NO → Does project have existing auth?
    ├─ YES → Migration/enhancement
    │   • Audit current auth for gaps
    │   • Plan incremental migration
    │   • See migration guides in docs
    │
    └─ NO → Add auth to existing project
        1. Analyze project structure
        2. Install better-auth
        3. Create auth config
        4. Add route handler
        5. Run schema migrations
        6. Integrate into existing pages
```


---

## Installation

**Core:** npm install better-auth

**Scoped packages (as needed):**
| Package | Use case |
|---------|----------|
| @better-auth/passkey | WebAuthn/Passkey auth |
| @better-auth/sso | SAML/OIDC enterprise SSO |
| @better-auth/stripe | Stripe payments |
| @better-auth/scim | SCIM user provisioning |
| @better-auth/expo | React Native/Expo |

---

## Environment Variables

```
BETTER_AUTH_SECRET=<32+ chars, generate with: openssl rand -base64 32>
BETTER_AUTH_URL=http://localhost:3000
DATABASE_URL=<your database connection string>
```


Add OAuth secrets as needed: GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, GOOGLE_CLIENT_ID, etc.

---

## Server Config (auth.ts)

**Location:** lib/auth.ts or src/lib/auth.ts

**Minimal config needs:**
- database - Connection or adapter
- emailAndPassword: { enabled: true } - For email/password auth

**Standard config adds:**
- socialProviders - OAuth providers (google, github, etc.)
- emailVerification.sendVerificationEmail - Email verification handler
- emailAndPassword.sendResetPassword - Password reset handler

**Full config adds:**
- plugins - Array of feature plugins
- session - Expiry, cookie cache settings
- account.accountLinking - Multi-provider linking
- rateLimit - Rate limiting config

**Export types:** export type Session = typeof auth.$Infer.Session

---

## Client Config (auth-client.ts)

**Import by framework:**
| Framework | Import |
|-----------|--------|
| React/Next.js | better-auth/react |
| Vue | better-auth/vue |
| Svelte | better-auth/svelte |
| Solid | better-auth/solid |
| Vanilla JS | better-auth/client |

**Client plugins** go in createAuthClient({ plugins: [...] }).

**Common exports:** signIn, signUp, signOut, useSession, getSession

---

## Route Handler Setup

| Framework | File | Handler |
|-----------|------|---------|
| Next.js App Router | app/api/auth/[...all]/route.ts | toNextJsHandler(auth) → export { GET, POST } |
| Next.js Pages | pages/api/auth/[...all].ts | toNextJsHandler(auth) → default export |
| Express | Any file | app.all("/api/auth/*", toNodeHandler(auth)) |
| SvelteKit | src/hooks.server.ts | svelteKitHandler(auth) |
| SolidStart | Route file | solidStartHandler(auth) |
| Hono | Route file | auth.handler(c.req.raw) |

**Next.js Server Components:** Add nextCookies() plugin to auth config.

---

## Database Migrations

| Adapter | Command |
|---------|---------|
| Built-in Kysely | npx @better-auth/cli@latest migrate (applies directly) |
| Prisma | npx @better-auth/cli@latest generate --output prisma/schema.prisma then npx prisma migrate dev |
| Drizzle | npx @better-auth/cli@latest generate --output src/db/auth-schema.ts then npx drizzle-kit push |

**Re-run after adding plugins.**

---

## Database Adapters

| Database | Setup |
|----------|-------|
| SQLite | Pass better-sqlite3 or bun:sqlite instance directly |
| PostgreSQL | Pass pg.Pool instance directly |
| MySQL | Pass mysql2 pool directly |
| Prisma | prismaAdapter(prisma, { provider: "postgresql" }) from better-auth/adapters/prisma |
| Drizzle | drizzleAdapter(db, { provider: "pg" }) from better-auth/adapters/drizzle |
| MongoDB | mongodbAdapter(db) from better-auth/adapters/mongodb |

---

## Common Plugins

| Plugin | Server Import | Client Import | Purpose |
|--------|---------------|---------------|---------|
| twoFactor | better-auth/plugins | twoFactorClient | 2FA with TOTP/OTP |
| organization | better-auth/plugins | organizationClient | Teams/orgs |
| admin | better-auth/plugins | adminClient | User management |
| bearer | better-auth/plugins | - | API token auth |
| openAPI | better-auth/plugins | - | API docs |
| passkey | @better-auth/passkey | passkeyClient | WebAuthn |
| sso | @better-auth/sso | - | Enterprise SSO |

**Plugin pattern:** Server plugin + client plugin + run migrations.

---

## Auth UI Implementation

**Sign in flow:**
1. signIn.email({ email, password }) or signIn.social({ provider, callbackURL })
2. Handle error in response
3. Redirect on success

**Session check (client):** useSession() hook returns { data: session, isPending }

**Session check (server):** auth.api.getSession({ headers: await headers() })

**Protected routes:** Check session, redirect to /sign-in if null.

---

## Security Checklist

- [ ] BETTER_AUTH_SECRET set (32+ chars)
- [ ] advanced.useSecureCookies: true in production
- [ ] trustedOrigins configured
- [ ] Rate limits enabled
- [ ] Email verification enabled
- [ ] Password reset implemented
- [ ] 2FA for sensitive apps
- [ ] CSRF protection NOT disabled
- [ ] account.accountLinking reviewed
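
A preflight check for the machine-checkable items in the checklist above, as an added example that is not part of the Better Auth skill or library. It audits a plain object shaped like the options this guide names; `rateLimit.enabled` and `advanced.disableCSRFCheck` are assumed option names, and the sample values are constructed.

```typescript
// Added example. Option names follow this guide; `rateLimit.enabled` and
// `advanced.disableCSRFCheck` are assumptions to verify against the docs.
type Env = Record<string, string | undefined>;
interface AuthConfigLike {
  trustedOrigins?: string[];
  rateLimit?: { enabled?: boolean };
  advanced?: { useSecureCookies?: boolean; disableCSRFCheck?: boolean };
  emailVerification?: { sendVerificationEmail?: unknown };
  emailAndPassword?: { enabled?: boolean; sendResetPassword?: unknown };
}

// Returns one finding per failed checklist item; an empty array means the
// machine-checkable items pass. 2FA and account linking still need human review.
function auditAuthConfig(env: Env, cfg: AuthConfigLike, production: boolean): string[] {
  const findings: string[] = [];
  if ((env["BETTER_AUTH_SECRET"] ?? "").length < 32)
    findings.push("BETTER_AUTH_SECRET missing or shorter than 32 chars");
  if ((cfg.trustedOrigins ?? []).length === 0)
    findings.push("trustedOrigins not configured");
  if (cfg.rateLimit?.enabled !== true)
    findings.push("rate limiting not explicitly enabled");
  if (cfg.advanced?.disableCSRFCheck === true)
    findings.push("CSRF protection is disabled");
  if (typeof cfg.emailVerification?.sendVerificationEmail !== "function")
    findings.push("email verification handler missing");
  if (cfg.emailAndPassword?.enabled === true &&
      typeof cfg.emailAndPassword?.sendResetPassword !== "function")
    findings.push("password reset handler missing");
  if (production) {
    if (cfg.advanced?.useSecureCookies !== true)
      findings.push("advanced.useSecureCookies is not true");
    let url: URL | null = null;
    try { url = new URL(env["BETTER_AUTH_URL"] ?? ""); } catch { url = null; }
    if (url === null) findings.push("BETTER_AUTH_URL missing or not a valid URL");
    else if (url.protocol !== "https:" || url.hostname === "localhost")
      findings.push("BETTER_AUTH_URL is not an https production origin");
  }
  return findings;
}

// Constructed sample: a development setup promoted to production unchanged.
const sampleEnv: Env = { BETTER_AUTH_SECRET: "changeme", BETTER_AUTH_URL: "http://localhost:3000" };
const sampleCfg: AuthConfigLike = { emailAndPassword: { enabled: true }, trustedOrigins: [] };
console.log(auditAuthConfig(sampleEnv, sampleCfg, true).join("\n"));
```

Running this in CI before a production deploy turns the checklist into a failing build rather than a manual review step.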

---

## Troubleshooting

| Issue | Fix |
|-------|-----|
| "Secret not set" | Add BETTER_AUTH_SECRET env var |
| "Invalid Origin" | Add domain to trustedOrigins |
| Cookies not setting | Check baseURL matches domain; enable secure cookies in prod |
| OAuth callback errors | Verify redirect URIs in provider dashboard |
| Type errors after adding plugin | Re-run CLI generate/migrate |

---

## Resources

- [Docs](https://better-auth.com/docs)
- [Examples](https://github.com/better-auth/examples)
- [Plugins](https://better-auth.com/docs/concepts/plugins)
- [CLI](https://better-auth.com/docs/concepts/cli)
- [Migration Guides](https://better-auth.com/docs/guides)

How to Use This Skill Unit

Option A: Project-Specific (Recommended)

  1. Click "Download" above
  2. In your project, create the directory: .agent/skills/create-auth/
  3. Save the file as SKILL.md
  4. The agent will automatically discover the skill based on its description.

Option B: Global Installation (All Agents)

Save the file to these locations to make it available across all projects:

  • Claude Code: ~/.claude/skills/better-auth/skills/create-auth/SKILL.md
  • Cursor: ~/.cursor/skills/better-auth/skills/create-auth/SKILL.md
  • Antigravity: ~/.gemini/antigravity/skills/better-auth/skills/create-auth/SKILL.md

Install with CLI:
npx skills add better-auth/skills


How to use this Skill in Claude Code & Cursor

For Claude Code (CLI)

To use this skill in Claude Code, copy the rule content into your project's custom instructions or follow our Add-Skill CLI guide. This ensures Claude follows your standards during every code generation.

For Cursor & Windsurf

For Cursor or Windsurf, individual skills are best used in the "Rules for AI" section. This specific unit helps the agent avoid security & vulnerability analysis issues, leading to cleaner, more efficient code.

Why the skill format matters: the standardized Agent Skills format lets your AI agent load detailed instructions only when they are relevant, keeping your prompt clean while improving results.

Source & attribution

This skill is categorized under Security & Vulnerability Analysis and is published by Better Auth, maintained in better-auth/skills.
