Launch HN: Better Auth (YC X25) – Authentication Framework for TypeScript
To be clear—we’re not building a 3rd party auth service. Our goal is to make rolling your own auth so ridiculously easy that you’ll never need one.
Here are some YouTube videos explaining how it works (we did make our own video but weren’t happy with it and these videos do a great job):
https://www.youtube.com/watch?v=hFtufpaMcLM - a really good overview
https://www.youtube.com/watch?v=QurjwJHCoHQ - also a good overview and dives a little deeper into the code
https://www.youtube.com/watch?v=RKqHrE0KyeE - short and clear
https://www.youtube.com/watch?v=Atev8Nxpw7c - with TanStack framework
https://www.youtube.com/watch?v=n6rP9d3RWo8 - a full-on 2 hour tutorial
Auth has been a pain point for many developers in the TypeScript ecosystem for a while. Not because there aren’t options but because most fall into 2 buckets: (1) Third-party services like Auth0 which own your user data, lock you into a black-box solution and are often super expensive; or (2) open source libraries like NextAuth that cover the basics but leave you stitching your own solution together from there.
For Better Auth, the kickoff moment was building a web analytics platform and wanting to add an organization feature - things like workspaces, teams, members, and granular permissions. I assumed there’d be something out there I could plug in to NextAuth (the popular and kind of the only library), but there wasn’t. The only options were to build everything from scratch or switch to a 3rd party auth provider. I even tried hacking together a wrapper around NextAuth to support those features, but it was hacky. That’s when we decided to take a step back and build a proper auth library from the ground up with a plugin ecosystem that lets you start simple and scale as needed. That frustration turned into Better Auth.
Better Auth lets you roll your own auth directly on your backend and database, with support for everything from simple auth flows to enterprise-grade systems without relying on 3rd party services.
It comes with built-in features for common auth flows, and you can extend it as needed through a plugin ecosystem whether that’s 2FA, passkeys, organizations, multi-session, SSO, or even billing integration with Stripe.
Unlike 3rd party auth providers, we’re just a library you install in your own project. It’s free forever, lives entirely in your codebase, and gives you full control. You get all the features you’d expect from something like Auth0 or Clerk plus even more through our plugin system, including things like billing integrations with Stripe or Polar. Most libraries stop at the basics but Better Auth is designed to scale with your needs while keeping things simple when you don’t need all the extras.
We’re currently building an infrastructure layer that works alongside the framework to offer features that are hard to deliver as just a library—e.g. an admin dashboard with user analytics, bot/fraud/abuse detection, secondary session storage, and more. This will be our commercial offering. For this, there’s a waitlist at https://www.better-auth.build. However, this is only optional infrastructure for teams that need these capabilities. The library is free and open source and will remain so.
We’d love your feedback!
This team is top notch. The community leadership, responsiveness, and development speed has been incredible. The project itself is also great--this library is so much more flexible than others and requires much less effort to wrap my brain around. I'm so happy that this library is getting the recognition it deserves.
But I tried it today and it’s pretty nice. A few bugs with user creation and custom fields with the beta oauth2 plugin. But overall very solid abstraction that will save lots of time.
Google sign in was a breeze too.
The migrations do not pick up nullable being true for custom fields though, and I see someone else already reported this.
Direct oauth registration works, most everything I need is here!
- Federated sign-in/out? In next-auth, it is a giant pain to implement: https://github.com/nextauthjs/next-auth/discussions/3938
- Automated refreshing of JWT tokens on the client-side? I always end up having to implement my own logic around this. The big problem is if you have multiple API calls going out and they all require JWT auth, you need to check the JWT validity and block the calls until it is refreshed. In next-auth on the server-side, this is impossible to do since that side is generally stateless, and so you end up with multiple refresh calls happening for the same token.
- The ability to have multiple auth sessions at once, like in a SaaS app where you might belong to multiple accounts / organizations (your intro paragraph sounds like it does)
- Handle how multiple auth sessions are managed if the user happens to open up multiple tabs and swaps accounts in another tab
- Account switching using a Google provider? This seems to be a hard ask for providers like FusionAuth and Cognito. You can't use the Google connector directly but instead use a generic OAuth2 connector where you can specify custom parameters when making the initial OAuth2 flow with Google. The use-case is when a user clicks on the Google sign-in button, it should go to the Google account switcher / selector instead of signing in the user immediately if they have an existing signed-in Google session.
- We don’t use JWTs directly, and sessions always require state (it’s not stateless). And yeah, both the client and server handle automatic session refresh.
- Yes, we support both multiple sessions or having different organizations open in different tabs: https://www.better-auth.com/docs/plugins/multi-session
- Yes, that’s possible, you just need to set the `prompt` parameter to `select_account`
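The concurrent-refresh problem raised in the question above (several API calls finding the token expired at once and each starting its own refresh) can be handled on the client by sharing one in-flight refresh promise. This is an added example, not code from Better Auth or from any commenter; `TokenManager`, `refreshFn` and the fake refresh endpoint are hypothetical names.

```typescript
// Added example: single-flight token refresh. Every name here is hypothetical.
type Token = { value: string; expiresAt: number }; // expiresAt: epoch milliseconds

class TokenManager {
  private token: Token | null = null;
  private inflight: Promise<Token> | null = null;
  private readonly refreshFn: () => Promise<Token>;
  private readonly skewMs: number;

  constructor(refreshFn: () => Promise<Token>, skewMs: number = 30000) {
    this.refreshFn = refreshFn;
    this.skewMs = skewMs; // refresh this long before the real expiry
  }

  async getToken(): Promise<string> {
    if (this.token && this.token.expiresAt - this.skewMs > Date.now()) {
      return this.token.value; // still valid: no network call
    }
    let pending = this.inflight;
    if (!pending) {
      // First caller starts the refresh; later callers await the same promise.
      pending = this.refreshFn().then(
        (t) => { this.token = t; this.inflight = null; return t; },
        // On failure clear the slot so the next call retries instead of
        // reusing a rejected promise.
        (err) => { this.inflight = null; throw err; },
      );
      this.inflight = pending;
    }
    return (await pending).value;
  }
}

// Constructed demo: five concurrent callers, no cached token, fake refresh endpoint.
async function demo(): Promise<{ refreshCalls: number; tokens: string[] }> {
  let refreshCalls = 0;
  const fakeRefresh = async (): Promise<Token> => {
    refreshCalls += 1;
    await new Promise<void>((resolve) => setTimeout(resolve, 10));
    return { value: "token-" + refreshCalls, expiresAt: Date.now() + 60000 };
  };
  const mgr = new TokenManager(fakeRefresh, 5000);
  const tokens = await Promise.all([1, 2, 3, 4, 5].map(() => mgr.getToken()));
  tokens.push(await mgr.getToken()); // sixth call is served from the cache
  return { refreshCalls, tokens };
}
```

The shared promise deduplicates refreshes only within one tab or process; separate tabs or stateless server instances each hold their own `TokenManager`.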
Why?
I've been waiting for something like this for the last year or so. There's so much that's SO CLOSE, but nothing quite as simple as "npm install -> add necessary config -> npm publish". That's what I've been waiting for and that's what it looks like you are offering here.
Very excited to spin up a new Hostinger VPS and slap this on there to provide syncing for local-first apps. If it's as easy as your docs make it seem, this will save a ton of time and headaches!
About the dashboard - would this just be an interface to my existing Better Auth setup (e.g. if I had customized the underlying data storage) or are you hosting credentials yourself?
You have my sincerest gratitude for building this incredibly useful library and documenting it so well.
One of the reasons I prefer BA is because I retain a lot of flexibility with designing the rest of the system around the authentication. So for example, if I want to have an additional column per user, it's a lot easier to wrap my head around adding a new Postgres column than using some API for appending data to a user in Cognito/Auth0/Okta/etc in some rigid format.
In the JavaScript/TypeScript ecosystem, libraries like NextAuth still have a huge number of users for the same reason: ease of use. And with the rise of full-stack TypeScript apps where both the frontend and backend live together and share a strong type system, it makes even more sense to keep all your context in one place.
That said, if you ever decide to self-host Better Auth in a dedicated container, you still can.
Back when I was looking at it a couple of months ago, the big thing that popped out was that BetterAuth supports email and password out of the box, where NextAuth seems to have a preachy disclaimer about how email and password is inherently insecure, so they leave you to your own devices to implement password hashing and the like.
That did give a sense that NextAuth was the first to dominate the space and feels as though they can dictate morals.
BetterAuth seems to be a bit more developer-focused.
Yeah I needed a login & password auth last friday and I was so frustrated with NextAuth I ended up using nginx to set up http basic auth.
I’ve never implemented auth before, and was always thinking that it will take me days to get it right.
I’ve done the whole thing in maybe 3 hours.
[0] https://dough.ink/
Interested to see how the functionality progresses!
Heavily evaluated better-auth when implementing auth at my current company. Ended up with keycloak because of SAML SSO.
One thing I remember having some issues with was customising schemas with the drizzle adapter. Looks like you've cleared up the documentation more now. I think at the time I was confused as to whether custom schemas were specified in the drizzle adapter options, or inside the organization plugin.
Basically mixing up these two: https://www.better-auth.com/docs/plugins/organization#custom... https://www.better-auth.com/docs/adapters/drizzle#additional...
Thanks for all your work, it is a really cool library!
That said, keycloak also does have a great docs site.
btw i read about your project in x a while ago, nice project!
Better Auth is great - it just works, but there were a few quirks I had to face, like how it handles everything for you using the auth client instead of giving you helper functions to use to handle login/register requests and make it customizable on the server side
The migration was very easy, since I had no users to worry about, I was able to drop my users and sessions table and use the Better Auth cli to generate a migration with all the tables I could need. Even with some initial problems I had with the auth client and having to restructure my login errors to handle what the auth client returns, I'm happy with my migration, and it opens up a whole host of plugins and features I can easily integrate in the future
Betterauth and WorkOS are pretty different. For example, WorkOS isn't designed exclusively for TypeScript (we support SDKs for a bunch of languages/platforms) and WorkOS runs as a cloud service. The developer experience will always be different because of this.
We also design the platform to be modular, which enables you to just use WorkOS for SSO or SCIM alongside an existing auth stack. We call these the standalone APIs and lots of customers use it this way.
WorkOS is focused on enterprise features for b2b apps and solving problems that come with growing upmarket. Today we power auth for OpenAI, Anthropic, Perplexity, Cursor, Vercel, Plaid, and hundreds more.
We love getting feedback so please feel free to post here, email, or twitter DMs are open. Thanks!
(I also love open source and am glad to see more innovation happening here in the ecosystem!)
Personally, if I want my app to be future proof, I would probably keep auth as a separate service while speaking standard protocols like OAuth2 so that I can maintain single source of truth for my user identity and be able to build multiple applications based on it.
> git(main) x npm add better-auth
to
> npm add better-auth
"git(main) x" looks odd and like an error.
Also, there's a huge gap between "we don't want to force that on users" and "we don't advertise it in our top-level marketing site at all". I can't be the only HN reader that is evaluating all libraries like this for Passkey support. It took me four or five clicks to even realize this library even supported Passkeys at all. If I wasn't curious about other Plugins I probably would have dismissed this entire library as outdated for lacking even basic Passkey support.
Congrats on getting into YC!
axes i care about
0. does betterauth have google/twitter/github oauth? (i assume yes but hey its basic) 2fa support? Activedirectory/Okta/Workos/other team management level auth?
1. does betterauth integrate with postgres RLS? is there a better way to do the same job?
2. (pls autocomplete)
I feel like every ecosystem should have a great auth library, and am glad to see you taking on this challenge. I come from the ruby and java worlds where devise and spring auth are great choices, and have watched as several options have risen and fallen in the JS world (passport.js, nextauth). I've heard good things about your project from colleagues, so hopefully you'll win :).
Sounds like you plan to support this via infrastructure and higher level features. Any plans to offer paid support as well?
Anyway, congrats on your launch!
I started a new side project with Cursor to see how it goes, and it suggests a lot of packages for a lot of things (often not even suggests, assume you want it and ask you to install already).
I imagine there will be a “AIO” AI optimization field soon. Have you considered at all?
I mean. If I explicitly ask Cursor models to use Better Auth for authentication, will any of them be able to use it?
A possible thing for you to work on could be to prepare a prompt with links to your documentation that I can copy and paste in Cursor (or whatever) and will successfully implement it in my project.
EDIT: If you want to give it a try at one now and post as a reply here, I’ll gladly try it. It should say to substitute Auth0, as I am already using it, in a NextJS 15 web app that uses Neon serverless Postgres as DB. But I can tweak those myself later too
Please no.
I haven't found the equivalent in the jvm space.
nice work -- maybe I will do a port to jvm
How do I know if this actually works in the long term?
Best of luck with it!
(Disclosure: I'm a co-founder of Zitadel, also building solutions in this space.)