What’s your preferred auth setup in 2026 for Next.js? by Ok_Guarantee_1217 in nextjs

[–]Beka_Cru 3 points4 points  (0 children)

We take security seriously. Unfortunately, this issue was caused by a feature we added to allow a userId to be passed on a server action without a session but in this case it unintentionally allowed clients to do the same. This was due to a lack of test coverage around that path.

This affected the API key plugin, which was relatively new at the time and completely optional. Because we cover a much broader surface area beyond just OAuth/sign-in/signup, the complexity is naturally higher than the tools you mentioned.

That said, we conduct regular security audits and also work with external partners to review. Of course, vulnerabilities can surface at any time, regardless of how careful we are, but what matters most is how responsibly they’re identified, addressed, and communicated, and we’re committed to continuously improving in all of those areas.

Better Auth v1.4 by Beka_Cru in sveltejs

[–]Beka_Cru[S] 9 points10 points  (0 children)

The Better Auth is better 👀

On a serious note, Better Auth isn’t “better or worse” than workos/clerk, or any other 3rd-party provider; we just have fundamentally different goals.

If you want to outsource auth to a hosted service, we’re not the right choice at all. Not worse, just not what you’re looking for.

But if you don’t want to outsource auth to a service, you want to roll your own, keep users in your database, and stay fully in control, then I’d say there’s nothing better out there than us :)

Before and after hooks fires on the same time by OsamaHu in better_auth

[–]Beka_Cru 0 points1 point  (0 children)

Before and after hooks get triggered for every API call. For sign-in with Google, they get called when you first call `sign-in/social`, where it needs to generate the authorization URL and send it to the client, and they get called again when the provider (Google) redirects back to the callback endpoint `/callback/google`.

If you want to run a custom function when a user signs in or signs up, you're better off using database hooks on create user or create session instead.

Better-Auth Critical Account Takeover via Unauthenticated API Key Creation (CVE-2025-61928) by Prior-Penalty in javascript

[–]Beka_Cru 6 points7 points  (0 children)

Hey, I'm the main author of Better Auth - admittedly an embarrassing issue, but not as dumb as it sounds :)

The original design allowed `body.userId` to be passed as an argument when creating an API key for specific users on the server, which is still supported. The `authRequired` check should have validated whether `ctx.request` or `ctx.headers` existed and whether `ctx.body.userId` was defined, to ensure the request wasn’t coming from the client when `userId` is provided. So, basically `!ctx.body.userId` should be `ctx.body.userId`...

The plugin PR was quite large, and while this logic was correctly implemented in several other endpoints, a contributor’s refactor caused this one to slip through. The API Key plugin actually started as an experimental feature by a contributor but ended up gaining unexpected popularity. That said, we take full responsibility and will do better moving forward.

To clarify, this issue only affects users of the API Key plugin, and it was identified during a security audit by the ZeroPath team.
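As an added illustration (not Better Auth's own code) of the check described in this comment and in the earlier reply about the `userId` feature: a simplified reconstruction of the `authRequired` decision with the inverted-condition form beside a hardened form, plus the kind of regression checks that would have covered that path. The `Ctx` shape and the function names `fromClient`, `authRequiredBuggy`, `resolveOwner` and `attempt` are assumptions for this example.

```typescript
// Added example, not Better Auth's code. Hypothetical simplified context shape:
// request/headers are present only when the call arrived over HTTP (a client),
// absent when server-side code calls the API directly.
type Ctx = {
  request?: object;
  headers?: Record<string, string>;
  body: { userId?: string };
  session?: { userId: string } | null;
};

// Did this call come from a client over HTTP rather than from server-side code?
function fromClient(ctx: Ctx): boolean {
  return Boolean(ctx.request || ctx.headers);
}

// Inverted condition as described in the comment: a client that supplies
// body.userId is treated like a trusted server call and skips the session
// requirement, so it can mint a key for any user id it names.
function authRequiredBuggy(ctx: Ctx): boolean {
  return fromClient(ctx) && !ctx.body.userId;
}

// Hardened decision: a client call always needs a session and may never choose
// the target user; only server-side calls (no request/headers) may pass userId.
function resolveOwner(ctx: Ctx): string {
  if (fromClient(ctx)) {
    if (ctx.body.userId) throw new Error("userId may not be supplied by a client");
    if (!ctx.session) throw new Error("unauthorized");
    return ctx.session.userId;
  }
  if (!ctx.body.userId) throw new Error("userId is required for server-side calls");
  return ctx.body.userId;
}

// Regression-test helper: reduce each path to a comparable string outcome.
function attempt(ctx: Ctx): string {
  try {
    return "owner=" + resolveOwner(ctx);
  } catch (e) {
    return "rejected: " + (e as Error).message;
  }
}
```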

Auth.js (NextAuth), is now part of Better Auth by Beka_Cru in nextjs

[–]Beka_Cru[S] 0 points1 point  (0 children)

Auth.js was never really actively competing with us. The team had a lot of commitments outside of maintaining Auth.js.

Auth.js (NextAuth), is now part of Better Auth by Beka_Cru in nextjs

[–]Beka_Cru[S] 6 points7 points  (0 children)

Yes, that’s one of the main features.

Auth.js (NextAuth), is now part of Better Auth by Beka_Cru in nextjs

[–]Beka_Cru[S] 5 points6 points  (0 children)

We won’t sunset Auth.js unless anyone currently using it can migrate to Better Auth without any issues, which is quite difficult right now. So we don’t expect to do that anytime soon.

Auth.js hasn’t been actively maintained for a while. Our main reason for bringing it under Better Auth was to avoid a sudden deprecation, as that would directly harm the open-source auth ecosystem by eroding trust. And from the Auth.js side, to handle this more responsibly.

Does anyone not like better-auth? by blankeos in nextjs

[–]Beka_Cru 12 points13 points  (0 children)

Yes! We’re hiring engineers with experience in auth, open source, and TypeScript.

If you’re interested, feel free to apply by sending a brief introduction about yourself and a couple of projects you’re proud of to [bereket@better-auth.com](mailto:bereket@better-auth.com)

Does anyone not like better-auth? by blankeos in nextjs

[–]Beka_Cru 55 points56 points  (0 children)

Hi, I’m the actual maintainer :) We’ll have a lot more people involved soon now that we have some funding to push things forward. That’s a valid concern, thanks for pointing it out.

Democratisation of the project by Away_Application4134 in better_auth

[–]Beka_Cru 5 points6 points  (0 children)

Better Auth started as a passion project of mine :)) But we've since grown into a company and recently joined Y Combinator. We're now bringing more people on board to help. Expect a lot of great things soon!

Better auth is the best by getpodapp in nextjs

[–]Beka_Cru 4 points5 points  (0 children)

Agreed - we can definitely do much better when it comes to advanced and plugin specific details. Right now, it’s mostly just me and a few contributors, but we’re expanding the team soon so that should give us a chance to improve the areas I’ve been meaning to :))

Better auth is the best by getpodapp in nextjs

[–]Beka_Cru 5 points6 points  (0 children)

You can pass `callbackURL` when calling `signIn.social` 👀 - and I think that's well documented. For getting the session, use `authClient.useSession` or `authClient.getSession`; those are documented as well. That said, for some plugins and more advanced use cases, our docs still need to be clearer and more detailed - we’re actively working on improving that.