Launch HN: Better Auth (YC X25) – Authentication Framework for TypeScript
49 comments
·May 19, 2025benmccann
NextAuth certainly needs some competition. However, I wish better-auth didn't have so many dependencies. I feel like it shouldn't be necessary to depend on things like kysley and Typescript.
jamesjulich
A few months ago, I found a security vulnerability for better-auth. Within 24 hours of reporting the vulnerability to the team, it was patched, a notice had been posted, and I had been credited with a CVE. THAT is how you do it, folks!
This team is top notch. The community leadership, responsiveness, and development speed has been incredible. The project itself is also great--this library is so much more flexible than others and requires much less effort to wrap my brain around. I'm so happy that this library is getting the recognition it deserves.
ymir_e
Congratulations on the launch!
Heavily evaluated better-auth when implementing auth at my current company. Ended up with keycloak because of SAML SSO.
One thing I remember having some issues with was customising schemas with the drizzle adapter. Looks like you've cleared up the documentation more now. I think at the time I was confused as to wether custom schemas were specified in the drizzle adapter options, or inside the the organization plugin.
Basically mixing up these two: https://www.better-auth.com/docs/plugins/organization#custom... https://www.better-auth.com/docs/adapters/drizzle#additional...
Thanks for all your work, it is a really cool library!
jprokay13
Do you have any recommendations on how to get started with Keycloak or just RTFM?
theogravity
Does it handle:
- Federated sign-in/out? In next-auth, it is a giant pain to implement: https://github.com/nextauthjs/next-auth/discussions/3938
- Automated refreshing of JWT tokens on the client-side? I always end up having to implement my own logic around this. The big problem is if you have multiple API calls going out and they all require JWT auth, you need to check the JWT validity and block the calls until it is refreshed. In next-auth on the server-side, this is impossible to do since that side is generally stateless, and so you end up with multiple refresh calls happening for the same token.
- The ability to have multiple auth sessions at once, like in a SaaS app where you might belong to multiple accounts / organizations (your intro paragraph sounds like it does)
- Handle how multiple auth sessions are managed if the user happens to open up multiple tabs and swaps accounts in another tab
- Account switching using a Google provider? This seems to be a hard ask for providers like FusionAuth and Cognito. You can't use the Google connector directly but instead use a generic OAuth2 connector where you can specify custom parameters when making the initial OAuth2 flow with Google. The use-case is when a user clicks on the Google sign-in button, it should go to the Google account switcher / selector instead of signing in the user immediately if they have an existing signed-in Google session.
bekacru
- Not right now, but there’s already an open issue and a PR in progress.
- We don’t use JWTs directly, and sessions always require state (it’s not stateless). And yeah, both the client and server handles automatic session refresh.
- Yes, we support both multiple sessions or having different organizations open in different tab: https://www.better-auth.com/docs/plugins/multi-session
- Yes, that’s possible, you just need to set the `prompt` parameter to `select_account`
Destiner
I’ve just used BetterAuth for my project [0]
I’ve never implemented auth before, and was always thinking that it will take me days to get it right.
I’ve done the whole thing in maybe 3 hours.
catapart
Sold!
I've been waiting for something like this for the last year or so. There's so much that's SO CLOSE, but nothing quite as simple as "npm install -> add necessary config -> npm publish". That's what I've been waiting for and that's what it looks like you are offering here.
Very excited to spin up a new Hostinger VPS and slap this on there to provide syncing for local-first apps. If it's as easy as your docs make it seem, this will save a ton of time and headaches!
badmonster
How does Better Auth handle multi-tenant authentication across different subdomains or apps within a monorepo setup?
btw i read about your project in x a while ago, nice project!
primitivesuave
Better Auth is awesome and I didn't even realize they hadn't publicly launched yet - I'm using it in production apps, and have seen it being used in all kinds of real-world use cases. IMO it's the best open-source option for a TypeScript developer who wants to implement authentication.
About the dashboard - would this just be an interface to my existing Better Auth setup (e.g. if I had customized the underlying data storage) or are you hosting credentials yourself?
You have my sincerest gratitude for building this incredibly useful library and documenting it so well.
bekacru
Thanks for the kind words - really appreciate it! And yes, it connects directly to your existing setup (the dashboard is mostly just a UI). What you’re really “buying” from us are the additional features on the dashboard like bot protection, analytics, etc...when you need them. We’re still figuring out the pricing, but most likely, the base dashboard will just be free ;)
primitivesuave
Awesome! I used Better Auth for consulting work helping clients build MVPs, and if I could hand them a beautiful admin dashboard rather than linking it up to Retool or their BI tool of choice, they would instantly go for it - especially with all the bot protection and analytics features that I don't have time to build.
One of the reasons I prefer BA is because I retain a lot of flexibility with designing the rest of the system around the authentication. So for example, if I want to have an additional column per user, it's a lot easier to wrap my head around adding a new Postgres column than using some API for appending data to a user in Cognito/Auth0/Okta/etc in some rigid format.
davedx
Sounds great! I'm interested to hear, how does this solution compare with open source, self-hosted authn components like Keycloak and Ory Kratos? While it's a bit more leg work integrating those, I've found that it's useful that they're self-contained and run in their own environment/container; but I have also sometimes wished that the data was more tightly integrated with my own application, which I guess is what you're aiming for.
gardnr
Most people will reach for BetterAuth when they would reach for NextAuth. Basically, when you want to integrate OIDC or SSO of some kind.
Back when I was looking at it a couple of months ago, the big thing that popped out was that BetterAuth supports email and password out of the box, where NextAuth seems to have a preachy disclaimer about how email and password is inherently insecure, so they leave you to your own devices to implement password hashing and the like.
That did give a sense that NextAuth was the first to dominate the space and feels as though they can dictate morals.
BetterAuth seems to be a bit more developer-focused.
koakuma-chan
> where NextAuth seems to have a preachy disclaimer about how email and password is inherently insecure
Yeah I needed a login & password auth last friday and I was so frustrated with NextAuth I ended up using nginx to set up http basic auth.
bekacru
Yes, that’s exactly what we’re aiming for. I think there are many reasons to tightly couple auth with your app. As you said, self-hosting auth servers and integrating them often isn’t a fun experience and that’s one of the reasons 3rd party auth providers became so popular.
In the JavaScript/TypeScript ecosystem, libraries like NextAuth still have a huge number of users for the same reason: ease of use. And with the rise of full-stack TypeScript apps where both the frontend and backend live together and share a strong type system, it makes even more sense to keep all your context in one place.
That said, if you ever decide to self-host Better Auth in a dedicated container, you still can.
ffo
Congrats on the launch of Better Auth! It's great to see a new framework aiming to make rolling your own auth in TypeScript easier. More well-thought-out options for developers in the authentication and authorization landscape are always welcome.
Best of luck with it!
(Disclosure: I'm a co-founder of Zitadel, also building solutions in this space.)
abhisek
The closest I can think of is Devise for Ruby on Rails ecosystem. While these solution provides great developer experience to get started, IMHO there are solid reasons to have separate identity providers like Auth0 or if you like to self-host, stuff like Keycloak, Dex and more. Consider your business logic backend need multi-region deployments, where will you keep the auth DB?
Personally, if I want my app to be future proof, I would probably keep auth as a separate service while speaking standard protocols like OAuth2 so that I can maintain single source of truth for my user identity and be able to build multiple applications based on it.
clgeoio
Nice work! I took better-auth for a test a couple of months ago. I enjoyed the experience, but the DX was pretty poor when using edge frameworks (like Cloudflare Workers) as the CLI tools didn't work. For workers for example, environment variables are not known at build time, rather injected in the "fetch()" handler.
Interested to see how the functionality progresses!
Hi HN! We’re Bereket and KinfeMichael of Better Auth (https://www.better-auth.com/), a comprehensive authentication framework for TypeScript that lets you implement everything from simple auth flows to enterprise-grade systems directly on your own database, embedded in your backend.
To be clear—we’re not building a 3rd party auth service. Our goal is to make rolling your own auth so ridiculously easy that you’ll never need one.
Here are some YouTube videos explaining how it works (we did make our own video but weren’t happy with it and these videos do a great job):
https://www.youtube.com/watch?v=hFtufpaMcLM - a really good overview
https://www.youtube.com/watch?v=QurjwJHCoHQ - also a good overview and dives a little deeper into the code
https://www.youtube.com/watch?v=RKqHrE0KyeE - short and clear
https://www.youtube.com/watch?v=Atev8Nxpw7c - with TanStack framework
https://www.youtube.com/watch?v=n6rP9d3RWo8 - a full-on 2 hour tutorial
Auth has been a pain point for many developers in the TypeScript ecosystem for a while. Not because there aren’t options but because most fall into 2 buckets: (1) Third-party services like Auth0 which own your user data, lock you into a black-box solution and are often super expensive; or (2) open source libraries like NextAuth that cover the basics but leave you stitching your own solution together from there.
For Better Auth. the kick off moment was building a web analytics platform and wanting to add an organization feature - things like workspaces, teams, members, and granular permissions. I assumed there’d be something out there I could plug in to NextAuth (the popular and kind of the only library), but there wasn’t. The only options were to build everything from scratch or switch to a 3rd party auth provider. I even tried hacking together a wrapper around NextAuth to support those features, but it was hacky. That’s when we decided to take a step back and build a proper auth library from the ground up with a plugin ecosystem that lets you start simple and scale as needed. That frustration turned into Better Auth.
Better Auth lets you roll your own auth directly on your backend and database, with support for everything from simple auth flows to enterprise-grade systems without relying on 3rd party services.
It comes with built-in features for common auth flows, and you can extend it as needed through a plugin ecosystem whether that’s 2FA, passkeys, organizations, multi-session, SSO, or even billing integration with Stripe.
Unlike 3rd party auth providers, we’re just a library you install in your own project. It’s free forever, lives entirely in your codebase, and gives you full control. You get all the features you’d expect from something like Auth0 or Clerk plus even more through our plugin system, including things like billing integrations with Stripe or Polar. Most libraries stop at the basics but Better Auth is designed to scale with your needs while keeping things simple when you don’t need all the extras.
We’re currently building an infrastructure layer that works alongside the framework to offer features that are hard to deliver as just a library—e.g. an admin dashboard with user analytics, bot/fraud/abuse detection, secondary session storage, and more. This will be our commercial offering. For this, there’s a waitlist at https://www.better-auth.build. However, this is only optional infrastructure for teams that need these capabilities. The library is free and open source and will remain so.
We’d love your feedback!