919

July 14th, 2025

Better Auth with Better Auth


Transcript

Scott Tolinski

Welcome to Syntax. Today we're gonna be talking about authentication and authorization and different platforms, but mostly, my new favorite platform for doing auth on the web. And I will say CJ is gonna be doing a deeper explainer video on this. So if you're the type of person who watches this and is like, I gotta see more code and how to use this, just check back on the channel. CJ is going to be doing a video using Better Auth here. So I will say that I personally have a long history with auth, and we will get into that in just a little bit. My name is Scott Tolinski. I'm a developer from Denver. With me, as always, is Wes Bos. What's up, Wes?

Wes Bos

Oh, Node. Excited to to hear about this. I have not dipped into it yet, so I've got lots of questions for you. Yeah. Yeah, man. I'm all hopped up on a steroid. I'm on a, like, prednisone or something, so I'm a I got a lot of energy today. Oh, I can't go in the Olympics now.

Scott Tolinski

No. Yes. Right. No. Not that kind of steroid. I don't think they it's an inflammation steroid. So let me tell you, my history with auth is I frequently rolled my own auth. I wrote my own auth for Level Up Tutorials because in the initial time that the platform was built, it was built in Meteor. And when I moved it to React and just React and my own database, Mongo, I was like, oh, shoot. I was using Meteor's auth. So now I gotta build an auth that's similar to Meteor's but my own. So I wrote my own. I built it from scratch, and it wasn't impossible. I learned a lot.

Scott Tolinski

Did it take more than a day? No. Absolutely not. But did it take a lot of knowledge and requirements? Yeah.

Scott Tolinski

A lot of times people are like, don't even consider rolling your own auth. It is a treacherous path of demons and, well, it's it's not. You follow a few simple steps. You follow known best practices.

Scott Tolinski

Bingo, bango. You got an auth. But the dialogue for me has changed a little bit in terms of, like, what auth actually is as the years have gone by, and that has led me to actually wanna use other platforms for my auth instead of rolling my own. We'll talk about that as we go. But if you chose to roll your own auth, you're gonna wanna make sure you have some really good knowledge about how your site is working at all times. And to that, you need something like Sentry, sentry.io/syntax is the best place to get total visibility into your site. And Sentry has a new feature called Seer, which allows you to get to the root cause of issues on your site quickly and easily using AI. And I gotta say, man, Sentry has done such a good job of being like, let's figure out how AI works inside of our application rather than, like, Sentry as a whole as an application, rather than, like, oh, we'll just put a chatbot in the app. Right? Because that's, like, the solution that so many different companies come up with these days. Oh, you need AI. Let's throw a chatbot in the app or an autocomplete or something like that. So Sentry has done such a good job experimenting.

Scott Tolinski

And I gotta say, this is just one of a handful of incredible tools that Sentry is constantly putting out. So check them out at sentry.io.

Scott Tolinski

So why have my thoughts on auth changed over the years? Because what? Ten years ago? Eight years ago? What was auth? Right? Auth, you might have had login with Google. You might have had login with GitHub if you're a developer.

Scott Tolinski

You had email and password.

Scott Tolinski

Mhmm. That was primarily the main you had 2FA on some sites, and that 2FA could be text message. It could be your authenticator app or any of that stuff.

Scott Tolinski

Yep. You you didn't have passkeys.

Scott Tolinski

You didn't have enter your phone number, and we'll send you a text message. And now your account is tied to your phone number or whatever, like you do on TikTok or whatever.

Scott Tolinski

You didn't have that QR code sign in with your phone, and now the TV app is then Yeah. Authenticated. Yeah. Yeah. I love that, by the way. Man, whenever I have to sign in to something and it says, just pull your phone out and and scan this code, yes, please. Yeah. Yeah. I got you. No problem.

Scott Tolinski

Yeah. I know. Yeah. That that's just such a quality of life.

Scott Tolinski

Thank you. Because especially like Yeah.

Wes Bos

When you get corporate, man, these, like, OAuth integrations are are unbelievable.

Wes Bos

Be it, like, to sign in with your corporate account, and auth is a very, very complicated and deep well, and I don't envy anybody that has to work full time on auth, because that seems hard. Yeah. It it it has only gotten harder and more complicated.

Scott Tolinski

And so what are your choices? Your choices are to, one, use, like, a paid service.

Scott Tolinski

Like a paid service, there's several, like, very popular paid services out there to do auth that have been around for a while. You have, like, Auth0 has been around for a while. They sponsored Syntax at some point. They're a very reliable

Wes Bos

application platform for hosting now. Popular right now as well. Clerk is popular.

Scott Tolinski

The thing that I have a holdup with these is it's like, I like hosting my stuff. I like hosting my stuff where I host all my other stuff. I like it to be part of my database. I don't wanna have to pay for a service. I don't wanna have to rely on another server for my authentication system if my authentication system is a part of my, like, current site. I just don't wanna have that.

Scott Tolinski

There's other ones. Lucia was a really popular one for a little bit of of rolling your own auth. It's deprecated now. I always, like, I always appreciated Lucia existing, but it still felt like you were doing a lot of work to get auth going.

Scott Tolinski

It gave you some of the tools to get auth going, but it was still like, I might as well just been rolling my own. And that's the balance I've always found to be a bit tenuous with some of these things. They're either not full featured enough or they're full featured and you gotta do everything yourself. And by that point, like, why am I even using this? Yeah. It's like a little little lower level. Like, I use I use Passport

Wes Bos

Yes. Passport. On my website. Classic. But, like, I I have I have to do all the JWT stuff myself and whatnot. I'm sure that's changed since whenever I I've I've actually implemented it, but, yeah, it's it it was more of a lower level primitive where you have to do all of the the heavy lifting yourself.

Scott Tolinski

Yes.

Scott Tolinski

Now we have some choices.

Scott Tolinski

Arctic. I'd never used or heard of Arctic until when I went to research this episode. So if you're using Arctic, let me know how you feel about it. There's a lot of providers here. It's an OAuth client.

Scott Tolinski

I've never seen it.

Scott Tolinski

The docs, aesthetically, don't don't give me the warm and fuzzies, but it exists, and it was an option. OpenAuth from the folks who do SST.

Scott Tolinski

OpenAuth is great. This is basically a roll your own OAuth.

Scott Tolinski

Gives you a little OAuth server. You can sign in with all the different stuff. You can customize the UI a little bit. There's all these different OAuth providers. I like the idea of this.

Scott Tolinski

I never quite got it. I think there's there's I need to spend a little bit more time with it. If you're out there and you're using OpenAuth and really prefer it, well, that sounds great. Let me know. But, again, it it feels like it's its own auth client that just kinda stands alone. It's its own thing. Right? There is NextAuth, which I don't know if you know this, but NextAuth became Auth.js.

Scott Tolinski

Or at least, yes, they have opened it up to be more than just Next.js. It works with all of the stuff. They have example apps with SvelteKit. This to me seems like a nice option.

Scott Tolinski

This is kind of interesting. Looking for a hosted alternative, use Clerk. You know? I I I don't have anything bad to say about Auth.js.

Scott Tolinski

But when I learned about Better Auth, this was the first auth platform for me that made me say, I gotta use this thing, because it does everything.

Scott Tolinski

And it does absolutely everything, and it connects very well to the tools that you you know and love. So when you get through it, yeah, like, works with all your frameworks.

Scott Tolinski

Multifactor authentication, you know, has support for OAuth or email and password, members and invitation, has a ton of plug ins, works with all of the good stuff. And built in rate limiter. That's another thing I had to to write myself as well. That's nice. So when we go through this, I'll show you a little bit about what's so cool about this. But I I spent some time this past week implementing both JWT based auth flows as well as your standard session based cookie auth flow with this, using SvelteKit and Cloudflare Workers and using D1.

Scott Tolinski

And it was really, really super painless, really super painless, to the point where I was up and running in no time. I I was trying to get a whole LiveStore is another local-first platform for, like Yeah. It that's a whole other topic, which we'll talk about some other time. And I I hit some snags getting LiveStore working in SvelteKit since there isn't an official implementation just yet. But I got this side of things up and running in no time. I was able to

Wes Bos

authenticate, log in, all that stuff. So this is to be clear, this is a package for when your server is in JavaScript, and they also provide client stuff when you want your UI to be in I guess, your UI is always in JavaScript.

Scott Tolinski

Yeah. And and I don't know

Wes Bos

specifically There's a a Vue adapter, a Svelte adapter,

Scott Tolinski

Solid, Vanilla, and React. Yeah. And so when I rolled mine, I did make the form myself, and I'm just submitting to an endpoint. And in that endpoint, I'm using auth.handler as, like, the the endpoints, and that is handling

Wes Bos

all of the endpoints for me. Do it yourself. Yeah. I it looks like what they give you is just, like, sign in, sign up, and session functions.

Scott Tolinski

Correct. And that's really how I prefer these things to be, personally, because I like, you know, I don't like it going off somewhere and and opening on another window or something like that. I want my darn auth in my darn app, and I wanna have control over the form. I want it to look like the rest of my app, and I want it to feel nice. In fact, it depends on what you need and want. Right? So, basically, yeah, you got all this dang stuff. There's a CLI to generate your migrations for you. And if you're using the Drizzle adapter, it generates the Drizzle schema, which then you can just use Drizzle's own migrations for you. If you're using Kysely, it works with all of the ORMs.

Scott Tolinski

So the CLI is really great. You just run a generate command, and it gives you the migration files.

Scott Tolinski

Man, there's just so many, nice things here, that that in terms of, like, when you need to to have a specific style of auth, it can handle it for you. Because some of these platforms are like, we do session based auth, and that's it. With this, it's like, if I wanna do session based auth, I got it. If I wanna do JWT, like I said, I got it. If I wanna connect it to my own database, I got it. There's no problems there. Or if I wanna have a database just for auth, you can do that too.

Scott Tolinski

It even connects directly to email, and you can add email verification directly from Better Auth, which is something when I I was working on an email client for my platform drop in, Wes, this was built into my auth list. Because back in Meteor days, that was built in. And, like, all these that like, sending an email with authentication is something you always gotta do. So, like, it makes so much sense to have email verification and all that stuff being a part. And and it it's really mostly just like the hooks. Right? Because you're you're writing and bringing in your own email platforms, but it's it's creating the emails for you. It's well, it's you're creating the emails, but it it's it's giving you those hooks to send the verifications.

Scott Tolinski

It's not providing

Wes Bos

you with the URL. Reset tokens and expiring and all that. Wes. Yeah. I I wrote all that myself as well.

Scott Tolinski

Yes. Nice. I've written two-factor auth myself. So I've done all of this stuff, rolled my own, and I gotta say that it's so nice that it, like, here's your token, here's your URL, send reset password, gotta have it. And, you know, it gives you hooks for everything. It lets you tap in here if you wanna tap in. There's plug ins to add in the whole plug in system, which we'll talk about in a little bit.

Scott Tolinski

Like we mentioned, there's OAuth providers. So if you just want sign in with Google, you don't even have to darn set anything up for that. You're just bringing in your ID. Next thing you know, like, that's the easiest possible way to get up with running with this in no time.

Scott Tolinski

Rate limiting is just a couple of properties when you're configuring your auth. You want a rate limit? You can add a rate limit. Rate limit enabled. True. Done. Bingo. Bango. Like, man, it they it's like, we know exactly what you want with auth and what you do with auth, and we're just going to make it do everything for you. Again, session management can be enabled. And if you have session management, you can choose how long those sessions are. And, again, it generates the database schemas and everything for you. You're not having to ever write a database schema with this thing, which I've written a ton of those for. I'll tell you that. Yeah. Oh, and there's CAPTCHA integration,

Wes Bos

which is is key as well. Because I was I was, like, thinking about, like, looking at the rate limiting. I was like, yeah. Rate limiting is is one part of it. You know? You don't want people hitting your sign up endpoints too often. But then there's also you have to throw a CAPTCHA in there when people are trying to sign in. There's even, like, update user functions and stuff like that, which

Scott Tolinski

yes. Delete user Node user. Refreshing.

Scott Tolinski

It's very refreshing.

Scott Tolinski

And I've just like you know, so many times when you see things like this, there's a lot of big promises made and underdelivered.

Scott Tolinski

This thing has flown so far under the radar to me that by the time I'm seeing it, it is a full grown ass man of a package. It has got everything in here.

Scott Tolinski

Social sign ons, you could sign in with Roblox if you wanna sign in with Roblox.

Scott Tolinski

You can do that.

Scott Tolinski

Let's sign in with with any of this stuff, hugging face or any of these things.

Scott Tolinski

The the database integration, it works with MySQL, SQLite, Postgres.

Scott Tolinski

It has adapters for Drizzle, Prisma, MongoDB, everything. I'm telling you, when I got this up and running with D1, it was as simple as just using the SQLite adapters and and bingo bango. And I did it with Drizzle, actually, just because Drizzle makes a lot of sense for that. So Drizzle, SQLite, D1, you're good to go. Integrations.

Scott Tolinski

There's integrations for all of your stuff. Astro, Remix, Nuxt, Svelte. Like, who wrote all this code? This this is so much stuff, and it's it's great.

Wes Bos

Sanity be known.

Scott Tolinski

Yeah. It it's awesome. It works with everything here. And the plug in ecosystem is wonderful. So let's talk about the plug ins. And, folks, this is not a paid product. This is this is something you can just use. This is not an advertisement. This is me just gushing about something I like.

Scott Tolinski

You got two-factor auth that can come with the 2FA one-time password, you know, time-based one-time passwords. You can get all of that. It's a plug in. Standard username and password.

Scott Tolinski

You can get anonymous logins. You can do the whole phone number and send a one time password over the phone. You wanna log in like a pro like TikTok, they got you on that one.

Scott Tolinski

Super nice.

Scott Tolinski

It it is in here. Magic link auth if you're the type of person who likes to go to an email email,

Wes Bos

one time password. And hate. I Yeah. Both love and hate magic links so much. There's a time when I like them and a time when I hate them, and it depends on the dial. Yeah. I don't know what my password is. Send me a link. That's that's fine. But half the time, I'm sitting there waiting, like, I don't know, ten seconds for them to send the email and then another ten, fifteen seconds for my email to refresh. And it's just like, come on. Let me in. Passkeys has been the best experience I've had ever with authentication because it just pops up. You wanna sign with the passkey, you hit the button.

Wes Bos

You I don't know. You scan your face or your palm or whatever you need to do, and then boom, you're in. You don't have to do all this dancing. Send me an email. Let me copy this stupid code, or let me let me use the SMS token. I hate that as well. That seems like everybody's everybody's doing SMS right now. Yep. So passkey in here. What is this? One tap allows a single tap using Google's One Tap API. I've never heard of this. Yeah. One Tap is Google, like, sign in with Google.

Wes Bos

When they released it, sites were, like, very aggressively popping it up, and that was really annoying because, like, you could just visit a random website and be like, sign in with Google or sign up with Google, and you just have to hit it. It does some weird like, it iframes in the Google thing, so it will show, like, your your face and your icon and your email address and everything, but the site can't access that until you explicitly allow it. Mhmm. But that is a, you know, in some cases, it can be a nice experience if you open it up properly. I think Google fixed that, though, because I haven't had that annoyance in a while.

Scott Tolinski

Yeah.

Scott Tolinski

Even more additional features, admin stuff. Listen to this. Admin provides a set of administrative functions for user management, allow for creating users, managing roles, banning and unbanning, and impersonating users. This is stuff that every single auth system needs to have in it, and and oftentimes, you're writing that yourself. I've written an impersonation system. I've written a banning and unbanning. I called it the ban hammer. And it was, it was pretty it was pretty fun to use, but, like, I would have rather not having to write it myself.

Scott Tolinski

That's for sure.

Wes Bos

Wait. So you said there's there's a whole banning system?

Scott Tolinski

Yes.

Scott Tolinski

Yes. Banning and unbanning. So impersonating, creating and managing from an admin side of things.

Wes Bos

Wow.

Wes Bos

So is this this doesn't get into, like, roles and and access, does it?

Scott Tolinski

Roles. It gets into setting roles.

Wes Bos

Really?

Scott Tolinski

Yes. Setting roles.

Wes Bos

Set roles. But it has access controls built in?

Scott Tolinski

Brother.

Scott Tolinski

I'm telling you. This thing absolutely rules.

Scott Tolinski

And then MCP.

Scott Tolinski

MCP plug in lets you act as an OAuth provider for MCP clients if you need that.

Scott Tolinski

I'll dude, there is just it's too much stuff in here, in terms of, like it just does it all dang all.

Scott Tolinski

Single support, single sign on, bearer tokens.

Scott Tolinski

Like you said, CAPTCHA. There's a feature in here that can check the Have I Been Pwned database to know if your password has been involved in any sort of data leaks.

Scott Tolinski

Multi session, active multiple sessions across different accounts from the same browser.

Scott Tolinski

Man, there is just so many things. There's even a a Stripe plug in. Listen what the Stripe plug in does. Process subscription life cycle events so you can probably change roles based on a subscription. Like

Wes Bos

Oh, that's a good call. You keep those in in sync.

Scott Tolinski

And and, like yeah. Man And there's guides. The docs are great.

Scott Tolinski

Here, you wanna use it with or wanna migrate from Supabase or Next or Clerk, you can do that.

Scott Tolinski

Man.

Scott Tolinski

I gotta say, better auth folks.

Wes Bos

It will this hook up to to your users? Like, this does this also take care of, like, what a user is? Or Yeah. Or and create new data. What if you have existing, like, users? You probably can

Scott Tolinski

hook that up. Right? I you know, there's there's references on here on how to migrate from other platforms, so I would look into that because I don't know how you would migrate, like, given that, like, the hashing algorithms and stuff depends on what this uses and what that uses.

Scott Tolinski

Mhmm. I don't know. I don't know, exactly.

Scott Tolinski

If you store your passwords as plain text, you don't have that problem. But what it does give you, it spits all this stuff out. Like I said, it spits out the schemas that you then use to do the migrations, or it spits out just straight up migration files for you. So, again, like, you tell it what you need, and it's either giving you the session table, the user table, whatever, the admin tables. It's giving you all that stuff. And then if you add features, it's giving you the migrations for those. You can use it with whatever ORM or whatever solution you're doing to manage your migrations, or you can write those by hand with the SQL files that it pumps out of here for you. So it it lit the the reason I like this so much is it lives as part of your database where your data is if you wanted to. If you wanna keep your users with all your other stuff,

Wes Bos

it just lives there. Someone I don't I don't think this exists, but someone needs to build this. Is there, like, a a UI? You know how, like, Drizzle Kit has or Drizzle has Drizzle Kit, which is kind of just a UI for managing the database? Yeah. What I want with this is a UI for all of the user management. You know? Like, see active sessions, look at all the roles, assign new roles, remove roles. Like, the the whole UI around that. User management and, like, access control and sessions and banning and unbanning, all of that is that's a that's a very complex UI. It would be really nice to have, like, some sort of thing you could drop in that allows you to query filter for all of this.

Scott Tolinski

And it feels like that would be relatively easy given that there is all of like, with the admin, the plug in here. Like, you know, you can list users with a specific query, get all those users. You can ban, and you can manage those things really easily from the auth ESLint.

Scott Tolinski

So, like, to me, that, like, the UI part of it would be really nice to have as just, like, an addition to this based on whatever you're using.

Scott Tolinski

Yeah. People out there are probably wondering, what is the effing catch? What's the catch here? Yeah. It says they've raised $5,000,000.

Wes Bos

Is is there a rug pull coming?

Scott Tolinski

There is not a rug pulling. One thing that I really appreciate about these folks is that there is a product behind this, but the product does not take away from the open source side of things.

Scott Tolinski

So, like, what does like, where is that product?

Wes Bos

You can't even find it. That's good.

Scott Tolinski

Yeah. Which is funny because I I've actually I've signed up for the wow. Interesting. They just have this I've signed up for it at some point to join the waitlist.

Scott Tolinski

So the product is a managed version, essentially, like Clerk or something like that if you don't wanna add it into your stack.

Scott Tolinski

But it also includes all of the things that you would need, like, for sending email and SMS.

Scott Tolinski

So it's you're not having to bring your own email. You're not having to bring your own SMS service. Like hook it up to Twilio or whatever.

Scott Tolinski

Right. You're not having to bring all that stuff. It includes all of that. So it's just like, hey.

Scott Tolinski

We we've given you the components. You can hook it up to your own stuff. But now and and here, here's one that you'll notice, a unified dashboard to manage users and user analytics. So it's giving you that analytics dashboard.

Scott Tolinski

And, that's what I was just talking about, that UI component, that's probably gonna be one of their paid features. Yeah. Yes. And it looks good, and it doesn't look like something that I would be paying for because I honestly don't need this.

Scott Tolinski

But I am one of these 4,000 people that have joined the waitlist because I do think the product looks good, but it's not removing any of the stuff that I would actually need to wanna use this. So Yeah.

Wes Bos

Yeah. Or, like like, what a lot of people do as well with auth is they're you have an idea.

Wes Bos

You just want you need to build a product. Yeah. You just throw a a hosted auth in there as quick as possible because you're like, I'm not I'm excited about the product. I'm not excited about, like, hashing JWT tokens and and whatnot. Like, I'm not gonna spend forever on that. So you just slap that in there. So it's nice to know that you'd be able to, like, duck out to this thing if you needed to. And Better Auth folks,

Scott Tolinski

like, the developers behind this, gosh, you guys are just guys and gals, whoever's doing this, are on it. They even have an llms.txt of their entire docs, done in markdown, for LLM consumption.

Scott Tolinski

So if you're the type of person who wants to just pass this into Cursor and have it available to reference, you they they they got you on that too. So, llms.txt is one of my new favorite things that a lot of folks are doing, to give you just quickly and easily consumable documentation in text form, and they got that too. So, man, if you need if you need if you need a new auth solution in your life that, like, doesn't provide a lot of pain, man, this is not an ad, obviously. They're they're not making any money even yet. There's no product.

Scott Tolinski

But I've I've used it. I've been to the edge and back. I've tried it. It was great. I used it for two different types of auth flows. It was easy to change between them. I'd change between them in a couple minutes, just ran a migration, changed some code around, save my JWT or whatever, and now I'm in with the JWT based auth if I want it. Docs are very nice and easily consumable.

Scott Tolinski

And there's just there's just a lot of good stuff here. So I don't I don't have any additional thoughts other than Better Auth truly is, like, the thing that's made me reconsider writing my own auth, and I will be using this going forward. And I'm gonna dump I'm gonna dump the auth package that I was writing because this is, like, 10,000 times better and has wider coverage than anything I could possibly do on my own. So shout out to the Better Auth team.

Wes Bos

Awesome. Alright. Thanks so much for tuning in. Thanks for the explanation, Scott, and we will catch you later.
