Better Auth in TypeScript — setting up the auth instance, picking adapters, wiring framework route handlers, configuring sessions and cookies, adding plugins (2FA, organization, admin, magicLink, JWT), or porting from NextAuth/Auth.js, Clerk, Auth0, or Supabase Auth. Covers Next.js, SvelteKit, Hono, Express, Nuxt, Astro, and React/Vue/Svelte clients. Trigger when writing, reviewing, or migrating Better Auth code — and even when the user doesn't explicitly mention Better Auth but is working on TypeScript authentication, session cookies, OAuth providers, or auth-library migration. Contains 42 rules organized by impact across 8 categories.
How this skill is triggered — by the user, by Claude, or both
Slash command
/pproenca-dot-skills-1:better-authThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Implementation and migration guide for [Better Auth](https://www.better-auth.com), the framework-agnostic TypeScript authentication and authorization library. This skill contains 42 rules organized by impact across 8 categories, derived from the official documentation and migration guides.
Implementation and migration guide for Better Auth, the framework-agnostic TypeScript authentication and authorization library. This skill contains 42 rules organized by impact across 8 categories, derived from the official documentation and migration guides.
Reference these guidelines when:
lib/auth.ts, auth-client.ts, or /api/auth/ route handlers| Priority | Category | Impact | Prefix |
|---|---|---|---|
| 1 | Setup & Configuration | CRITICAL | setup- |
| 2 | Database Adapters & Schema | CRITICAL | db- |
| 3 | API Route Handlers | CRITICAL | route- |
| 4 | Session & Cookies | HIGH | session- |
| 5 | Auth Methods & Providers | HIGH | auth- |
| 6 | Security & Hardening | HIGH | security- |
| 7 | Plugins & Extensions | MEDIUM | plugins- |
| 8 | Migration from Other Auth | MEDIUM | migrate- |
setup-secret — Set a strong BETTER_AUTH_SECRET per environmentsetup-base-url — Configure an explicit baseURL per environmentsetup-client-base-url — Match the client baseURL to the serversetup-singleton — Export a single auth instance from a server-only modulesetup-trusted-origins — Configure trustedOrigins for all non-baseURL callersdb-adapter-selection — Pick the adapter that matches your ORMdb-schema-generate — Run auth generate then ORM migrate before every deploydb-additional-fields — Extend the user schema via additionalFieldsdb-plugin-schema-customization — Rename plugin tables via the schema optiondb-database-hooks — Use databaseHooks for cross-cutting logicdb-connection-pooling — Share one pooled DB client with the rest of your approute-mount-catchall — Mount the catch-all handler at /api/auth/[...all]route-runtime-selection — Use the Node.js runtime for middleware that calls auth.apiroute-no-body-consumers — Mount auth before any body-parsing middlewaresession-server-vs-client — Use auth.api.getSession on server, authClient.useSession on clientsession-expiry-tuning — Configure expiresIn and updateAge togethersession-cookie-cache — Enable cookieCache to cut session DB lookupssession-cookie-attributes — Set sameSite, secure, partitioned for cross-site flowssession-cross-subdomain — Enable crossSubDomainCookies for multi-subdomain appssession-customsession-fields — Use customSession to add computed fieldsauth-require-email-verification — Enable requireEmailVerification with sendVerificationEmailauth-oauth-redirect-uri — Match OAuth redirectURI exactly with the provider consoleauth-oauth-env-vars — Load OAuth credentials from environment, never inlineauth-magic-link-setup — Implement sendMagicLink before enabling the magicLink pluginauth-client-sign-in-helpers — Use authClient.signIn.social with callbackURLauth-infer-additional-fields — Add inferAdditionalFields to the client for type syncsecurity-rate-limit — Enable rateLimit with persistent storage in productionsecurity-password-hash-interop — Override hash function when migrating from bcrypt/argon2security-revoke-on-password-reset — Enable revokeSessionsOnPasswordResetsecurity-min-password-length — Set minPasswordLength to at least 10security-trusted-origins-strict — Never wildcard trustedOriginsplugins-next-cookies-last — Place nextCookies() as the LAST plugin in Next.jsplugins-two-factor-issuer — Set appName as the 2FA issuerplugins-shared-access-control — Define ac + roles once, share server/clientplugins-pair-client-server — Pair every server plugin with its client counterpartplugins-organization-active-context — Set active organization on sessionplugins-jwt-when-to-use — Use the jwt plugin only for external service consumersplugins-admin-impersonation — Use admin plugin's impersonate method for support accessmigrate-parallel-cutover — Run Better Auth alongside legacy auth during cutovermigrate-oauth-account-mapping — Map legacy OAuth identities to account rowsmigrate-force-allow-id — Use forceAllowId to preserve existing user IDsmigrate-nextauth-schema-mapping — Map NextAuth v5 columns field-by-fieldFor a fresh implementation, read in priority order: start with all setup- rules, then db-, then route- — these CRITICAL categories must be correct or nothing else works. After the foundation, pick the rules that match your scope: session- for cookie/expiry tuning, auth- for provider configuration, security- for production hardening.
For a migration from another auth library, read migrate-parallel-cutover first (strategy), then security-password-hash-interop (preserve user passwords), then migrate-oauth-account-mapping and migrate-nextauth-schema-mapping (data layout).
Read individual reference files for detailed explanations, incorrect vs. correct code examples, and links to the canonical Better Auth documentation.
| File | Description |
|---|---|
| references/_sections.md | Category definitions ordered by impact |
| assets/templates/_template.md | Template for adding new rules |
| metadata.json | Version, references, and discipline metadata |
npx claudepluginhub joshuarweaver/cascade-code-general-misc-1 --plugin pproenca-dot-skills-1Implements Better Auth with 40+ OAuth providers, 20+ plugins, and all adapters/frameworks. Use for authentication, login, OAuth, 2FA, magic links, SSO, Stripe, SCIM, or session management.
Provides knowledge patches for Better Auth 1.6.0 covering authentication, OAuth, sessions, organizations, and more. Use when implementing or upgrading Better Auth.
Integrates Better Auth TypeScript authentication for Cloudflare D1 via Drizzle/Kysely, Next.js, Nuxt, and 15+ frameworks. Use for auth setup, D1 adapter errors, OAuth/2FA/RBAC.