Better Auth
Last updated December 18, 2025

Overview

Better Auth is the default authentication provider in the scaffold. It handles email/password authentication, OAuth providers (Google, GitHub, etc.), session management, and integrates with your database for user storage.

Generate BETTER_AUTH_SECRET

Generate a secure random secret for Better Auth. The library uses it to sign and hash session cookies and tokens, so anyone who obtains it can forge sessions: treat it as a credential, never commit it, and use a different value per environment. Rotating it invalidates cookies signed with the old value, which signs every user out.

Option 1: Using OpenSSL (recommended)

openssl rand -base64 32    # 32 random bytes (256 bits), base64-encoded

Option 2: Using Node.js

node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"

Copy the generated secret - you'll add it to your .env.local file in the next step.

Google OAuth Setup

To enable Google sign-in, you need to create OAuth credentials in the Google Cloud Console.

Step 1: Create a Google Cloud Project

  1. Go to Google Cloud Console
  2. Click "Select a project" → "New Project"
  3. Enter a project name and click "Create"

Step 2: No API needs to be enabled

Older guides tell you to enable the "Google+ API" here. That API was shut down in 2019 and is no longer needed: Google sign-in uses Google's OAuth 2.0 / OpenID Connect endpoints, which work without enabling any library API. Skip straight to creating credentials.

Step 3: Create OAuth Credentials

  1. Go to "APIs & Services" → "Credentials"
  2. Click "Create Credentials" → "OAuth client ID"
  3. If prompted, configure the OAuth consent screen first:
    • Choose "External" user type
    • Fill in app name, support email, developer contact
    • Add scopes: email, profile, openid
    • Add test users if needed (while the app's publishing status is "Testing", only these accounts can sign in; publish the app before production use)
    • Save and continue
  4. Back in "Create OAuth client ID":
    • Application type: "Web application"
    • Name: Your app name
    • Authorized redirect URIs: http://localhost:3000/api/auth/callback/google (for local dev)
    • For production, add: https://yourdomain.com/api/auth/callback/google
    • Google compares the redirect URI byte for byte: scheme, host, port and path must match, with no trailing slash
  5. Click "Create"
  6. Copy the Client ID and Client Secret. The secret is a credential: keep it in .env.local or a secrets manager, never in source control

Environment Variables

Add these variables to your .env.local file:

# Better Auth
BETTER_AUTH_SECRET="your-generated-secret-from-step-1"

# Google OAuth (optional, but recommended)
GOOGLE_CLIENT_ID="your-google-client-id.apps.googleusercontent.com"
GOOGLE_CLIENT_SECRET="your-google-client-secret"

# App URL (required for OAuth redirects)
NEXT_PUBLIC_APP_URL="http://localhost:3000"

Important:

  • BETTER_AUTH_SECRET is required - use the secret you generated in step 1
  • GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET are optional but needed for Google sign-in
  • For production, update NEXT_PUBLIC_APP_URL to your production domain, using https; it must be the same origin you registered in the Google redirect URI
  • Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle. The app URL is public by design; never put BETTER_AUTH_SECRET or GOOGLE_CLIENT_SECRET under that prefix
  • Keep .env.local out of version control, and use a different BETTER_AUTH_SECRET in each environment

Testing

  1. Restart your dev server: npm run dev
  2. Navigate to http://localhost:3000/sign-up
  3. Try creating an account with email/password
  4. Try signing in with Google (if configured)
  5. Verify you can access protected routes like /dashboard

Troubleshooting:

  • If Google sign-in fails with redirect_uri_mismatch, the URI registered in the Cloud Console differs from the one the app sends: compare scheme, host, port and path exactly, and make sure NEXT_PUBLIC_APP_URL points at the same origin
  • If sessions don't persist, verify BETTER_AUTH_SECRET is set and has not changed between restarts; a new value invalidates every existing session cookie
  • Check browser console and server logs for detailed error messages