Authentication
Better Auth with 2FA, passkeys, OAuth, and multi-tenancy.
SaaS Starter uses Better Auth 1.6 with full multi-tenant organization support.
Features
- Email + password (bcrypt hashed)
- OAuth 2.0 PKCE: GitHub, Google
- TOTP 2FA (QR code enrollment)
- Passkeys (WebAuthn)
- Magic links / passwordless
- Session management (DB-backed, Redis cache)
- Organization invitations
- Role-based access: owner | admin | member
Configuration
AUTH_SECRET=at-least-32-random-chars
AUTH_PROVIDER=better-auth
# OAuth providers (all optional)
GITHUB_CLIENT_ID=...
GITHUB_CLIENT_SECRET=...
GOOGLE_CLIENT_ID=...
GOOGLE_CLIENT_SECRET=...
Multi-tenancy
Every authenticated request to the API is scoped to an organization:
// Middleware attaches org context automatically
const orgCtx = c.get('org')
// { orgId, plan, role, userId }
Users can belong to multiple organizations and switch between them in the UI.
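The two checks a handler should make on that org context, as an added illustration (not SaaS Starter or Better Auth code): a minimum-role gate over the owner | admin | member hierarchy listed under Features, and an ownership check that keeps one tenant's records out of another tenant's responses. The `Ctx` stand-in for `c.get('org')`, `requireRole` and `assertOrgOwned` are assumed names for this example.

```typescript
// Added example built on the { orgId, plan, role, userId } shape the page
// says the middleware attaches. Ctx, requireRole and assertOrgOwned are
// illustrative names, not part of SaaS Starter or Better Auth.
type Role = 'owner' | 'admin' | 'member'
interface OrgContext { orgId: string; plan: string; role: Role; userId: string }

// Higher rank = more privilege, so "at least admin" is a simple comparison.
const RANK: Record<Role, number> = { member: 1, admin: 2, owner: 3 }

function hasAtLeast(role: Role, min: Role): boolean {
  return RANK[role] >= RANK[min]
}

// Minimal stand-in for the request context (c.get('org') on the page).
interface Ctx { org?: OrgContext }

// Gate a handler behind a minimum org role: no org context means the
// request has no tenant scope at all (401); a known but insufficient
// role is a plain authorization failure (403).
function requireRole(min: Role) {
  return (c: Ctx): { status: number; body: string } => {
    const org = c.org
    if (!org) return { status: 401, body: 'no organization context' }
    if (!hasAtLeast(org.role, min)) return { status: 403, body: `requires ${min}` }
    return { status: 200, body: 'ok' }
  }
}

// Defence in depth for tenant isolation: even when a record was looked up
// by a client-supplied id, never return it unless it belongs to the
// caller's organization. Cross-tenant hits are reported as "not found"
// rather than "forbidden" so the response does not confirm the record exists.
interface OrgOwned { orgId: string }
function assertOrgOwned<T extends OrgOwned>(org: OrgContext, record: T | null): T | null {
  if (record && record.orgId !== org.orgId) return null
  return record
}

// Constructed sample contexts for a quick self-check (not real data).
const memberCtx: Ctx = { org: { orgId: 'org_a', plan: 'pro', role: 'member', userId: 'u1' } }
const adminCtx: Ctx = { org: { orgId: 'org_a', plan: 'pro', role: 'admin', userId: 'u2' } }

console.log(requireRole('admin')(memberCtx).status)                        // 403
console.log(assertOrgOwned(adminCtx.org!, { orgId: 'org_b', name: 'x' }))  // null
```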
Admin access
Superadmin accounts are flagged in the admin_user table. Create one:
make admin-create email=admin@yourdomain.com password=YourSecurePassword123
The admin dashboard is available at /admin and protected by requireGlobalAdmin middleware.
Never share your AUTH_SECRET. It signs all session tokens — rotating it invalidates all active sessions.