Your app ships with a full authentication system powered by Better Auth. It runs inside your Next.js app and talks directly to your Drizzle database — no external auth service needed.
Recommended path: run pnpm bootstrap. The setup wizard generates BETTER_AUTH_SECRET, writes .env.local, and can prompt for Google OAuth and email-provider settings. The rest of this page is the manual setup path.

What’s Already Built For You

Out of the box, you get:
  • A polished login page at /auth
  • Email/password sign-in and sign-up
  • Google OAuth sign-in (optional)
  • Magic link sign-in (optional)
  • Forgot-password / reset flow
  • Session handling and protected routes
  • Automatic redirects into your app after login
The key routes to know: /auth (sign-in page), /auth/reset-password (password reset), /api/auth/[...all] (Better Auth handler), and /api/auth/callback/google (Google OAuth callback).

Getting Started

1. Run the setup wizard (recommended)

pnpm bootstrap
Choose the auth options you want, and the wizard will write the matching .env.local values for you.
2. Or set your core env vars manually

These three variables are the absolute minimum to get auth working:
NEXT_PUBLIC_APP_URL=http://localhost:3000
BETTER_AUTH_SECRET=...
DATABASE_URL=postgresql://...
BETTER_AUTH_URL is optional. If you skip it, the app automatically falls back to NEXT_PUBLIC_APP_URL.
3. Pick your auth methods

With just the core env vars above, email/password auth works immediately. For Google OAuth or magic links, keep reading — you’ll add a few more env vars depending on what you want.
4. Restart your dev server

After changing any env vars, restart your dev server for the changes to take effect.
pnpm dev

Auth Method Setup

Email/password is the default and requires zero extra configuration beyond the core env vars above. Your users can sign up with an email and password, and sign in the same way. That’s it — you’re done!

What Happens When a User Signs In

Here’s the flow your users go through:
1. User lands on /auth

They see your sign-in page with the auth methods you’ve enabled.
2. Better Auth handles the session

Better Auth creates or reads the user and session directly in your database.
3. Profile sync

The app automatically syncs the matching profile row for the user.
4. Redirect

The user lands on / (or whatever page they originally requested).

Verification Checklist

Run through this list to make sure everything is working:
  • Email/password sign-in and sign-up works
  • Magic link emails arrive (if you enabled magic links)
  • Password reset emails arrive (if you enabled email auth)
  • Clicking a magic link or reset link signs you in correctly
  • Google sign-in works (if you enabled it)
  • / loads after sign-in without bouncing back to /auth

Troubleshooting

BETTER_AUTH_SECRET is required. Generate a random string (at least 32 characters) and set it in your .env.local file. Without it, Better Auth can’t encrypt sessions.
When Google sign-in fails, the most common cause is a mismatch between your callback URL in Google Cloud and your actual app URL. Make sure your redirect URI is exactly http://localhost:3000/api/auth/callback/google for local dev (or your production domain equivalent).
This variable must match the domain you’re actually testing on. If you’re running locally, it should be http://localhost:3000. In production, it should be your live domain with https://.
You need to restart your dev server after editing .env.local. Kill the running process and run pnpm dev again.
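
A preflight check for the environment problems listed above, as an added example that is not part of the starter's code or Better Auth's API. The function names are hypothetical, and applying the https:// rule to whichever of BETTER_AUTH_URL or NEXT_PUBLIC_APP_URL is in effect is an assumption of this example.

```javascript
// Added example: preflight check for the auth env vars described on this page.
// Function names are hypothetical; nothing here is Better Auth's own API.

// Base URL in effect: BETTER_AUTH_URL if set, otherwise NEXT_PUBLIC_APP_URL.
// Values without an http(s) scheme (e.g. "localhost:3000") are rejected.
function effectiveBaseUrl(env) {
  const raw = env.BETTER_AUTH_URL || env.NEXT_PUBLIC_APP_URL;
  if (!raw) return null;
  try {
    const url = new URL(raw);
    return /^https?:$/.test(url.protocol) ? url : null;
  } catch {
    return null;
  }
}

// Exact redirect URI to register in Google Cloud for this environment.
function googleRedirectUri(env) {
  const base = effectiveBaseUrl(env);
  return base ? `${base.origin}/api/auth/callback/google` : null;
}

// Returns a list of problems; an empty list means the core vars look sane.
function checkAuthEnv(env, { production = false } = {}) {
  const problems = [];
  const secret = env.BETTER_AUTH_SECRET || "";
  if (secret.length < 32) {
    problems.push("BETTER_AUTH_SECRET must be a random string of at least 32 characters");
  }
  if (!env.DATABASE_URL) problems.push("DATABASE_URL is not set");
  const base = effectiveBaseUrl(env);
  if (!base) {
    problems.push("NEXT_PUBLIC_APP_URL (or BETTER_AUTH_URL) is missing or not an http(s) URL");
  } else if (production && base.protocol !== "https:") {
    problems.push(`base URL ${base.origin} must use https:// in production`);
  }
  return problems;
}

// Constructed sample values, not real credentials.
const sampleEnv = {
  NEXT_PUBLIC_APP_URL: "http://localhost:3000",
  BETTER_AUTH_SECRET: "x".repeat(32), // right length only; use a random value in practice
  DATABASE_URL: "postgresql://user:pass@localhost:5432/app",
};

console.log(checkAuthEnv(sampleEnv));
console.log(checkAuthEnv(sampleEnv, { production: true }));
console.log(googleRedirectUri(sampleEnv));
```
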