better-auth
Provides a self-hosted authentication solution for TypeScript and Cloudflare Workers, featuring social auth, 2FA, and RBAC.
Security score
The better-auth skill was audited on Feb 9, 2026 and we found 86 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 270 | authorization_endpoint: `${process.env.BETTER_AUTH_URL}/api/auth/oauth2/authorize`, |
Template literal with variable interpolation in command context
| 271 | token_endpoint: `${process.env.BETTER_AUTH_URL}/api/auth/oauth2/token`, |
Template literal with variable interpolation in command context
| 1439 | const callbackURL = `${env.BETTER_AUTH_URL}/api/auth/callback/google`; |
Template literal with variable interpolation in command context
| 1486 | html: ` |
System command execution
| 1221 | - 2FA system (TOTP, backup codes, email OTP): **20 hours** |
Fetch to external URL
| 707 | await fetch("https://api.example.com/data", { |
Access to .env file
| 269 | issuer: process.env.BETTER_AUTH_URL, |
Access to .env file
| 270 | authorization_endpoint: `${process.env.BETTER_AUTH_URL}/api/auth/oauth2/authorize`, |
Access to .env file
| 271 | token_endpoint: `${process.env.BETTER_AUTH_URL}/api/auth/oauth2/token`, |
Access to .env file
| 1154 | const db = createDatabase(c.env.DB); |
Access to .env file
| 1155 | const auth = createAuth(db, c.env); |
External URL reference
| 57 | 📚 **Docs**: https://www.better-auth.com/changelogs |
External URL reference
| 75 | 📚 **Docs**: https://www.better-auth.com/changelogs |
External URL reference
| 87 | 📚 **Docs**: https://www.better-auth.com/blog/1-3 |
External URL reference
| 217 | 📚 **Official Docs**: https://www.better-auth.com/docs/integrations/tanstack |
External URL reference
| 227 | | **OAuth 2.1 Provider** | `better-auth/plugins` | Build OAuth 2.1 provider with PKCE, JWT tokens, consent flows (replaces MCP & OIDC plugins) | [📚](https://www.better-auth.com/docs/plugins/oauth-pro |
External URL reference
| 228 | | **SSO** | `better-auth/plugins` | Enterprise Single Sign-On with OIDC, OAuth2, and SAML 2.0 support | [📚](https://www.better-auth.com/docs/plugins/sso) | |
External URL reference
| 229 | | **Stripe** | `better-auth/plugins` | Payment and subscription management with flexible lifecycle handling | [📚](https://www.better-auth.com/docs/plugins/stripe) | |
External URL reference
| 230 | | **MCP** | `better-auth/plugins` | ⚠️ **Deprecated** - Use OAuth 2.1 Provider instead | [📚](https://www.better-auth.com/docs/plugins/mcp) | |
External URL reference
| 231 | | **Expo** | `better-auth/expo` | React Native/Expo with `webBrowserOptions` and last-login-method tracking | [📚](https://www.better-auth.com/docs/integrations/expo) | |
External URL reference
| 283 | redirectURLs: ["https://claude.ai/callback"], |
External URL reference
| 290 | 📚 **Full Docs**: https://www.better-auth.com/docs/plugins/oauth-provider |
External URL reference
| 300 | | **Bearer** | API token auth (alternative to cookies for APIs) | [📚](https://www.better-auth.com/docs/plugins/bearer) | |
External URL reference
| 301 | | **One Tap** | Google One Tap frictionless sign-in | [📚](https://www.better-auth.com/docs/plugins/one-tap) | |
External URL reference
| 302 | | **SCIM** | Enterprise user provisioning (SCIM 2.0) | [📚](https://www.better-auth.com/docs/plugins/scim) | |
External URL reference
| 303 | | **Anonymous** | Guest user access without PII | [📚](https://www.better-auth.com/docs/plugins/anonymous) | |
External URL reference
| 304 | | **Username** | Username-based sign-in (alternative to email) | [📚](https://www.better-auth.com/docs/plugins/username) | |
External URL reference
| 305 | | **Generic OAuth** | Custom OAuth providers with PKCE | [📚](https://www.better-auth.com/docs/plugins/generic-oauth) | |
External URL reference
| 306 | | **Multi-Session** | Multiple accounts in same browser | [📚](https://www.better-auth.com/docs/plugins/multi-session) | |
External URL reference
| 307 | | **API Key** | Token-based auth with rate limits | [📚](https://www.better-auth.com/docs/plugins/api-key) | |
External URL reference
| 398 | discoveryUrl: "https://linear.app/.well-known/openid-configuration", |
External URL reference
| 686 | baseURL: "https://api.example.com", |
External URL reference
| 707 | await fetch("https://api.example.com/data", { |
External URL reference
| 816 | 📚 **Docs**: https://www.better-auth.com/docs/plugins/2fa |
External URL reference
| 883 | 📚 **Docs**: https://www.better-auth.com/docs/plugins/organization |
External URL reference
| 952 | 📚 **Docs**: https://www.better-auth.com/docs/plugins/admin |
External URL reference
| 956 | **Passkey Plugin** (5 endpoints) - [Docs](https://www.better-auth.com/docs/plugins/passkey): |
External URL reference
| 959 | **Magic Link Plugin** (2 endpoints) - [Docs](https://www.better-auth.com/docs/plugins/magic-link): |
External URL reference
| 962 | **Username Plugin** (2 endpoints) - [Docs](https://www.better-auth.com/docs/plugins/username): |
External URL reference
| 965 | **Phone Number Plugin** (5 endpoints) - [Docs](https://www.better-auth.com/docs/plugins/phone-number): |
External URL reference
| 968 | **Email OTP Plugin** (6 endpoints) - [Docs](https://www.better-auth.com/docs/plugins/email-otp): |
External URL reference
| 971 | **Anonymous Plugin** (1 endpoint) - [Docs](https://www.better-auth.com/docs/plugins/anonymous): |
External URL reference
| 974 | **JWT Plugin** (2 endpoints) - [Docs](https://www.better-auth.com/docs/plugins/jwt): |
External URL reference
| 977 | **OpenAPI Plugin** (2 endpoints) - [Docs](https://www.better-auth.com/docs/plugins/open-api): |
External URL reference
| 1019 | body: { name: "New Name", image: "https://..." }, |
External URL reference
| 1198 | **Interactive documentation**: Visit `http://localhost:8787/api/auth/reference` |
External URL reference
| 1398 | origin: "http://localhost:5173", // Frontend URL (no trailing slash) |
External URL reference
| 1406 | trustedOrigins: ["http://localhost:5173"], // Same as CORS origin |
External URL reference
| 1429 | Provider setting: https://yourdomain.com/api/auth/callback/google |
External URL reference
| 1430 | better-auth URL: https://yourdomain.com/api/auth/callback/google |
External URL reference
| 2030 | - **Homepage**: https://better-auth.com |
External URL reference
| 2031 | - **Introduction**: https://www.better-auth.com/docs/introduction |
External URL reference
| 2032 | - **Installation**: https://www.better-auth.com/docs/installation |
External URL reference
| 2033 | - **Basic Usage**: https://www.better-auth.com/docs/basic-usage |
External URL reference
| 2037 | - **Session Management**: https://www.better-auth.com/docs/concepts/session-management |
External URL reference
| 2038 | - **Users & Accounts**: https://www.better-auth.com/docs/concepts/users-accounts |
External URL reference
| 2039 | - **Client SDK**: https://www.better-auth.com/docs/concepts/client |
External URL reference
| 2040 | - **Plugins System**: https://www.better-auth.com/docs/concepts/plugins |
External URL reference
| 2044 | - **Email & Password**: https://www.better-auth.com/docs/authentication/email-password |
External URL reference
| 2045 | - **OAuth Providers**: https://www.better-auth.com/docs/concepts/oauth |
External URL reference
| 2050 | - **2FA (Two-Factor)**: https://www.better-auth.com/docs/plugins/2fa |
External URL reference
| 2051 | - **Organization**: https://www.better-auth.com/docs/plugins/organization |
External URL reference
| 2052 | - **Admin**: https://www.better-auth.com/docs/plugins/admin |
External URL reference
| 2053 | - **Multi-Session**: https://www.better-auth.com/docs/plugins/multi-session |
External URL reference
| 2054 | - **API Key**: https://www.better-auth.com/docs/plugins/api-key |
External URL reference
| 2055 | - **Generic OAuth**: https://www.better-auth.com/docs/plugins/generic-oauth |
External URL reference
| 2058 | - **Passkey**: https://www.better-auth.com/docs/plugins/passkey |
External URL reference
| 2059 | - **Magic Link**: https://www.better-auth.com/docs/plugins/magic-link |
External URL reference
| 2060 | - **Email OTP**: https://www.better-auth.com/docs/plugins/email-otp |
External URL reference
| 2061 | - **Phone Number**: https://www.better-auth.com/docs/plugins/phone-number |
External URL reference
| 2062 | - **Anonymous**: https://www.better-auth.com/docs/plugins/anonymous |
External URL reference
| 2065 | - **Username**: https://www.better-auth.com/docs/plugins/username |
External URL reference
| 2066 | - **JWT**: https://www.better-auth.com/docs/plugins/jwt |
External URL reference
| 2067 | - **OpenAPI**: https://www.better-auth.com/docs/plugins/open-api |
External URL reference
| 2068 | - **OIDC Provider**: https://www.better-auth.com/docs/plugins/oidc-provider |
External URL reference
| 2069 | - **SSO**: https://www.better-auth.com/docs/plugins/sso |
External URL reference
| 2070 | - **Stripe**: https://www.better-auth.com/docs/plugins/stripe |
External URL reference
| 2071 | - **MCP**: https://www.better-auth.com/docs/plugins/mcp |
External URL reference
| 2075 | - **TanStack Start**: https://www.better-auth.com/docs/integrations/tanstack |
External URL reference
| 2076 | - **Expo (React Native)**: https://www.better-auth.com/docs/integrations/expo |
External URL reference
| 2082 | - **Discord**: https://discord.gg/better-auth |
External URL reference
| 2087 | - **Drizzle ORM**: https://orm.drizzle.team/docs/get-started-sqlite |
External URL reference
| 2088 | - **Kysely**: https://kysely.dev/ |
External URL reference
| 2130 | - [Hono + better-auth on Cloudflare](https://hono.dev/examples/better-auth-on-cloudflare) - Official Hono example |
External URL reference
| 2131 | - [React Router + Cloudflare D1](https://dev.to/atman33/setup-better-auth-with-react-router-cloudflare-d1-2ad4) - React Router v7 guide |
External URL reference
| 2132 | - [SvelteKit + Cloudflare D1](https://medium.com/@dasfacc/sveltekit-better-auth-using-cloudflare-d1-and-drizzle-91d9d9a6d0b4) - SvelteKit guide |