Authentication
Auth is powered by better-auth with the organization plugin. It’s wired and working out of the box. To customize it beyond what’s covered here — new providers, plugins, session options — explore the better-auth documentation .
What’s included
- Email/password sign-up and sign-in with email verification.
- Password reset flow.
- OAuth with Google and/or GitHub (optional — buttons appear only when keys are configured).
- Automatic personal workspace created for every new user.
- Route protection via
proxy.ts— unauthenticated requests to dashboard routes redirect to/login.
Key files
| File | Role |
|---|---|
lib/auth.ts | Server-side better-auth config. |
lib/auth-client.ts | Browser auth client. |
app/api/auth/[...all]/route.ts | Auth request handler. |
lib/db/schema.ts | Auth tables (generated). |
proxy.ts | Cookie-presence route guard (Next.js 16 Proxy). |
Next.js 16 renamed Middleware → Proxy. The file is proxy.ts with
export function proxy(request). It does a cookie-presence check only — no DB
call — so it stays fast on the edge.
Email verification in development
With the default EMAIL_PROVIDER=console, verification and password-reset links
print to the dev console — no external email service needed. Click the link
from your terminal to verify. Switch to Resend for real emails (see
Email).
Regenerating the auth schema
If you change the auth config, regenerate the Drizzle schema:
npm run auth:generate
npm run db:pushAdding OAuth providers
Set both the id and secret in .env.local, register the callback URL with the
provider, and the login button appears automatically:
${BETTER_AUTH_URL}/api/auth/callback/google
${BETTER_AUTH_URL}/api/auth/callback/githubThis template runs a recent better-auth on Next.js 16 — APIs differ from older versions. When customising auth, check the better-auth docs rather than relying on memory.