Authentication, organizations, roles, and sessions powered by Better Auth. This is the starter-saas-betterauth pack. Unlike WorkOS, Better Auth is a self-hosted library, so there's no separate account to create. You bring your own Google OAuth app.
RESEND_API_KEY.http://localhost:3000/api/auth/callback/google
apps/backend/.env as GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET.In production, add your deployed origin as well:
https://yourdomain.com/api/auth/callback/google
The path is fixed: Better Auth owns the handler at /api/auth/*, and the Google callback is always /api/auth/callback/google appended to your BETTER_AUTH_URL.
| Variable | Purpose |
|---|---|
BETTER_AUTH_URL | Origin Better Auth runs on (e.g. http://localhost:3000) |
BETTER_AUTH_SECRET | Auth secret. Generate with openssl rand -base64 32 |
GOOGLE_CLIENT_ID | Google OAuth client ID |
GOOGLE_CLIENT_SECRET | Google OAuth client secret |
RESEND_API_KEY | Transactional email (password reset, verification) |
The pack starts Google sign-in from GET /auth/google/:intent, which calls Better Auth's signInSocial. After Google redirects back to /api/auth/callback/google, Better Auth exchanges the code, creates the session, and sends the browser to / (or /onboarding if the user has no organization).