SaaS Starter (Better Auth)

Authentication, organizations, roles, and sessions powered by Better Auth. This is the starter-saas-betterauth pack. Unlike WorkOS, Better Auth is a self-hosted library, so there's no separate account to create. You bring your own Google OAuth app.

What you need

Register a Google OAuth app

  1. Open Google Cloud Console > APIs & Services > Credentials.
  2. Create an OAuth 2.0 Client ID of type Web application.
  3. Under Authorized redirect URIs, add the Better Auth callback path:
http://localhost:3000/api/auth/callback/google
  1. Copy the Client ID and Client secret into apps/backend/.env as GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET.

In production, add your deployed origin as well:

https://yourdomain.com/api/auth/callback/google

The path is fixed: Better Auth owns the handler at /api/auth/*, and the Google callback is always /api/auth/callback/google appended to your BETTER_AUTH_URL.

Environment variables

VariablePurpose
BETTER_AUTH_URLOrigin Better Auth runs on (e.g. http://localhost:3000)
BETTER_AUTH_SECRETAuth secret. Generate with openssl rand -base64 32
GOOGLE_CLIENT_IDGoogle OAuth client ID
GOOGLE_CLIENT_SECRETGoogle OAuth client secret
RESEND_API_KEYTransactional email (password reset, verification)

Google sign-in flow

The pack starts Google sign-in from GET /auth/google/:intent, which calls Better Auth's signInSocial. After Google redirects back to /api/auth/callback/google, Better Auth exchanges the code, creates the session, and sends the browser to / (or /onboarding if the user has no organization).