Better Auth 身份验证技能指南：为 TypeScript/JavaScript 应用添加认证

create-auth-skill by better-auth/skills

10,600 周安装量

161 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/better-auth/skills --skill create-auth-skill

开发安全

🇨🇳中文介绍

创建身份验证技能

使用 Better Auth 为 TypeScript/JavaScript 应用程序添加身份验证的指南。

有关代码示例和语法，请参阅 better-auth.com/docs。

阶段 1：规划（实施前必需）

在编写任何代码之前，请通过扫描项目并向用户提出结构化问题来收集需求。这可以确保实施符合他们的需求。

步骤 1：扫描项目

分析代码库以自动检测：

框架 — 查找 next.config、svelte.config、nuxt.config、astro.config、vite.config 或 Express/Hono 入口文件。
数据库/ORM — 查找 prisma/schema.prisma、drizzle.config、依赖项（、、、、）。

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

步骤 2：询问规划问题

使用 AskQuestion 工具在一次调用中向用户询问所有适用的问题。跳过任何你通过扫描已经确信有答案的问题。将它们分组在一个标题下，例如“身份验证设置规划”。

要询问的问题：

项目类型（如果已检测到则跳过）
- 提示：“这是什么类型的项目？”
- 选项：从头开始的新项目 | 为现有项目添加身份验证 | 从其他身份验证库迁移
框架（如果已检测到则跳过）
- 提示：“您使用哪个框架？”
- 选项：Next.js (App Router) | Next.js (Pages Router) | SvelteKit | Nuxt | Astro | Express | Hono | SolidStart | 其他
数据库和 ORM（如果已检测到则跳过）
- 提示：“您将使用哪种数据库设置？”
- 选项：PostgreSQL (Prisma) | PostgreSQL (Drizzle) | PostgreSQL (pg 驱动) | MySQL (Prisma) | MySQL (Drizzle) | MySQL (mysql2 驱动) | SQLite (Prisma) | SQLite (Drizzle) | SQLite (better-sqlite3 驱动) | MongoDB (Mongoose) | MongoDB (原生驱动)
身份验证方法（始终询问，允许多选）
- 提示：“您需要哪些登录方法？”
- 选项：邮箱和密码 | 社交 OAuth (Google, GitHub 等) | 魔法链接 (无密码邮箱) | 通行密钥 (WebAuthn) | 手机号码
- allow_multiple: true
社交提供商（仅当他们在上面选择了社交 OAuth 时 — 在后续调用中询问）
- 提示：“您需要哪些社交提供商？”
- 选项：Google | GitHub | Apple | Microsoft | Discord | Twitter/X
- allow_multiple: true
邮箱验证（仅当上面选择了邮箱和密码时 — 在后续调用中询问）
- 提示：“您是否需要邮箱验证？”
- 选项：是 | 否
邮箱提供商（仅当邮箱验证选择是，或者在功能中选择了密码重置时 — 在后续调用中询问）
- 提示：“您希望如何发送邮件？”
- 选项：Resend | 暂时模拟 (console.log)
功能和插件（始终询问，允许多选）
- 提示：“您需要哪些附加功能？”
- 选项：双因素认证 (2FA) | 组织 / 团队 | 管理仪表板 | API 持有者令牌 | 密码重置 | 以上都不需要
- allow_multiple: true
身份验证页面（始终询问，允许多选 — 根据之前的答案预选）
- 提示：“您需要哪些身份验证页面？”
- 选项根据之前的答案而变化：
  - 始终可用：登录 | 注册
  - 如果选择了邮箱和密码：忘记密码 | 重置密码
  - 如果启用了邮箱验证：邮箱验证
- allow_multiple: true
身份验证 UI 样式（始终询问）
- 提示：“您希望身份验证页面采用什么样式？选择一个或描述您自己的样式。”
- 选项：简约干净 | 带背景的居中卡片 | 分屏布局 (表单 + 主图) | 浮动 / 玻璃态 | 其他 (我会描述)

步骤 3：总结规划

收集答案后，以 Markdown 清单的形式呈现简洁的实施计划。例如：

## 身份验证实施计划

- **框架：** Next.js (App Router)
- **数据库：** PostgreSQL via Prisma
- **身份验证方法：** 邮箱/密码, Google OAuth, GitHub OAuth
- **插件：** 2FA, 组织, 邮箱验证
- **UI：** 自定义表单

### 步骤
1. 安装 `better-auth` 和 `@better-auth/cli`
2. 创建 `lib/auth.ts` 并配置服务器
3. 创建 `lib/auth-client.ts` 并配置 React 客户端
4. 在 `app/api/auth/[...all]/route.ts` 设置路由处理器
5. 配置 Prisma 适配器并生成模式
6. 添加 Google 和 GitHub OAuth 提供商
7. 启用 `twoFactor` 和 `organization` 插件
8. 设置邮箱验证处理器
9. 运行迁移
10. 创建登录 / 注册页面

在进入阶段 2 之前，请用户确认该计划。

只有在用户确认了阶段 1 的计划后，才继续此处。

根据上面收集的答案，遵循下面的决策树。

Is this a new/empty project?
├─ YES → 新项目设置
│   1. 安装 better-auth (+ 根据计划安装作用域包)
│   2. 创建包含所有规划配置的 auth.ts
│   3. 创建包含框架客户端的 auth-client.ts
│   4. 设置路由处理器
│   5. 设置环境变量
│   6. 运行 CLI 迁移/生成
│   7. 根据计划添加插件
│   8. 创建身份验证 UI 页面
│
├─ MIGRATING → 从现有身份验证迁移
│   1. 审计当前身份验证的差距
│   2. 规划增量迁移
│   3. 在现有身份验证旁边安装 better-auth
│   4. 迁移路由，然后是会话逻辑，最后是 UI
│   5. 移除旧的身份验证库
│   6. 查看文档中的迁移指南
│
└─ ADDING → 为现有项目添加身份验证
    1. 分析项目结构
    2. 安装 better-auth
    3. 创建符合规划的身份验证配置
    4. 添加路由处理器
    5. 运行模式迁移
    6. 集成到现有页面中
    7. 添加计划的插件和功能

在实施结束时，彻底指导用户完成剩余的后续步骤（例如，设置 OAuth 应用凭据、部署环境变量、测试流程）。

核心： npm install better-auth

作用域包（根据需要）：

包	用例
`@better-auth/passkey`	WebAuthn/通行密钥身份验证
`@better-auth/sso`	SAML/OIDC 企业级 SSO
`@better-auth/stripe`	Stripe 支付
`@better-auth/scim`	SCIM 用户配置
`@better-auth/expo`	React Native/Expo

BETTER_AUTH_SECRET=<32+ 字符，使用以下命令生成：openssl rand -base64 32>
BETTER_AUTH_URL=http://localhost:3000
DATABASE_URL=<您的数据库连接字符串>

根据需要添加 OAuth 密钥：GITHUB_CLIENT_ID、GITHUB_CLIENT_SECRET、GOOGLE_CLIENT_ID 等。

服务器配置 (auth.ts)

位置： lib/auth.ts 或 src/lib/auth.ts

最小配置需求：

database - 连接或适配器
emailAndPassword: { enabled: true } - 用于邮箱/密码身份验证

标准配置添加：

socialProviders - OAuth 提供商 (google, github 等)
emailVerification.sendVerificationEmail - 邮箱验证处理器
emailAndPassword.sendResetPassword - 密码重置处理器

完整配置添加：

plugins - 功能插件数组
session - 过期时间、Cookie 缓存设置
account.accountLinking - 多提供商关联
rateLimit - 速率限制配置

导出类型： export type Session = typeof auth.$Infer.Session

客户端配置 (auth-client.ts)

按框架导入：

框架	导入
React/Next.js	`better-auth/react`
Vue	`better-auth/vue`
Svelte	`better-auth/svelte`
Solid	`better-auth/solid`
Vanilla JS	`better-auth/client`

客户端插件放在 createAuthClient({ plugins: [...] }) 中。

常用导出： signIn、signUp、signOut、useSession、getSession

路由处理器设置

框架	文件	处理器
Next.js App Router	`app/api/auth/[...all]/route.ts`	`toNextJsHandler(auth)` → 导出 `{ GET, POST }`
Next.js Pages	`pages/api/auth/[...all].ts`	`toNextJsHandler(auth)` → 默认导出
Express	任意文件	`app.all("/api/auth/*", toNodeHandler(auth))`
SvelteKit	`src/hooks.server.ts`	`svelteKitHandler(auth)`
SolidStart	路由文件	`solidStartHandler(auth)`
Hono	路由文件	`auth.handler(c.req.raw)`

Next.js 服务器组件： 在身份验证配置中添加 nextCookies() 插件。

适配器	命令
内置 Kysely	`npx @better-auth/cli@latest migrate` (直接应用)
Prisma	`npx @better-auth/cli@latest generate --output prisma/schema.prisma` 然后 `npx prisma migrate dev`
Drizzle	`npx @better-auth/cli@latest generate --output src/db/auth-schema.ts` 然后 `npx drizzle-kit push`

添加插件后重新运行。

数据库	设置
SQLite	直接传递 `better-sqlite3` 或 `bun:sqlite` 实例
PostgreSQL	直接传递 `pg.Pool` 实例
MySQL	直接传递 `mysql2` 连接池
Prisma	`prismaAdapter(prisma, { provider: "postgresql" })` 来自 `better-auth/adapters/prisma`
Drizzle	`drizzleAdapter(db, { provider: "pg" })` 来自 `better-auth/adapters/drizzle`
MongoDB	`mongodbAdapter(db)` 来自 `better-auth/adapters/mongodb`

插件	服务器导入	客户端导入	用途
`twoFactor`	`better-auth/plugins`	`twoFactorClient`	使用 TOTP/OTP 的 2FA
`organization`	`better-auth/plugins`	`organizationClient`	团队/组织
`admin`	`better-auth/plugins`	`adminClient`	用户管理
`bearer`	`better-auth/plugins`	-	API 令牌身份验证
`openAPI`	`better-auth/plugins`	-	API 文档
`passkey`	`@better-auth/passkey`	`passkeyClient`	WebAuthn
`sso`	`@better-auth/sso`	-	企业级 SSO

插件模式： 服务器插件 + 客户端插件 + 运行迁移。

身份验证 UI 实施

signIn.email({ email, password }) 或 signIn.social({ provider, callbackURL })
处理响应中的 error
成功时重定向

会话检查（客户端）： useSession() 钩子返回 { data: session, isPending }

会话检查（服务器）： auth.api.getSession({ headers: await headers() })

受保护路由： 检查会话，如果为 null 则重定向到 /sign-in。

BETTER_AUTH_SECRET 已设置 (32+ 字符)
生产环境中 advanced.useSecureCookies: true
trustedOrigins 已配置
速率限制已启用
邮箱验证已启用
密码重置已实施
敏感应用启用 2FA
CSRF 保护未禁用
account.accountLinking 已审查

问题	修复方法
"Secret not set"	添加 `BETTER_AUTH_SECRET` 环境变量
"Invalid Origin"	将域名添加到 `trustedOrigins`
Cookie 未设置	检查 `baseURL` 是否与域名匹配；生产环境中启用安全 Cookie
OAuth 回调错误	在提供商仪表板中验证重定向 URI
添加插件后出现类型错误	重新运行 CLI 生成/迁移

🇺🇸English

Create Auth Skill

Guide for adding authentication to TypeScript/JavaScript applications using Better Auth.

For code examples and syntax, seebetter-auth.com/docs.

Phase 1: Planning (REQUIRED before implementation)

Before writing any code, gather requirements by scanning the project and asking the user structured questions. This ensures the implementation matches their needs.

Step 1: Scan the project

Analyze the codebase to auto-detect:

Framework — Look for next.config, svelte.config, nuxt.config, astro.config, vite.config, or Express/Hono entry files.
Database/ORM — Look for prisma/schema.prisma, drizzle.config, package.json deps (pg, mysql2, better-sqlite3, mongoose, mongodb).
Existing auth — Look for existing auth libraries (next-auth, lucia, clerk, supabase/auth, firebase/auth) in package.json or imports.
Package manager — Check for pnpm-lock.yaml, yarn.lock, bun.lockb, or package-lock.json.

Use what you find to pre-fill defaults and skip questions you can already answer.

Step 2: Ask planning questions

Use the AskQuestion tool to ask the user all applicable questions in a single call. Skip any question you already have a confident answer for from the scan. Group them under a title like "Auth Setup Planning".

Questions to ask:

Project type (skip if detected)
- Prompt: "What type of project is this?"
- Options: New project from scratch | Adding auth to existing project | Migrating from another auth library
Framework (skip if detected)
- Prompt: "Which framework are you using?"
- Options: Next.js (App Router) | Next.js (Pages Router) | SvelteKit | Nuxt | Astro | Express | Hono | SolidStart | Other
Database & ORM (skip if detected)
- Prompt: "Which database setup will you use?"
- Options: PostgreSQL (Prisma) | PostgreSQL (Drizzle) | PostgreSQL (pg driver) | MySQL (Prisma) | MySQL (Drizzle) | MySQL (mysql2 driver) | SQLite (Prisma) | SQLite (Drizzle) | SQLite (better-sqlite3 driver) | MongoDB (Mongoose) | MongoDB (native driver)
Authentication methods (always ask, allow multiple)
- Prompt: "Which sign-in methods do you need?"
- Options: Email & password | Social OAuth (Google, GitHub, etc.) | Magic link (passwordless email) | Passkey (WebAuthn) | Phone number
- allow_multiple: true
Social providers (only if they selected Social OAuth above — ask in a follow-up call)
- Prompt: "Which social providers do you need?"
- Options: Google | GitHub | Apple | Microsoft | Discord | Twitter/X
- allow_multiple: true

Prompt: "What style do you want for the auth pages? Pick one or describe your own."
Options: Minimal & clean | Centered card with background | Split layout (form + hero image) | Floating / glassmorphism | Other (I'll describe)

Step 3: Summarize the plan

After collecting answers, present a concise implementation plan as a markdown checklist. Example:

## Auth Implementation Plan

- **Framework:** Next.js (App Router)
- **Database:** PostgreSQL via Prisma
- **Auth methods:** Email/password, Google OAuth, GitHub OAuth
- **Plugins:** 2FA, Organizations, Email verification
- **UI:** Custom forms

### Steps
1. Install `better-auth` and `@better-auth/cli`
2. Create `lib/auth.ts` with server config
3. Create `lib/auth-client.ts` with React client
4. Set up route handler at `app/api/auth/[...all]/route.ts`
5. Configure Prisma adapter and generate schema
6. Add Google & GitHub OAuth providers
7. Enable `twoFactor` and `organization` plugins
8. Set up email verification handler
9. Run migrations
10. Create sign-in / sign-up pages

Ask the user to confirm the plan before proceeding to Phase 2.

Phase 2: Implementation

Only proceed here after the user confirms the plan from Phase 1.

Follow the decision tree below, guided by the answers collected above.

Is this a new/empty project?
├─ YES → New project setup
│   1. Install better-auth (+ scoped packages per plan)
│   2. Create auth.ts with all planned config
│   3. Create auth-client.ts with framework client
│   4. Set up route handler
│   5. Set up environment variables
│   6. Run CLI migrate/generate
│   7. Add plugins from plan
│   8. Create auth UI pages
│
├─ MIGRATING → Migration from existing auth
│   1. Audit current auth for gaps
│   2. Plan incremental migration
│   3. Install better-auth alongside existing auth
│   4. Migrate routes, then session logic, then UI
│   5. Remove old auth library
│   6. See migration guides in docs
│
└─ ADDING → Add auth to existing project
    1. Analyze project structure
    2. Install better-auth
    3. Create auth config matching plan
    4. Add route handler
    5. Run schema migrations
    6. Integrate into existing pages
    7. Add planned plugins and features

At the end of implementation, guide users thoroughly on remaining next steps (e.g., setting up OAuth app credentials, deploying env vars, testing flows).

Installation

Core: npm install better-auth

Scoped packages (as needed):

Package	Use case
`@better-auth/passkey`	WebAuthn/Passkey auth
`@better-auth/sso`	SAML/OIDC enterprise SSO
`@better-auth/stripe`	Stripe payments
`@better-auth/scim`	SCIM user provisioning
`@better-auth/expo`	React Native/Expo

Environment Variables

BETTER_AUTH_SECRET=<32+ chars, generate with: openssl rand -base64 32>
BETTER_AUTH_URL=http://localhost:3000
DATABASE_URL=<your database connection string>

Add OAuth secrets as needed: GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, GOOGLE_CLIENT_ID, etc.

Server Config (auth.ts)

Location: lib/auth.ts or src/lib/auth.ts

Minimal config needs:

database - Connection or adapter
emailAndPassword: { enabled: true } - For email/password auth

Standard config adds:

socialProviders - OAuth providers (google, github, etc.)
emailVerification.sendVerificationEmail - Email verification handler
emailAndPassword.sendResetPassword - Password reset handler

Full config adds:

plugins - Array of feature plugins
session - Expiry, cookie cache settings
account.accountLinking - Multi-provider linking
rateLimit - Rate limiting config

Export types: export type Session = typeof auth.$Infer.Session

Client Config (auth-client.ts)

Import by framework:

Framework	Import
React/Next.js	`better-auth/react`
Vue	`better-auth/vue`
Svelte	`better-auth/svelte`
Solid	`better-auth/solid`
Vanilla JS	`better-auth/client`

Client plugins go in createAuthClient({ plugins: [...] }).

Common exports: signIn, signUp, signOut, useSession, getSession

Route Handler Setup

Framework	File	Handler
Next.js App Router	`app/api/auth/[...all]/route.ts`	`toNextJsHandler(auth)` → export `{ GET, POST }`
Next.js Pages	`pages/api/auth/[...all].ts`	`toNextJsHandler(auth)` → default export
Express	Any file	`app.all("/api/auth/*", toNodeHandler(auth))`
SvelteKit

Next.js Server Components: Add nextCookies() plugin to auth config.

Database Migrations

Adapter	Command
Built-in Kysely	`npx @better-auth/cli@latest migrate` (applies directly)
Prisma	`npx @better-auth/cli@latest generate --output prisma/schema.prisma` then `npx prisma migrate dev`
Drizzle	`npx @better-auth/cli@latest generate --output src/db/auth-schema.ts` then `npx drizzle-kit push`

Re-run after adding plugins.

Database Adapters

Database	Setup
SQLite	Pass `better-sqlite3` or `bun:sqlite` instance directly
PostgreSQL	Pass `pg.Pool` instance directly
MySQL	Pass `mysql2` pool directly
Prisma	`prismaAdapter(prisma, { provider: "postgresql" })` from `better-auth/adapters/prisma`
Drizzle	`drizzleAdapter(db, { provider: "pg" })` from

Common Plugins

Plugin	Server Import	Client Import	Purpose
`twoFactor`	`better-auth/plugins`	`twoFactorClient`	2FA with TOTP/OTP
`organization`	`better-auth/plugins`	`organizationClient`	Teams/orgs
`admin`

Plugin pattern: Server plugin + client plugin + run migrations.

Auth UI Implementation

Sign in flow:

signIn.email({ email, password }) or signIn.social({ provider, callbackURL })
Handle error in response
Redirect on success

Session check (client): useSession() hook returns { data: session, isPending }

Session check (server): auth.api.getSession({ headers: await headers() })

Protected routes: Check session, redirect to /sign-in if null.

Security Checklist

BETTER_AUTH_SECRET set (32+ chars)
advanced.useSecureCookies: true in production
trustedOrigins configured
Rate limits enabled
Email verification enabled
Password reset implemented
2FA for sensitive apps
CSRF protection NOT disabled
account.accountLinking reviewed

Troubleshooting

Issue	Fix
"Secret not set"	Add `BETTER_AUTH_SECRET` env var
"Invalid Origin"	Add domain to `trustedOrigins`
Cookies not setting	Check `baseURL` matches domain; enable secure cookies in prod
OAuth callback errors	Verify redirect URIs in provider dashboard
Type errors after adding plugin	Re-run CLI generate/migrate

Resources

Weekly Installs

8.0K

Repository

better-auth/skills

GitHub Stars

147

First Seen

Jan 19, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode6.0K

codex5.7K

gemini-cli5.6K

github-copilot5.6K

cursor4.9K

claude-code4.8K

Email verification (only if Email & password was selected above — ask in a follow-up call)

Prompt: "Do you want to require email verification?"
Options: Yes | No

Email provider (only if email verification is Yes, or if Password reset is selected in features — ask in a follow-up call)

Prompt: "How do you want to send emails?"
Options: Resend | Mock it for now (console.log)

Features & plugins (always ask, allow multiple)

Prompt: "Which additional features do you need?"
Options: Two-factor authentication (2FA) | Organizations / teams | Admin dashboard | API bearer tokens | Password reset | None of these
allow_multiple: true

Auth pages (always ask, allow multiple — pre-select based on earlier answers)

Prompt: "Which auth pages do you need?"
Options vary based on previous answers:
- Always available: Sign in | Sign up
- If Email & password selected: Forgot password | Reset password
- If email verification enabled: Email verification
allow_multiple: true

Auth UI style (always ask)

better-auth/adapters/drizzle