DEV Community: Lutz The latest articles on DEV Community by Lutz (@lutz-grex). https://dev.to/lutz-grex https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3783116%2F00141424-22a8-4711-bd99-30e1db15b3e2.jpg DEV Community: Lutz https://dev.to/lutz-grex en Extending Better Auth with global Rate Limiting Lutz Fri, 20 Feb 2026 20:33:56 +0000 https://dev.to/lutz-grex/extending-better-auth-with-global-rate-limiting-2g98 https://dev.to/lutz-grex/extending-better-auth-with-global-rate-limiting-2g98 <p><strong>TL;DR</strong> - Install <code>better-auth-rate-limiter</code>, add one plugin call, and every route in your app is rate limited — auth endpoints, AI routes, payment APIs, anything. Memory, database, or Redis backend. Full TypeScript end to end.</p> <p>Your API is open to the internet. Anyone can hammer your <code>/api/generate</code>, <code>/api/checkout</code>, or <code>/api/auth/sign-in</code> endpoints thousands of times per minute - brute-forcing credentials, abusing expensive AI calls, or just making your app crawl.</p> <p>Better Auth handles authentication well, but rate limiting is your problem to solve. And it shouldn't apply only to auth routes - your entire API needs protection.</p> <p><a href="https://github.com/lutz-grex/better-auth-rate-limiter" rel="noopener noreferrer"><code>better-auth-rate-limiter</code></a> is a community plugin that adds flexible, production-ready rate limiting to <strong>any route in your app</strong> - not just auth endpoints — in a few lines of config.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>better-auth-rate-limiter <span class="c"># or</span> pnpm add better-auth-rate-limiter </code></pre> </div> <h2> Basic Setup </h2> <p>Add the plugin to your Better Auth instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">betterAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">better-auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">rateLimiter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">better-auth-rate-limiter</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nf">betterAuth</span><span class="p">({</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span> <span class="nf">rateLimiter</span><span class="p">({</span> <span class="na">window</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="c1">// Time window in seconds</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="c1">// Max requests per window</span> <span class="na">storage</span><span class="p">:</span> <span class="dl">"</span><span class="s2">memory</span><span class="dl">"</span><span class="p">,</span> <span class="na">detection</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ip</span><span class="dl">"</span><span class="p">,</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <p>That's it. Your auth instance is now the central rate limiting authority — for auth routes <strong>and</strong> any other route you point at it.</p> <h2> Three Storage Backends </h2> <h3> Memory (default) </h3> <p>Zero dependencies, works immediately. Best for single-instance apps or development.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">rateLimiter</span><span class="p">({</span> <span class="na">storage</span><span class="p">:</span> <span class="dl">"</span><span class="s2">memory</span><span class="dl">"</span> <span class="p">})</span> </code></pre> </div> <h3> Database </h3> <p>Persists rate limit state across restarts and works across multiple server instances. Uses your existing Better Auth database — no extra setup needed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">rateLimiter</span><span class="p">({</span> <span class="na">storage</span><span class="p">:</span> <span class="dl">"</span><span class="s2">database</span><span class="dl">"</span> <span class="p">})</span> </code></pre> </div> <h3> Redis </h3> <p>Best for high-traffic production apps or horizontally scaled deployments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Redis</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">ioredis</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">redis</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Redis</span><span class="p">();</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nf">betterAuth</span><span class="p">({</span> <span class="na">secondaryStorage</span><span class="p">:</span> <span class="p">{</span> <span class="na">get</span><span class="p">:</span> <span class="p">(</span><span class="nx">key</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">key</span><span class="p">),</span> <span class="na">set</span><span class="p">:</span> <span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">,</span> <span class="nx">ttl</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">,</span> <span class="dl">"</span><span class="s2">EX</span><span class="dl">"</span><span class="p">,</span> <span class="nx">ttl</span> <span class="o">??</span> <span class="mi">3600</span><span class="p">),</span> <span class="na">delete</span><span class="p">:</span> <span class="p">(</span><span class="nx">key</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">del</span><span class="p">(</span><span class="nx">key</span><span class="p">),</span> <span class="p">},</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span> <span class="nf">rateLimiter</span><span class="p">({</span> <span class="na">storage</span><span class="p">:</span> <span class="dl">"</span><span class="s2">secondary-storage</span><span class="dl">"</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <h2> Three Detection Modes </h2> <p>Rate limit by <strong>IP address</strong> (default), <strong>authenticated user ID</strong>, or both:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// IP-based (unauthenticated traffic)</span> <span class="nf">rateLimiter</span><span class="p">({</span> <span class="na">detection</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ip</span><span class="dl">"</span> <span class="p">})</span> <span class="c1">// User-based (authenticated users only)</span> <span class="nf">rateLimiter</span><span class="p">({</span> <span class="na">detection</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span> <span class="p">})</span> <span class="c1">// Best of both: user ID when logged in, IP when not</span> <span class="nf">rateLimiter</span><span class="p">({</span> <span class="na">detection</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ip-and-user</span><span class="dl">"</span> <span class="p">})</span> </code></pre> </div> <p><code>"ip-and-user"</code> is great for apps where you want stricter limits for authenticated users without letting anonymous traffic slip through.</p> <h2> Custom Rules Per Route </h2> <p>The global limit is just the baseline. Override it for specific paths using wildcards:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">rateLimiter</span><span class="p">({</span> <span class="na">window</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">customRules</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// Stricter for login (brute-force protection)</span> <span class="dl">"</span><span class="s2">/api/auth/sign-in</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="na">window</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">5</span> <span class="p">},</span> <span class="c1">// Very strict for sign-up (bot protection)</span> <span class="dl">"</span><span class="s2">/api/auth/sign-up</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="na">window</span><span class="p">:</span> <span class="mi">3600</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">3</span> <span class="p">},</span> <span class="c1">// Wildcard: limit all AI endpoints</span> <span class="dl">"</span><span class="s2">/api/ai/*</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="na">window</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">10</span> <span class="p">},</span> <span class="c1">// Disable entirely for health checks</span> <span class="dl">"</span><span class="s2">/api/health</span><span class="dl">"</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> </code></pre> </div> <p>The wildcard support (<code>*</code> for single segment, <code>**</code> for multi-segment) makes it easy to apply rules to entire areas of your API.</p> <h2> Rate Limit Any API Route </h2> <p>This is the main use case beyond auth. Call <code>checkRateLimit()</code> from <strong>any</strong> Next.js route handler — AI endpoints, payment flows, form submissions, whatever you need to protect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/app/api/generate/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">api</span><span class="p">.</span><span class="nf">checkRateLimit</span><span class="p">({</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Too many requests</span><span class="dl">"</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">retryAfter</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">429</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Call your LLM, charge the card, whatever — safely throttled</span> <span class="p">}</span> </code></pre> </div> <p>The path you pass in is matched against your <code>customRules</code>, so you can give <code>/api/generate</code> a much stricter limit than your public endpoints without any extra setup.</p> <h2> Protect Everything at Once with Next.js Middleware </h2> <p>For full-coverage protection, add rate limiting at the middleware level. Every API request gets checked before it hits your route handlers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">;</span> <span class="c1">// Skip Better Auth's own routes — already handled by the plugin</span> <span class="k">if </span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth</span><span class="dl">"</span><span class="p">))</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">api</span><span class="p">.</span><span class="nf">checkRateLimit</span><span class="p">({</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Too many requests</span><span class="dl">"</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">retryAfter</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">429</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="nx">response</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">X-RateLimit-Limit</span><span class="dl">"</span><span class="p">,</span> <span class="nc">String</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">limit</span><span class="p">));</span> <span class="nx">response</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">X-RateLimit-Remaining</span><span class="dl">"</span><span class="p">,</span> <span class="nc">String</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">remaining</span><span class="p">));</span> <span class="k">return</span> <span class="nx">response</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/api/:path*</span><span class="dl">"</span><span class="p">],</span> <span class="p">};</span> </code></pre> </div> <h2> Standard Response Headers </h2> <p>Every response includes <code>X-RateLimit-*</code> headers so clients know their current limit, how many requests are left, and when the window resets — no guessing required.</p> <h2> Wrapping Up </h2> <p><code>better-auth-rate-limiter</code> gives you:</p> <ul> <li> <strong>Three storage backends</strong> — memory, database, Redis</li> <li> <strong>Three detection modes</strong> — IP, user, or both</li> <li> <strong>Per-route custom rules</strong> with wildcard support</li> <li> <strong>Standard rate limit headers</strong> out of the box</li> <li><strong>Full TypeScript support</strong></li> </ul> <p>It's a community plugin, MIT licensed, and takes about 5 minutes to set up.</p> <ul> <li><a href="https://www.npmjs.com/package/better-auth-rate-limiter" rel="noopener noreferrer">npm</a></li> <li><a href="https://github.com/lutz-grex/better-auth-rate-limiter" rel="noopener noreferrer">GitHub</a></li> </ul> <p><em>Have feedback or a use case this doesn't cover? Open an issue on GitHub.</em></p> webdev typescript nextjs auth