The first time I wired auth into a side project, I reached for a hosted vendor because everyone told me not to roll my own. That advice is correct, but it quietly smuggles in a second claim: that the only alternative to rolling your own is renting someone else's. For years that was roughly true in the TypeScript world. You either hand-rolled sessions and prayed, or you handed identity to Clerk or Auth0 and accepted that your users' accounts lived on someone else's servers, behind someone else's pricing page.
Better Auth is the library that finally made me question that binary. It is open source, TypeScript-first, and self-hosted — meaning it runs inside your own application against your own database, and there is no third-party auth service in the request path at all. I have run it across two projects over the past few weeks, one a small Next.js app and one a SvelteKit dashboard, and this review is what I learned about where it shines, where it bites, and who should actually use it.
What "self-hosted, framework-agnostic" actually buys you
The two phrases in that heading are doing a lot of work, so it is worth slowing down on them.
Self-hosted means the auth logic and the user data both live in your stack. Better Auth is a library you install, not an API you call out to. When a user signs up, the row lands in your Postgres or MySQL or SQLite, in tables Better Auth manages through a schema you can inspect and migrate yourself. There is no external dashboard that is the source of truth for your users, and no monthly active user meter ticking in the background. If your app is running and your database is up, auth works — there is no separate vendor whose outage becomes your outage.
Framework-agnostic means the core is not married to any one web framework. Better Auth ships a core that handles the actual auth work — sessions, tokens, password hashing, OAuth flows — and then thin integrations for the framework you happen to use. Next.js, Nuxt, SvelteKit, SolidStart, Astro, plain Node, and others all get adapters that wire the core into that framework's request and response model. In practice this meant the mental model I learned on the Next.js project transferred almost completely to the SvelteKit one. The handler mounting differed, the session-reading helper differed, but the concepts and the configuration object were the same.
That portability is the quiet superpower. If you have ever migrated a codebase off a framework and discovered that your auth was the most deeply entangled, hardest-to-move part of the whole thing, you understand why a framework-agnostic core is worth caring about.
The feature surface: email, OAuth, 2FA, and orgs
Out of the box, the core covers email and password authentication properly — secure password hashing, email verification flows, password reset, and session management with sensible defaults. This is the part people most often get subtly wrong when they hand-roll, and it is reassuring to have it handled by code that many other teams are also exercising in production.
Social OAuth is built in and broad. The usual providers — Google, GitHub, Apple, Discord, and a long list of others — are configured by dropping in a client ID and secret rather than installing a separate package per provider. Linking a social account to an existing email account, and handling the case where someone signs up with Google and later tries email, are handled paths rather than things you discover are broken in production.
Two-factor authentication comes through the plugin system (more on that below) and covers TOTP authenticator apps plus backup codes, with the option to layer in other factors. Setting up TOTP on the Next.js project took me an afternoon including the QR-code rendering on the client, which is about as painless as 2FA gets.
The feature that genuinely surprised me was organizations. Better Auth has first-class support for multi-tenancy: organizations, members, roles, and invitations, with an access-control model you configure. If you are building B2B SaaS where users belong to companies and companies have admins and seats, this is normally where a hosted vendor starts charging real money or where a hand-rolled solution turns into a swamp. Having it as a supported plugin in a self-hosted library is a meaningful differentiator.
The flip side of no vendor in the request path is that there is no vendor on the incident bridge either. If a session-fixation issue or a token-leak class of bug is discovered, a hosted provider patches it server-side and you may never even hear about it. With Better Auth you are responsible for tracking releases, applying security updates, and keeping your database schema migrated. The library does the hard cryptographic and protocol work correctly, but the operational vigilance — patching promptly, rotating secrets, monitoring for abuse — is now your job. Budget for that ongoing attention, not just the initial integration.
The plugin system and database adapters
Two architectural choices make Better Auth feel less like a fixed product and more like a foundation: the plugin system and the adapter layer.
The plugin system is how almost everything beyond core auth is delivered. Two-factor, organizations, passkeys, magic links, rate limiting, and similar capabilities are plugins you enable in your config rather than features baked into a monolith. Each plugin can extend the database schema, add server endpoints, and expose client methods, and many ship a matching client-side plugin so the typed client knows about the new functionality. The result is that you only carry the auth surface area you actually use. A bare email-and-password app stays small; a B2B app with orgs, passkeys, and 2FA opts into exactly those pieces. I appreciated that I never paid in complexity for features I had not turned on.
The adapter layer is the other half. Better Auth does not ship its own ORM or force a particular database client. Instead it talks to your data through an adapter, and the first-class options cover the libraries most TypeScript teams already use: Drizzle, Prisma, and Kysely, plus direct drivers for common databases. On the Next.js project I was already on Drizzle with Postgres, so adoption meant pointing the Drizzle adapter at my existing connection and running the generated migration. Better Auth has a CLI that can generate the schema or the migration for your chosen adapter, which removes most of the tedious wiring. Because the tables live in your database alongside your application tables, you can write your own queries against users and sessions, join them to domain data, and back them up the same way you back up everything else.
This is a real philosophical difference from hosted auth. Your users are rows you own, in a schema you can read, in a database you already operate. There is no export step, no API to page through if you want to run an analytics query on signups, no risk that the vendor's data model and yours drift apart.
How it compares to Clerk, Auth0, and Lucia
Better Auth does not exist in a vacuum, and choosing it is really a choice about who carries which burden. Here is how I would position the main options.
Clerk is the most direct comparison and the one we cover elsewhere on this site. Clerk is hosted: it runs the auth service, stores your users, and — crucially — ships polished, prebuilt UI components for sign-in, sign-up, user profiles, and org management. That last part is the real reason teams pay for Clerk. You can have a production-looking auth flow on screen in well under an hour, and you never think about session security again because Clerk thinks about it for you. The trade is cost that scales with users and a vendor that owns your identity data. Better Auth gives you the ownership and removes the per-user pricing, but you build more of the UI yourself and you own the security posture.
Auth0 is the enterprise incumbent. If your requirements include enterprise SSO connectors, deep compliance certifications, and the kind of identity governance large organizations demand, Auth0 (and its kind) is playing a different and broader game than Better Auth. For a startup or a mid-sized product, Auth0 often feels like a lot of platform — and a lot of invoice — for what you actually need, which is part of why libraries like Better Auth have momentum.
Lucia deserves a mention because many developers found their way to self-hosted auth through it. Lucia was less a batteries-included product and more a way to understand and assemble session-based auth yourself, and its author has signaled a shift toward it being a learning resource rather than a maintained do-everything library. Better Auth occupies the slot a lot of people wanted Lucia to fill: self-hosted and yours, but with the orgs, 2FA, and OAuth already built and maintained.
Who should use Better Auth — and who should pay for Clerk instead
After living with it, my recommendation splits cleanly along one question: do you want to own auth, or do you want it to disappear?
Reach for Better Auth if data ownership is a real requirement — regulatory, contractual, or philosophical — and you cannot have user identity living on a third party's servers. Reach for it if you expect enough users that per-MAU pricing would become a meaningful line item, since a self-hosted library has no such meter. Reach for it if you are already self-hosting your database and want auth to be just another part of the stack you operate, queryable and backed up alongside everything else. And reach for it if framework portability matters, because the agnostic core genuinely travels.
Pay for Clerk instead if your scarcest resource is engineering time and attention. If you are a solo founder or a tiny team racing to validate a product, the hours Better Auth asks you to spend building UI and owning security are hours you might not have. Clerk's prebuilt components and managed security are worth real money precisely because they remove a category of work and worry entirely. There is no shame in renting that — it is often the correct call. As of mid-2026 Clerk's paid tiers start at roughly the low tens of dollars a month after a free allotment, which is trivial next to the cost of a session-handling bug you shipped yourself.
The honest summary is that Better Auth lowers the cost of the self-hosted path enough that "own your auth" is now a reasonable default for many teams, not a heroic undertaking. But lower is not zero. You are trading recurring vendor cost for recurring ownership cost, and the right answer depends entirely on which of those your team can better afford.
FAQ
Originally published at pickuma.com. Subscribe to the RSS or follow @pickuma.bsky.social for new reviews.
Top comments (0)