At our company we use better auth for every product that has any kind of user account logic. It’s great since it’s drop-in, the plugins give so much functionality that you’d have to roll on your own in so little time and the integrations with ORMs like drizzle and prisma mean that your schemas stay the SSOT that they should be, even for auth. It’s extensible where it needs to be and brings defaults that are more than sane. Also the RPC-like TypeScript client that you also get for free is so good I don’t know how I could live without that.
Glazing over, I just wanted to give props and say that whatever good happens to better-auth, it deserves it.
I am also interested in how they plan to monetise it. I love the library and the success story but hope that the weight of this VC money doesn’t impact its awesomeness.
Will this be monetized with the classic SSO enterprise subscription play? Would be nice if they are transparent on how they plan to make money.
The DX is quite nice, even though not well suited for existing projects as it is hard to migrate existing users. There is no easy way to keep existing sessions or do a legacy login, then migrate a user to the new better-auth supplied hashing function.
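The migration the comment above asks for (keep a legacy login working, then move each user to the new hash on their next successful login) is a general pattern, shown here as an added example that is not Better Auth's code or API. It uses only Node's built-in crypto; the legacy `sha256$salt$digest` format, the scrypt target format and the `UserRecord`, `verifyPassword` and `loginAndMigrate` names are assumptions for illustration.

```typescript
// Added example (not Better Auth code): rehash-on-login migration of password hashes.
// A record keeps whichever hash scheme it currently has. On a successful login against a
// legacy hash, the plaintext is in hand, so the record is upgraded to the new scheme.
import { createHash, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Assumed legacy format: "sha256$<salt-hex>$<digest-hex>" (salted SHA-256, a weak scheme).
// Assumed new format:    "scrypt$<salt-hex>$<key-hex>".
export type UserRecord = { id: string; passwordHash: string };

const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 };
const SCRYPT_KEYLEN = 32;

/** Produces a hash in the assumed legacy format (only needed to build fixtures/old records). */
export function legacyHash(password: string, saltHex: string): string {
  const digest = createHash("sha256").update(saltHex + password).digest("hex");
  return `sha256$${saltHex}$${digest}`;
}

/** Produces a hash in the new scrypt format with a fresh random salt. */
export function newHash(password: string, salt: Buffer = randomBytes(16)): string {
  const key = scryptSync(password, salt, SCRYPT_KEYLEN, SCRYPT_PARAMS);
  return `scrypt$${salt.toString("hex")}$${key.toString("hex")}`;
}

// Constant-time comparison so a wrong guess fails in the same time regardless of which byte differs.
function constantTimeEqualHex(a: string, b: string): boolean {
  const ab = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

/** Verifies a password against whichever scheme the stored hash uses. */
export function verifyPassword(password: string, stored: string): boolean {
  const [scheme, saltHex, digestHex] = stored.split("$");
  if (!scheme || !saltHex || !digestHex) return false;
  if (scheme === "scrypt") {
    const key = scryptSync(password, Buffer.from(saltHex, "hex"), SCRYPT_KEYLEN, SCRYPT_PARAMS);
    return constantTimeEqualHex(key.toString("hex"), digestHex);
  }
  if (scheme === "sha256") {
    const digest = createHash("sha256").update(saltHex + password).digest("hex");
    return constantTimeEqualHex(digest, digestHex);
  }
  return false; // unknown scheme: fail closed
}

/** Login path: verify with the stored scheme; upgrade legacy hashes only after a successful check. */
export function loginAndMigrate(user: UserRecord, password: string): { ok: boolean; migrated: boolean } {
  if (!verifyPassword(password, user.passwordHash)) return { ok: false, migrated: false };
  if (user.passwordHash.startsWith("scrypt$")) return { ok: true, migrated: false };
  user.passwordHash = newHash(password); // persist this in the real user store
  return { ok: true, migrated: true };
}
```

Once every active user has logged in once, the remaining `sha256$` records belong to dormant accounts and can be handled by a forced reset rather than kept around indefinitely.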
What is your personal framework for determining if a founder is an outlier or not? Given how many people you've seen go through YC, and chatting with most of the batch, what stands out to you?
For folks that are using better-auth: are you using anything to build your frontend with? Or just writing it from scratch?
I was interested in trying this out but was kinda surprised to find this is just an sdk with no components.
I remember how basically better auth got a huge lead because lucia was shut down by its dev for their own reasons which I admittedly have forgotten but they made sense and the community had accepted it.
But those who hadn't started using better auth more. And now I guess it's crazy how I felt as if this would be just a small project like lucia in the sense of it's just created for the passion and the art, but now it has raised $5 million, I wonder if the community wanted this to be an artisanal-like project like lucia before its end or what the community thinks of this move. Since VC and open source have some inherent compromises with each other and I guess I just wanted to write this to hear more about people who are using better auth in prod and what they think of what this VC funding.
This is why I love Lucia. They took the "teach a man to fish" route when they converted to a docs only approach. Now I've got my own auth system and understand a lot more about security.
I wonder how many users of Better Auth are individuals using it for their hobby projects and how many are companies/freelancers making money. Everyone is expecting great software but almost no one is contributing back in any way. If people were supporting such projects, there would be no need for vc money, right?
As an indie hacker using better auth, I’m somewhat skeptical of there now being VC money in the mix (enshittification is a process that starts with VC money).
But from my time working for enterprise, they often prefer OSS products that are well-funded for their stacks so they can rely on them for a longer amount of time. So I’d suppose this would help in that regard. Also having a cloak-like SaaS solution might be nice for those who don’t want to host their own infra, though I’d advise against relying on third parties for auth.
I hope they will also develop a self-hosted standalone service/node which hosts accounts and can support JWTs which I could verify on my own servers so the BetterAuth node would issue JWTs signed with a secret key I provided as an ENV var, then I could verify the JWTs on my own servers. This would be a neat decoupling. Could be offered as a SaaS service as well.
It's usually best to verify JWTs using an asymmetric keypair, that way the BetterAuth node can sign the JWT, and your servers can use something like JWKS to get the public key.
Lessens where the secret key needs to be.
The exception is if:
* you control all the nodes and are confident in the security of all of them now and going forward AND
* speed is critical (using HMAC to sign JWTs is faster) AND
* you've benchmarked and signing speed is a significant portion of response time
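The split the two comments above describe (the auth node holds the private key and issues tokens; the application servers hold no secret at all and verify against the published JWKS), as an added example that is not code from Better Auth, Stack Auth or anyone in this thread. It uses only Node's built-in crypto; the `Issuer` class, `verifyJwt` function, the `kid` value and the issuer URL are illustrative assumptions. The verifier also pins the algorithm to RS256 so a token cannot pick `none` or an HMAC algorithm for itself, and checks `iss` and `exp`.

```typescript
// Added example (not Better Auth code): RS256 JWT issuance on one node, verification
// elsewhere using only the public JWKS. Names and the issuer URL are assumptions.
import { createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";
import type { JsonWebKey, KeyObject } from "node:crypto";

type Claims = { iss: string; sub: string; iat: number; exp: number };
type VerifyResult = { ok: true; claims: Claims } | { ok: false; reason: string };

const b64u = (data: Buffer | string): string => Buffer.from(data).toString("base64url");
const fromB64u = (s: string): Buffer => Buffer.from(s, "base64url");
const nowSeconds = (): number => Math.floor(Date.now() / 1000);

/** Issuer side: the only place the private key ever lives. */
export class Issuer {
  private readonly privateKey: KeyObject;
  readonly jwks: { keys: JsonWebKey[] };

  constructor(readonly iss: string, readonly kid: string) {
    const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
    this.privateKey = privateKey;
    // Only the public half is exported; this object is what a jwks.json endpoint would serve.
    const jwk = publicKey.export({ format: "jwk" });
    this.jwks = { keys: [{ ...jwk, kid, alg: "RS256", use: "sig" }] };
  }

  issue(sub: string, ttlSeconds: number, now: number = nowSeconds()): string {
    const header = { alg: "RS256", typ: "JWT", kid: this.kid };
    const claims: Claims = { iss: this.iss, sub, iat: now, exp: now + ttlSeconds };
    const signingInput = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
    // RS256 = RSASSA-PKCS1-v1_5 with SHA-256, which is Node's default RSA signing padding.
    const signature = sign("sha256", Buffer.from(signingInput), this.privateKey);
    return `${signingInput}.${b64u(signature)}`;
  }
}

/** Verifier side: holds no secret, only the published JWKS. */
export function verifyJwt(
  token: string,
  jwks: { keys: JsonWebKey[] },
  expectedIss: string,
  now: number = nowSeconds(),
): VerifyResult {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed token" };
  const [h, p, s] = parts;

  let header: { alg?: string; kid?: string };
  try {
    header = JSON.parse(fromB64u(h).toString("utf8"));
  } catch {
    return { ok: false, reason: "bad header" };
  }

  // Pin the algorithm: the verifier decides, never the token (rejects "none" and HMAC algs).
  if (header.alg !== "RS256") return { ok: false, reason: `unexpected alg ${header.alg}` };

  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "RSA");
  if (!jwk) return { ok: false, reason: "unknown kid" };
  const publicKey = createPublicKey({ key: jwk, format: "jwk" });

  if (!verify("sha256", Buffer.from(`${h}.${p}`), publicKey, fromB64u(s))) {
    return { ok: false, reason: "bad signature" };
  }

  let claims: Claims;
  try {
    claims = JSON.parse(fromB64u(p).toString("utf8"));
  } catch {
    return { ok: false, reason: "bad payload" };
  }
  if (claims.iss !== expectedIss) return { ok: false, reason: "wrong issuer" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  return { ok: true, claims };
}

/** Negative test fixture: an unsigned "alg: none" token the verifier must reject. */
export function unsignedTokenFixture(claims: Claims): string {
  return `${b64u(JSON.stringify({ alg: "none", typ: "JWT" }))}.${b64u(JSON.stringify(claims))}.`;
}
```

In a deployment the application servers would fetch and cache the JWKS from the auth node's well-known URL and refresh it when they meet an unknown `kid`, which is also how key rotation works without redeploying anything. The HMAC alternative the comment mentions would require every verifying server to hold the signing secret, which is exactly the exposure the asymmetric design removes.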
Why does the article’s title state the country of origin of the developer? Does it matter? Is it a surprise that there are smart, business savvy developers across the globe?
It isn't a surprise for many, but my impression is that distribution of VC funds to African countries is highly inequitable. The article mentions that this is the first investment in an African founder for one of the involved VCs (Peak XV).
Aren’t we all self taught? I’m not sure why that part of the story is relevant. In over 15 years of this business, I’ve directly been on a team with probably 5-10 total people with a comp-sci degree — and that includes my time at Apple. Mark Zuckerberg was self-taught.
No, a lot of people go to college or "bootcamps" before entering the field. Given the amount of computer science graduates, I'd say we're not all self-taught.
This is awesome! I literally gave better-auth a spin 2 days ago and I was able to get it up and running within 15 minutes. I'm yet to try the plugins, but looks really easy to set up and work with, safe to say I'll be using it for future projects.
Kratos and Better Auth are almost orthogonal to one another. Kratos provides a comprehensive back end, but no front end at all - you have to write it yourself.
Better Auth is mostly focused on the front end.
You could use the two together, although I haven't seen anyone do that.
I have wasted so much time on third-party authentication frameworks like Ory Kratos that I wish we'd just written our own internal auth library. With Kratos we ended up customising it so heavily we could have just written our own. Same goes for ones that provided a frontend such as Keycloak.
Just tried to set up auth with it recently. And oh boy, so refreshing. Built auth once for a project years ago. Never again. Here just configured stuff, set up email and social creds and live!
The killer feature is that it's embeddable into your app. You don't have to host anything besides your app and your app's database.
I can't understand why people who aren't Google scale do it any other way. When you're at the point where you need a separate auth service I'd call that good problems to have.
Lucia has been converted into a kind of tutorial, which is another way of saying the author is going to college now and is busy or interested in other things.
As an aside OpenAuth seems dead. No activity for 2 months.
How does Peak XV compete with YC? Isn't YC just more proof for Peak XV? One could argue it competes with Surge or something, but YC is technically even more early stage than Surge.
[+] [-] chrisldgk|9 months ago|reply
[+] [-] dang|9 months ago|reply
Launch HN: Better Auth (YC X25) – Authentication Framework for TypeScript - https://news.ycombinator.com/item?id=44030492 - May 2025 (106 comments)
Better Auth – Authentication library for TypeScript - https://news.ycombinator.com/item?id=42272707 - Nov 2024 (32 comments)
Show HN: Comprehensive authentication library for TypeScript - https://news.ycombinator.com/item?id=41678652 - Sept 2024 (44 comments)
[+] [-] savrajsingh|9 months ago|reply
[+] [-] blackhaj7|9 months ago|reply
[+] [-] m3kw9|9 months ago|reply
[+] [-] burgerzzz|9 months ago|reply
[+] [-] shafyy|9 months ago|reply
It most certainly will at some point.
[+] [-] koakuma-chan|9 months ago|reply
[+] [-] joshdavham|9 months ago|reply
[+] [-] pinoy420|9 months ago|reply
[deleted]
[+] [-] BerlinKebab|9 months ago|reply
[deleted]
[+] [-] arend321|9 months ago|reply
[+] [-] arnavsahu336|9 months ago|reply
[+] [-] HPMOR|9 months ago|reply
[+] [-] nickzelei|9 months ago|reply
I found this https://better-auth-ui.com/
[+] [-] Imustaskforhelp|9 months ago|reply
[+] [-] snide|9 months ago|reply
[+] [-] Jnr|9 months ago|reply
[+] [-] chrisldgk|9 months ago|reply
[+] [-] socketcluster|9 months ago|reply
I'm also keeping tabs on https://github.com/stack-auth/stack-auth
[+] [-] mooreds|9 months ago|reply
[+] [-] voidmain0001|9 months ago|reply
[+] [-] ericyd|9 months ago|reply
[+] [-] revskill|9 months ago|reply
[+] [-] briandear|9 months ago|reply
[+] [-] bapak|9 months ago|reply
[+] [-] arvindparekh|9 months ago|reply
I didn't like the fact that it doesn't have built-in sign-in UI components, but gladly https://github.com/daveyplate/better-auth-ui solves it.
[+] [-] h1fra|9 months ago|reply
[+] [-] mooreds|9 months ago|reply
> Engida says Better Auth, currently free to use, will focus on improving its core features and launch a paid enterprise infrastructure that plugs into its open source base. This will give developers the flexibility to self-host or opt for Better Auth’s cloud add-ons as needed.
So open-core and cloud hosting, it seems.
[+] [-] sebmellen|9 months ago|reply
[+] [-] trollbridge|9 months ago|reply
[+] [-] mooreds|9 months ago|reply
I addressed that here, straight from the article. Basically open-core and hosting.
https://news.ycombinator.com/item?id=44388741
[+] [-] TrySound|9 months ago|reply
[+] [-] exiguus|9 months ago|reply
How does it compare to something mature like Keycloak?
And what is the difference to just self-hosting Supabase?
[+] [-] Spivak|9 months ago|reply
[+] [-] yewenjie|9 months ago|reply
[+] [-] vivzkestrel|9 months ago|reply
[+] [-] threatofrain|9 months ago|reply
[+] [-] dancerofaran|9 months ago|reply
one of the best libraries in the ecosystem. it's basically open-source Clerk without the baggage of needing to trust someone else's security story
[+] [-] alephnerd|9 months ago|reply
[+] [-] fakedang|9 months ago|reply
[+] [-] govindsb|9 months ago|reply