akghosh111/create-auth-skill
.agents/skills/create-auth-skill/SKILL.md
Skill for creating auth layers in TypeScript/JavaScript apps using Better Auth.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add akghosh111/scyra create-auth-skillInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 9:41 PM2.0s1 file scanned
SKILL.md
- name:
- create-auth-skill
- description:
- Skill for creating auth layers in TypeScript/JavaScript apps using Better Auth.
Create Auth Skill
Guide for adding authentication to TypeScript/JavaScript applications using Better Auth.
For code examples and syntax, see better-auth.com/docs.
Decision Tree
Is this a new/empty project?
├─ YES → New project setup
│ 1. Identify framework
│ 2. Choose database
│ 3. Install better-auth
│ 4. Create auth.ts + auth-client.ts
│ 5. Set up route handler
│ 6. Run CLI migrate/generate
│ 7. Add features via plugins
│
└─ NO → Does project have existing auth?
├─ YES → Migration/enhancement
│ • Audit current auth for gaps
│ • Plan incremental migration
│ • See migration guides in docs
│
└─ NO → Add auth to existing project
1. Analyze project structure
2. Install better-auth
3. Create auth config
4. Add route handler
5. Run schema migrations
6. Integrate into existing pages
Installation
Core: npm install better-auth
Scoped packages (as needed):
| Package | Use case |
|---------|----------|
| @better-auth/passkey | WebAuthn/Passkey auth |
| @better-auth/sso | SAML/OIDC enterprise SSO |
| @better-auth/stripe | Stripe payments |
| @better-auth/scim | SCIM user provisioning |
| @better-auth/expo | React Native/Expo |
Environment Variables
BETTER_AUTH_SECRET=<32+ chars, generate with: openssl rand -base64 32>
BETTER_AUTH_URL=http://localhost:3000
DATABASE_URL=<your database connection string>
Add OAuth secrets as needed: GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, GOOGLE_CLIENT_ID, etc.
Server Config (auth.ts)
Location: lib/auth.ts or src/lib/auth.ts
Minimal config needs:
database- Connection or adapteremailAndPassword: { enabled: true }- For email/password auth
Standard config adds:
socialProviders- OAuth providers (google, github, etc.)emailVerification.sendVerificationEmail- Email verification handleremailAndPassword.sendResetPassword- Password reset handler
Full config adds:
plugins- Array of feature pluginssession- Expiry, cookie cache settingsaccount.accountLinking- Multi-provider linkingrateLimit- Rate limiting config
Export types: export type Session = typeof auth.$Infer.Session
Client Config (auth-client.ts)
Import by framework:
| Framework | Import |
|-----------|--------|
| React/Next.js | better-auth/react |
| Vue | better-auth/vue |
| Svelte | better-auth/svelte |
| Solid | better-auth/solid |
| Vanilla JS | better-auth/client |
Client plugins go in createAuthClient({ plugins: [...] }).
Common exports: signIn, signUp, signOut, useSession, getSession
Route Handler Setup
| Framework | File | Handler |
|-----------|------|---------|
| Next.js App Router | app/api/auth/[...all]/route.ts | toNextJsHandler(auth) → export { GET, POST } |
| Next.js Pages | pages/api/auth/[...all].ts | toNextJsHandler(auth) → default export |
| Express | Any file | app.all("/api/auth/*", toNodeHandler(auth)) |
| SvelteKit | src/hooks.server.ts | svelteKitHandler(auth) |
| SolidStart | Route file | solidStartHandler(auth) |
| Hono | Route file | auth.handler(c.req.raw) |
Next.js Server Components: Add nextCookies() plugin to auth config.
Database Migrations
| Adapter | Command |
|---------|---------|
| Built-in Kysely | npx @better-auth/cli@latest migrate (applies directly) |
| Prisma | npx @better-auth/cli@latest generate --output prisma/schema.prisma then npx prisma migrate dev |
| Drizzle | npx @better-auth/cli@latest generate --output src/db/auth-schema.ts then npx drizzle-kit push |
Re-run after adding plugins.
Database Adapters
| Database | Setup |
|----------|-------|
| SQLite | Pass better-sqlite3 or bun:sqlite instance directly |
| PostgreSQL | Pass pg.Pool instance directly |
| MySQL | Pass mysql2 pool directly |
| Prisma | prismaAdapter(prisma, { provider: "postgresql" }) from better-auth/adapters/prisma |
| Drizzle | drizzleAdapter(db, { provider: "pg" }) from better-auth/adapters/drizzle |
| MongoDB | mongodbAdapter(db) from better-auth/adapters/mongodb |
Common Plugins
| Plugin | Server Import | Client Import | Purpose |
|--------|---------------|---------------|---------|
| twoFactor | better-auth/plugins | twoFactorClient | 2FA with TOTP/OTP |
| organization | better-auth/plugins | organizationClient | Teams/orgs |
| admin | better-auth/plugins | adminClient | User management |
| bearer | better-auth/plugins | - | API token auth |
| openAPI | better-auth/plugins | - | API docs |
| passkey | @better-auth/passkey | passkeyClient | WebAuthn |
| sso | @better-auth/sso | - | Enterprise SSO |
Plugin pattern: Server plugin + client plugin + run migrations.
Auth UI Implementation
Sign in flow:
signIn.email({ email, password })orsignIn.social({ provider, callbackURL })- Handle
errorin response - Redirect on success
Session check (client): useSession() hook returns { data: session, isPending }
Session check (server): auth.api.getSession({ headers: await headers() })
Protected routes: Check session, redirect to /sign-in if null.
Security Checklist
- [ ]
BETTER_AUTH_SECRETset (32+ chars) - [ ]
advanced.useSecureCookies: truein production - [ ]
trustedOriginsconfigured - [ ] Rate limits enabled
- [ ] Email verification enabled
- [ ] Password reset implemented
- [ ] 2FA for sensitive apps
- [ ] CSRF protection NOT disabled
- [ ]
account.accountLinkingreviewed
Troubleshooting
| Issue | Fix |
|-------|-----|
| "Secret not set" | Add BETTER_AUTH_SECRET env var |
| "Invalid Origin" | Add domain to trustedOrigins |
| Cookies not setting | Check baseURL matches domain; enable secure cookies in prod |
| OAuth callback errors | Verify redirect URIs in provider dashboard |
| Type errors after adding plugin | Re-run CLI generate/migrate |
Resources
- Docs
- Examples
- Plugins
- CLI
- Migration Guides
Related Skills
akghosh111/webhook-integration
development
VerifiedTrustedCommunity
Complete guide for setting up and handling Dodo Payments webhooks for real-time payment event notifications.
SKILL.mdUpdated Apr 16, 2026
akghosh111/web-design-guidelines
development
VerifiedTrustedCommunity
Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".
SKILL.mdUpdated Apr 16, 2026
akghosh111/two-factor-authentication-best-practices
tools
VerifiedTrustedCommunity
This skill provides guidance and enforcement rules for implementing secure two-factor authentication (2FA) using Better Auth's twoFactor plugin.
SKILL.mdUpdated Apr 16, 2026
akghosh111/subscription-integration
documentation
VerifiedTrustedCommunity
Guide for implementing subscription billing with Dodo Payments - trials, upgrades, downgrades, and on-demand billing.
SKILL.mdUpdated Apr 16, 2026