proofgeist/better-auth-setup
packages/better-auth/skills/better-auth-setup/SKILL.md
Set up self-hosted authentication with better-auth using FileMaker as the database backend. Covers FileMakerAdapter, FMServerConnection, betterAuth config, migration via npx @proofkit/better-auth migrate, OData prerequisites, fmodata privilege, Full Access credentials for schema modification, plugin migration workflow, troubleshooting "filemaker is not supported" errors.
$ install --global
skillsauthnpx skillsauth add proofgeist/proofkit better-auth-setupInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 16, 2026, 5:30 AM139.4s1 file scanned
SKILL.md
- name:
- better-auth-setup
- description:
- >
- type:
- core
- library:
- proofkit
- library_version:
- 0.4.1
- - "proofsh/proofkit:
- apps/docs/content/docs/better-auth/*.mdx
Setup
Prerequisites
- OData enabled on FileMaker Server
- API credentials with
fmodataprivilege enabled - Read/write access to the better-auth tables
- Full Access credentials available for schema migration (can differ from runtime credentials)
Install packages
pnpm add @proofkit/better-auth @proofkit/fmodata
Configure auth.ts
import { betterAuth } from "better-auth";
import { FMServerConnection } from "@proofkit/fmodata";
import { FileMakerAdapter } from "@proofkit/better-auth";
const connection = new FMServerConnection({
serverUrl: process.env.FM_SERVER_URL!,
auth: {
username: process.env.FM_USERNAME!,
password: process.env.FM_PASSWORD!,
},
});
const db = connection.database(process.env.FM_DATABASE!);
export const auth = betterAuth({
database: FileMakerAdapter({ database: db }),
// add plugins, social providers, etc.
});
FileMakerAdapter accepts a FileMakerAdapterConfig:
database(required) -- an fmodataDatabaseinstancedebugLogs(optional) -- enable adapter debug loggingusePlural(optional) -- settrueif table names are plural
The adapter maps Better Auth operations (create, findOne, findMany, update, delete, count) to OData requests via db._makeRequest. It does not support JSON columns, native dates, or native booleans -- all values are stored as strings/numbers.
Alternative: Data API key (OttoFMS 4.11+)
const connection = new FMServerConnection({
serverUrl: process.env.FM_SERVER_URL!,
auth: {
apiKey: process.env.OTTO_API_KEY!,
},
});
OData must be enabled for the key.
Core Patterns
1. Initial migration
After configuring auth.ts, run the migration CLI to create tables and fields in FileMaker:
npx @proofkit/better-auth migrate
The CLI:
- Loads your
auth.tsconfig (auto-detected or via--config <path>) - Calls
getSchema()frombetter-auth/dbto determine required tables/fields - Fetches current OData metadata via
db.getMetadata() - Computes a diff: tables to create, fields to add to existing tables
- Prints the migration plan and prompts for confirmation
- Executes via
db.schema.createTable()anddb.schema.addFields()
Only schema is modified. No layouts or relationships are created.
If your runtime credentials lack Full Access, override for migration only:
npx @proofkit/better-auth migrate --username "admin" --password "admin_pass"
Skip confirmation with -y:
npx @proofkit/better-auth migrate -y
2. Adding plugins and re-migrating
When you add a Better Auth plugin (e.g. twoFactor, organization), it declares additional tables/fields. After updating auth.ts:
import { betterAuth } from "better-auth";
import { twoFactor } from "better-auth/plugins";
import { FMServerConnection } from "@proofkit/fmodata";
import { FileMakerAdapter } from "@proofkit/better-auth";
const connection = new FMServerConnection({
serverUrl: process.env.FM_SERVER_URL!,
auth: {
username: process.env.FM_USERNAME!,
password: process.env.FM_PASSWORD!,
},
});
const db = connection.database(process.env.FM_DATABASE!);
export const auth = betterAuth({
database: FileMakerAdapter({ database: db }),
plugins: [twoFactor()],
});
Re-run migration:
npx @proofkit/better-auth migrate
The planner diffs against existing metadata, so only new tables/fields are added. Existing tables are left untouched.
3. Troubleshooting privilege errors
When migration fails with OData error code 207, the account lacks schema modification privileges. The CLI outputs:
Failed to create table "tableName": Cannot modify schema.
The account used does not have schema modification privileges.
Use --username and --password to provide Full Access credentials.
Fix: provide Full Access credentials via CLI flags. These are only used for migration, not at runtime.
Common Mistakes
[CRITICAL] Using better-auth CLI instead of @proofkit/better-auth
Wrong:
npx better-auth migrate
Correct:
npx @proofkit/better-auth migrate
The standard better-auth CLI does not know about the FileMaker adapter and produces: ERROR [Better Auth]: filemaker is not supported. If it is a custom adapter, please request the maintainer to implement createSchema. The @proofkit/better-auth CLI loads your auth config, extracts the Database instance from the adapter, and handles migration via fmodata's schema API.
Source: apps/docs/content/docs/better-auth/troubleshooting.mdx
[HIGH] Missing Full Access credentials for schema migration
Wrong:
# Using runtime credentials that only have fmodata privilege
npx @proofkit/better-auth migrate
# Fails with OData error 207: Cannot modify schema
Correct:
npx @proofkit/better-auth migrate --username "full_access_user" --password "full_access_pass"
Schema modification (db.schema.createTable, db.schema.addFields) requires [Full Access] privileges. Standard API accounts with fmodata privilege can read/write data but cannot alter schema. The CLI accepts --username and --password flags to override credentials for migration only.
Source: packages/better-auth/src/cli/index.ts, packages/better-auth/src/migrate.ts
[HIGH] Removing fields added by migration
Wrong:
Manually deleting "unused" fields from better-auth tables in FileMaker
Correct:
Keep all fields created by migration, even if you don't plan to use them
Better Auth expects all schema fields to exist at runtime. The adapter issues OData requests that reference these fields. Removing them causes runtime errors when Better Auth attempts to read or write those columns.
Source: apps/docs/content/docs/better-auth/installation.mdx
[HIGH] Forgetting to re-run migration after adding plugins
Wrong:
// Added twoFactor() plugin to auth.ts but did not re-run migration
export const auth = betterAuth({
database: FileMakerAdapter({ database: db }),
plugins: [twoFactor()],
});
// Runtime errors: tables/fields for twoFactor don't exist
Correct:
# After adding any plugin to auth.ts, always re-run:
npx @proofkit/better-auth migrate
Each plugin declares additional tables and fields via getSchema(). The migration planner diffs the full schema (including plugins) against current OData metadata. Without re-running, the new tables/fields don't exist and Better Auth throws at runtime.
Source: apps/docs/content/docs/better-auth/installation.mdx
References
- fmodata-client -- Better Auth uses fmodata
Databaseunder the hood for all OData requests.FMServerConnectionanddatabase()must be configured beforeFileMakerAdaptercan work. The adapter callsdb._makeRequest()for CRUD anddb.schema.*for migrations.
Related Skills
proofgeist/webdirect-runtime
development
VerifiedTrustedCommunity
FileMaker WebDirect ProofKit Web Viewer runtime behavior refresh resilience session state localStorage browser resize reload same deployment embedded bundle avoid separate deployment avoid separate web server @proofkit/webviewer fmFetch callFMScript WebViewerAdapter WebDirect page refresh
14SKILL.mdUpdated May 7, 2026
proofgeist/webviewer-integration
development
VerifiedTrustedCommunity
webviewer fmFetch callFMScript WebViewerAdapter globalSettings setWebViewerName SendCallback window.FileMaker browser-only FileMaker Web Viewer script execution fire-and-forget FMScriptOption PerformScript callback fetchId handleFmWVFetchCallback
14SKILL.mdUpdated Apr 18, 2026
proofgeist/typegen-fmodata
development
VerifiedTrustedCommunity
ENTRY POINT for @proofkit/fmodata projects. Generate TypeScript table schemas with entity IDs from FileMaker OData metadata using @proofkit/typegen. Covers proofkit-typegen-config.jsonc for OData mode, npx @proofkit/typegen setup, fmTableOccurrence generation, entity IDs (FMFID/FMTID), generated output structure, field exclusion, type overrides, InferTableSchema, env var configuration, OData prerequisites, fmodata privilege, and why typegen is required for entity ID correctness.
14SKILL.mdUpdated Apr 18, 2026
proofgeist/odata-query-optimization
development
VerifiedTrustedCommunity
OData performance patterns for @proofkit/fmodata. Covers defaultSelect schema vs all, select() for minimal field fetching, select("all") override, pagination with top/skip, default 1000 record limit, batch operations for reducing round trips, entity IDs FMFID FMTID for rename resilience, null field query performance, getQueryString() debugging, relationship query performance testing, FileMaker OData optimization, avoiding OData service overload during testing.
14SKILL.mdUpdated Apr 18, 2026