Authentication Service
Configure Better Auth, GitHub OAuth, and Google OAuth
EasyStarter uses Better Auth as its authentication solution. It currently ships with:
- Email and password sign-in
- GitHub OAuth sign-in
- Google OAuth sign-in
The server-side configuration lives in apps/server/src/lib/auth.ts. In that file:
- GitHub callback URL: {SERVER_URL}/api/auth/callback/github
- Google callback URL: {SERVER_URL}/api/auth/callback/google
If you enable email verification or forgot password, complete the Email Service setup first.
Required Environment Variables
BETTER_AUTH_SECRET=
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
Get BETTER_AUTH_SECRET
BETTER_AUTH_SECRET is used by Better Auth to sign and encrypt session data. It should be a sufficiently long random string.
You can generate one yourself, for example:
openssl rand -base64 32
Copy the generated value into:
BETTER_AUTH_SECRET=your-long-random-secret
Create a GitHub OAuth App
GitHub OAuth is used for GitHub sign-in on web and native clients.
GitHub developer console: GitHub Developer Settings
- Sign in to GitHub and open Settings
- Go to Developer settings
- Open OAuth Apps
- Click New OAuth App
- Fill in the application details
These fields should typically be set like this:
- Application name: your product name
- Homepage URL: your website URL, for example https://yourdomain.com
- Authorization callback URL: {SERVER_URL}/api/auth/callback/github
For example, if your server URL is:
SERVER_URL=https://server.yourdomain.com
Then the callback URL should be:
https://server.yourdomain.com/api/auth/callback/github
In local development, easystarter uses http://localhost:3001 for the server by default, so this is usually:
http://localhost:3001/api/auth/callback/github
After creation, GitHub gives you:
- Client ID -> maps to GITHUB_CLIENT_ID
- Client Secret -> maps to GITHUB_CLIENT_SECRET
Create a Google OAuth Client
Google OAuth is used for Google sign-in on web and native clients.
Google Cloud Console: Google Cloud Console
- Sign in to Google Cloud Console
- Select or create a project
- Go to APIs & Services > Credentials
- Click Create Credentials
- Choose OAuth client ID
- If prompted, complete the OAuth consent screen first
- Set the application type to Web application
- Configure the allowed origins and callback URL
These fields should typically be set like this:
- Authorized JavaScript origins: your website URL, for example https://yourdomain.com
- Authorized redirect URIs: {SERVER_URL}/api/auth/callback/google
For example, if your server URL is:
SERVER_URL=https://server.yourdomain.com
Then the redirect URI should be:
https://server.yourdomain.com/api/auth/callback/google
In local development, easystarter uses http://localhost:3001 for the server by default, so this is usually:
http://localhost:3001/api/auth/callback/google
After creation, Google gives you:
- Client ID -> maps to GOOGLE_CLIENT_ID
- Client Secret -> maps to GOOGLE_CLIENT_SECRET
Set the environment variables
For local development, it is simplest to put everything into apps/server/.dev.vars:
BETTER_AUTH_SECRET=your-long-random-secret
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
For production, keep the sensitive values in apps/server/.env.production:
BETTER_AUTH_SECRET=your-long-random-secret
GITHUB_CLIENT_SECRET=your-github-client-secret
GOOGLE_CLIENT_SECRET=your-google-client-secret
GITHUB_CLIENT_ID and GOOGLE_CLIENT_ID are not secrets. In the current easystarter setup, they are usually placed in apps/server/wrangler.jsonc under vars:
"vars": {
  "GITHUB_CLIENT_ID": "your-github-client-id",
  "GOOGLE_CLIENT_ID": "your-google-client-id"
}
If you prefer not to split them, you can also keep these two values in .dev.vars during local development.
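A preflight check for the variables above, as an added example that is not part of EasyStarter or Better Auth. The names checkAuthEnv and callbackUrls, the 32-character minimum, and treating any value beginning with "your-" as an unreplaced placeholder are assumptions made for illustration.

```typescript
// Added example (not EasyStarter code): preflight check for this page's variables.
type Env = Record<string, string | undefined>;

const REQUIRED = ["BETTER_AUTH_SECRET", "GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET",
  "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"];
const MIN_SECRET_CHARS = 32; // assumption; `openssl rand -base64 32` prints 44 chars
const PLACEHOLDER = /^your-/; // matches the sample values shown on this page

// Redirect URLs that must be registered with GitHub and Google for a SERVER_URL.
function callbackUrls(serverUrl: string): { github: string; google: string } {
  const base = serverUrl.replace(/\/+$/, ""); // a trailing slash would yield "//api"
  return {
    github: `${base}/api/auth/callback/github`,
    google: `${base}/api/auth/callback/google`,
  };
}

// Returns human-readable problems; an empty array means the check passed.
function checkAuthEnv(env: Env, production: boolean): string[] {
  const problems: string[] = [];
  for (const name of REQUIRED) {
    const value = (env[name] ?? "").trim();
    if (value === "") problems.push(`${name} is not set`);
    else if (PLACEHOLDER.test(value)) problems.push(`${name} is still a placeholder`);
    else if (name === "BETTER_AUTH_SECRET" && value.length < MIN_SECRET_CHARS)
      problems.push(`${name} is shorter than ${MIN_SECRET_CHARS} characters`);
  }
  let url: URL | null = null;
  try {
    url = new URL(env["SERVER_URL"] ?? "");
  } catch {
    problems.push("SERVER_URL is not a valid absolute URL");
  }
  if (url !== null && production) {
    if (url.protocol !== "https:") problems.push("SERVER_URL must use https in production");
    if (url.hostname === "localhost") problems.push("SERVER_URL points at localhost");
  }
  return problems;
}

// Constructed sample: placeholder values from this page, checked as production.
const SAMPLE: Env = {
  SERVER_URL: "http://localhost:3001",
  BETTER_AUTH_SECRET: "your-long-random-secret",
  GITHUB_CLIENT_ID: "your-github-client-id",
};
console.log(checkAuthEnv(SAMPLE, true).join("\n"));
```

Running it before a deploy catches placeholder secrets and a SERVER_URL whose derived callback URLs would not match what was registered with the providers.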
What Better Auth Handles In This Project
In EasyStarter, Better Auth currently handles:
- Email/password sign-up and sign-in
- Email verification
- Forgot password
- GitHub sign-in
- Google sign-in
- Cookie-based session management
Core config file:
apps/server/src/lib/auth.ts
If you later want to add more providers such as Apple, Discord, or GitLab, this is usually where you extend socialProviders.