FEATURES / AUTH

Production-grade authentication, on day one.

Sessions, OAuth, magic-link, TOTP 2FA, backup codes, password reset, account lockouts. All wired to BetterAuth and rate-limited at the edge.

Everything in the box.

Email + password

argon2id hashing with sane defaults, password strength validation, 14-day session cookies signed with HS256.

OAuth providers

Google, GitHub, GitLab. Add more by dropping a config — BetterAuth handles the dance.

Magic-link

One-click email sign-in via React Email templates and your transactional provider of choice (Resend by default).

TOTP 2FA

Authenticator-app codes plus 8 single-use backup codes, encrypted at rest with a server-only secret.

Rate limiting

Per-IP and per-email throttles on login, register, and password reset. Redis-backed, sliding window.

Audit-ready

Every auth event (login, 2FA enable/disable, password change) lands in the audit log with actor + IP + UA.

Wired the way you would have wired it.

BetterAuth is fronted by an IUserRepository port in the application layer. The HTTP controllers are thin. You can swap BetterAuth for a different provider by writing one adapter — no business logic moves.

modules/iam/application/ports.ts
// Persistence port: user lookup, creation, and login bookkeeping.
export interface IUserRepository {
  findByEmail(email: string): Promise<User | null>;
  create(user: NewUser): Promise<User>;
  recordLogin(id: UserId, ip: string): Promise<void>;
}

// Provider port: the adapter (BetterAuth by default) implements sign-in and 2FA checks.
export interface IAuthProvider {
  signIn(creds: Credentials): Promise<Session>;
  verify2FA(code: string, userId: UserId): Promise<boolean>;
}

Notes on argon2.

argon2id is the default — memory-hard and side-channel-resistant. The parameters live in a single env block so ops can tune memory/time without touching code. Never roll your own hashing; UseDeploy doesn't.
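Because the argon2id parameters are tunable from the environment, a mistyped or lowered value can weaken hashing without any code change. The following added example (not UseDeploy's code) validates the env block at startup and flags stored hashes made with weaker parameters; the variable names `ARGON2_MEMORY_KIB`, `ARGON2_TIME_COST` and `ARGON2_PARALLELISM`, the defaults, and the floor (OWASP's published argon2id minimum) are assumptions.

```typescript
// Added example: env names, defaults and floor are assumptions, not UseDeploy's configuration.
type Argon2Params = { memoryKiB: number; timeCost: number; parallelism: number };
type Env = Record<string, string | undefined>;

// Floor: OWASP's published argon2id minimum (19 MiB memory, 2 iterations, 1 lane).
const FLOOR: Argon2Params = { memoryKiB: 19456, timeCost: 2, parallelism: 1 };
// Constructed defaults used when a variable is unset.
const DEFAULTS: Argon2Params = { memoryKiB: 65536, timeCost: 3, parallelism: 1 };

function readInt(env: Env, key: string, fallback: number): number {
  const raw = env[key]?.trim();
  if (raw === undefined || raw === "") return fallback;
  // Only plain decimal integers: rejects "64MB", "1e5", "-1".
  if (!/^\d+$/.test(raw)) throw new Error(`${key} must be an integer, got "${raw}"`);
  return Number(raw);
}

// Load parameters from the env block and refuse to start below the floor.
function loadArgon2Params(env: Env): Argon2Params {
  const p: Argon2Params = {
    memoryKiB: readInt(env, "ARGON2_MEMORY_KIB", DEFAULTS.memoryKiB),
    timeCost: readInt(env, "ARGON2_TIME_COST", DEFAULTS.timeCost),
    parallelism: readInt(env, "ARGON2_PARALLELISM", DEFAULTS.parallelism),
  };
  for (const k of Object.keys(FLOOR) as (keyof Argon2Params)[]) {
    if (p[k] < FLOOR[k]) throw new Error(`${k}=${p[k]} is below the floor ${FLOOR[k]}`);
  }
  return p;
}

// Parse the parameter segment of a stored PHC-format argon2id hash string.
function parsePhc(hash: string): Argon2Params | null {
  const m = /^\$argon2id\$v=19\$m=(\d+),t=(\d+),p=(\d+)\$/.exec(hash);
  return m ? { memoryKiB: Number(m[1]), timeCost: Number(m[2]), parallelism: Number(m[3]) } : null;
}

// True when a stored hash should be re-hashed after the next successful login:
// it is not argon2id v19, or it used less memory or fewer iterations than configured now.
function needsRehash(hash: string, current: Argon2Params): boolean {
  const stored = parsePhc(hash);
  if (stored === null) return true;
  return stored.memoryKiB < current.memoryKiB || stored.timeCost < current.timeCost;
}
```

Call `loadArgon2Params(process.env)` once at startup so a weak setting fails the deploy instead of silently producing weak hashes. Run `needsRehash` after a successful password check, so raising the parameters upgrades existing accounts over time.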

Skip the auth tax.

Six weeks of sessions, OAuth, 2FA, and password resets — already done.