BetterAuth
Last verified 2026-05-18 · Reviewed by guptadeepak
Editorial verdict
BetterAuth is the most-discussed code-first open-source auth library in the TypeScript ecosystem in 2026: MIT-licensed, bring-your-own-database, extensible through a plugin architecture, with a DX that feels like a modern framework primitive rather than a SaaS. The trade-off is that, with no managed offering, the team owns the operational burden, the compliance story, and the production runtime. For teams that want auth as a library rather than a service, BetterAuth is a strong default; for teams that want managed compliance and SLAs, look elsewhere.
At a glance
- Best for
- TypeScript / Next.js teams that prefer code-first auth as a library, not a service
- Pricing
- free-open-source
- Free tier
- Unlimited
- Deployment
- self-hosted
- SOC 2 Type II
- No
- Passkeys
- Native
- Self-host
- Yes
- Open source
- Yes
Funding & business
- Funding model
- Venture-backed
- Total raised
- $5M
- Latest round
- Seed · $5M · 2025
- Years in business
- 2 yrs
- Round led by
- Peak XV Partners
- Profitable
- Not disclosed
Open-source TypeScript auth framework built solo by self-taught Ethiopian dev Bereket Engida; $5M seed (2025, YC S25).
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Code-first auth library with TypeScript-first DX; it feels like a modern framework primitive rather than a hosted SaaS.
- Plugin architecture keeps the surface composable: pull in only the auth methods you actually use.
- MIT licensing; bring your own database; no vendor lock-in.
- Rapidly growing community in the TypeScript ecosystem; widely cited as the modern OSS code-first auth pick.
Limitations
- No managed cloud offering; operational responsibility falls entirely on the team.
- No compliance attestations; the library cannot deliver SOC 2 / ISO / HIPAA on its own.
- Enterprise SAML federation is partial; not at Auth0 / WorkOS level.
- Fast-evolving; API stability is improving, but breaking changes still occur between minor versions.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Authentication | BetterAuth |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Partial |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Partial |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Partial |

| Authorization | BetterAuth |
|---|---|
| RBAC | Yes |
| ABAC | No |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Partial |

| User management | BetterAuth |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | No |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |

| Developer experience | BetterAuth |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, vue, svelte, remix, nuxt, solid |
| CLI | Yes |
| Terraform provider | No |
| Local emulator | Yes |
| Extension model | Plugin architecture (typed) + custom hooks |

| Security & privacy | BetterAuth |
|---|---|
| Bot detection | No |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Partial |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Partial |
| Post-quantum roadmap | No |

| Agentic / AI access | BetterAuth |
|---|---|
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | No |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Compliance | BetterAuth |
|---|---|
| SOC 2 Type II | No |
| ISO 27001 | No |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Consent | BetterAuth |
|---|---|
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| Scale (MAU) | Estimated monthly cost |
|---|---|
| 10,000 MAU | $50/mo |
| 100,000 MAU | $200/mo |
| 500,000 MAU | $800/mo |
| 1,000,000 MAU | $1,600/mo |
- Library is free under MIT; the figures above are estimated operational cost only (database, compute, email/SMS delivery)
- Bring your own database (Postgres / MySQL / SQLite / MongoDB)
- No managed cloud offering as of 2026
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- TypeScript / Next.js teams that prefer code-first auth as a library, not a service
- Self-hosted-only environments without managed-CIAM tolerance
- Greenfield startups that want to own the auth layer architecture
Not for
- Teams without operational capacity to run auth as part of their own infrastructure
- Workloads requiring SOC 2 / HIPAA / ISO 27001 / PCI DSS attestation at the auth layer
- Production B2B SaaS with serious enterprise federation requirements
FAQ
- Is BetterAuth a CIAM platform or an auth library?
- An auth library. There is no managed cloud offering: BetterAuth is installed via npm and runs inside your own application's runtime, backed by your own database. This is materially different from SaaS CIAM and from self-hosted managed products like Keycloak or FusionAuth.
- How does BetterAuth compare to NextAuth.js (Auth.js)?
- Both are code-first TypeScript auth libraries for Next.js and adjacent frameworks. BetterAuth gained mindshare in 2024–2025 for a cleaner API surface, better TypeScript ergonomics, and a more composable plugin architecture. NextAuth.js / Auth.js has the older, larger ecosystem. For new projects in 2026, BetterAuth is widely cited as the modern pick.
- Should I use BetterAuth or a SaaS CIAM?
- If you want auth as a library you control completely, BetterAuth. If you want managed compliance attestations, hosted Admin Portal UX, vendor SLAs, or to avoid running auth infrastructure yourself, pick a SaaS CIAM (Auth0, Clerk, Stytch, Kinde). The choice is architectural, not feature-based.
Sources
- BetterAuth Documentation, accessed 2026-04-22
- BetterAuth GitHub, accessed 2026-04-22
What BetterAuth is
BetterAuth is an open-source code-first auth library for the TypeScript / Next.js ecosystem, originating in 2024 and gaining significant adoption through 2025–2026 as the modern alternative to NextAuth.js (Auth.js). It is installed via npm, runs inside the application's own runtime, persists to a database the team owns, and exposes a plugin architecture for composing auth methods. There is no managed cloud offering; BetterAuth is a library, not a service.
Where BetterAuth wins
Code-first DX at the level of modern framework primitives. MIT licensing, bring-your-own-database, no vendor lock-in. The plugin architecture means the auth surface composes cleanly: pull in passkeys and organizations as separate plugins, and set social providers and rate limiting in the core options, rather than switching everything on through one monolithic configuration. Rapidly growing TypeScript ecosystem mindshare.
Where BetterAuth hurts
No managed offering means the team owns operational and compliance responsibility entirely; there is no SOC 2 attestation BetterAuth can deliver on your behalf. Enterprise federation is partial. The fast-evolving codebase still occasionally ships breaking changes between minor versions. For production B2B SaaS with serious compliance or federation requirements, a SaaS CIAM is usually the better answer.
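What "owning the runtime" means in practice, as an added example that is not BetterAuth's own code: a pre-deploy audit of the security-relevant fields of a BetterAuth-style server config, with a weak tutorial-grade config beside a hardened one. The option names mirror BetterAuth's documented top-level options (secret, baseURL, trustedOrigins, rateLimit, emailAndPassword, session, advanced.useSecureCookies) but are typed locally and nothing is imported from the library; the thresholds, the finding codes and the two sample configs are this example's own choices, not library defaults, so check the current docs before relying on a specific option name.

```typescript
// Added example (not BetterAuth's own code): audit the security-relevant
// fields of a BetterAuth-style server config before it reaches production.
// Option names mirror BetterAuth's documented options, but the type is
// declared locally and nothing from the library is imported.
// Thresholds (32-char secret, 12-char passwords, 30-day sessions, 10 req/s)
// are this example's choices, not library defaults.

type AuthConfig = {
  secret?: string;
  baseURL?: string;
  trustedOrigins?: string[];
  rateLimit?: { enabled?: boolean; window?: number; max?: number }; // window in seconds
  emailAndPassword?: { enabled?: boolean; minPasswordLength?: number };
  session?: { expiresIn?: number; updateAge?: number }; // seconds
  advanced?: { useSecureCookies?: boolean };
  plugins?: unknown[];
};

type Env = "production" | "development";
type Finding = { code: string; message: string };

// Placeholder secrets that tutorials ship with and that must never reach prod.
const PLACEHOLDER_SECRETS = new Set(["secret", "changeme", "better-auth-secret"]);
const MAX_SESSION_SECONDS = 30 * 24 * 60 * 60;

function auditAuthConfig(cfg: AuthConfig, env: Env = "production"): Finding[] {
  const findings: Finding[] = [];
  const prod = env === "production";

  // Signing secret: present, not a known placeholder, long enough to resist guessing.
  if (!cfg.secret) {
    findings.push({ code: "SECRET_MISSING", message: "no secret configured; sessions cannot be signed safely" });
  } else if (PLACEHOLDER_SECRETS.has(cfg.secret.toLowerCase()) || cfg.secret.length < 32) {
    findings.push({ code: "SECRET_WEAK", message: "secret is a placeholder or shorter than 32 characters" });
  }

  // baseURL drives cookie scope and OAuth callbacks; in production it must be https.
  if (prod && cfg.baseURL && !cfg.baseURL.startsWith("https://")) {
    findings.push({ code: "BASEURL_NOT_HTTPS", message: `baseURL ${cfg.baseURL} is not https` });
  }

  // trustedOrigins feeds origin/CSRF checks: a wildcard or plain-http origin widens them.
  for (const origin of cfg.trustedOrigins ?? []) {
    if (origin.includes("*")) {
      findings.push({ code: "ORIGINS_WILDCARD", message: `trustedOrigins contains wildcard ${origin}; confirm it is intended` });
    } else if (prod && origin.startsWith("http://")) {
      findings.push({ code: "ORIGIN_NOT_HTTPS", message: `trusted origin ${origin} is not https` });
    }
  }

  // Rate limiting: unset leaves the library default in place; only explicit weakening is flagged.
  const rl = cfg.rateLimit;
  if (rl?.enabled === false) {
    findings.push({ code: "RATELIMIT_DISABLED", message: "rate limiting explicitly disabled; login endpoints are open to brute force" });
  } else if (rl?.window && rl?.max && rl.max / rl.window > 10) {
    findings.push({ code: "RATELIMIT_LOOSE", message: `rateLimit allows ${rl.max} requests per ${rl.window}s` });
  }

  // Password policy only matters when email/password login is enabled; unset is treated as no policy.
  const ep = cfg.emailAndPassword;
  if (ep?.enabled && (ep.minPasswordLength ?? 0) < 12) {
    findings.push({ code: "PASSWORD_POLICY_WEAK", message: "minPasswordLength below 12 (or unset)" });
  }

  // Session lifetime: a year-long session turns one stolen cookie into a year of access.
  const expires = cfg.session?.expiresIn ?? 0;
  if (expires > MAX_SESSION_SECONDS) {
    findings.push({ code: "SESSION_LONG", message: `session expiresIn ${expires}s exceeds 30 days` });
  }

  // Secure cookie flag: off in production means the session cookie travels over plain http.
  if (prod && cfg.advanced?.useSecureCookies === false) {
    findings.push({ code: "COOKIES_INSECURE", message: "useSecureCookies is false in production" });
  }

  return findings;
}

// Sorted codes only, convenient for CI assertions and diffs.
function findingCodes(cfg: AuthConfig, env: Env = "production"): string[] {
  return auditAuthConfig(cfg, env).map((f) => f.code).sort();
}

// Constructed sample: a copy-pasted tutorial config promoted to production unchanged.
const weakConfig: AuthConfig = {
  secret: "changeme",
  baseURL: "http://localhost:3000",
  trustedOrigins: ["*"],
  rateLimit: { enabled: false },
  emailAndPassword: { enabled: true, minPasswordLength: 6 },
  session: { expiresIn: 60 * 60 * 24 * 365 },
  advanced: { useSecureCookies: false },
};

// Constructed sample: the same app done properly. The secret is a fixed hex string
// here only so the example runs offline; in a real deployment load it from a secret store.
const hardenedConfig: AuthConfig = {
  secret: "f3a9c1e7b25d4806917e0c4a5bd38f62e1a7c9d04b6f8e2a3c5d7b9f1e0a2c4d",
  baseURL: "https://app.example.com",
  trustedOrigins: ["https://app.example.com", "https://admin.example.com"],
  rateLimit: { enabled: true, window: 60, max: 30 },
  emailAndPassword: { enabled: true, minPasswordLength: 12 },
  session: { expiresIn: 60 * 60 * 24 * 7, updateAge: 60 * 60 * 24 },
  advanced: { useSecureCookies: true },
};

console.log("weak:", findingCodes(weakConfig));
console.log("hardened:", findingCodes(hardenedConfig));
```

Run it before promoting a config: the weak sample reports seven findings, the hardened one none. Wired into CI, the same check stops a localhost config with a placeholder secret from reaching production, and it extends naturally with whatever plugin options a deployment turns on.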
How BetterAuth compares
The most relevant comparisons are BetterAuth vs Auth.js for the code-first library decision, Stack Auth vs BetterAuth for the OSS-Next.js-first call, and Auth0 vs BetterAuth for the library-vs-service architectural decision. For self-hosted-managed alternatives, SuperTokens, Keycloak, and Zitadel are the natural comparisons.
Editorial changelog (1 entry)
Capability matrix and pricing bands re-verified against the vendor's latest documentation and changelog.
