

Discussion summary
Better Auth is joining Vercel amid mixed opinions. Some users criticize its codebase, while others suggest building custom auth solutions or using third-party libraries.
What the discussion says
- Some users find Better Auth's codebase problematic.
- Others believe auth can be easily rolled or managed with libraries.
- Concerns about security and complexity in building auth solutions.
“Better auth is an absolute dumpster fire codebase.”
“Auth is not hard to roll yourself. Crypto: don't do it. Auth? Easy peasy.”
Comments
Hacker News
by huflungdung
by zuzululu
by lackoftactics
by slig
by byyll
by whalesalad
by esafak
by djfobbz
by nicce
by sandeepkd
I work in the auth space (for FusionAuth) and we run into plenty of folks that started out rolling auth themselves. Just username and password right? A bit of hashing, salting and leveraging a built-in crypto library.
But then you need to add account recovery. And then MFA. And then registration. And then progressive registration. And then webhook integration. And then passkeys. And then SAML integration. And the delegated SAML setup. And then and then and then.
You're distracted from your core application by feature requests for your login system.
You have lots of options nowadays. Use a library provided by your framework (Rails, Spring, and Django have them), use a tool like Better Auth, use a third party system like FusionAuth or Auth0. But don't build undifferentiated functionality that impacts your user experience.
PS Of course, where I stand depends on where I sit, but I firmly believe that you should not build an auth system the same way you should not build a database.
by mooreds
by mrcwinn
by yesidoagree
by mrcwinn
by electriclove
by ftchd
by Raed667
by hankyone
by slig
by tough
Glad I decided to roll my own auth rather then using some library. I had a feeling that eventually they will join Vercel.
by fnoef
but to me that’s less risk than our auth getting bought by somebody whose business goals don’t necessarily align with mine.
by notatoad
by Suzie121
by ebeirne
by RichardChu
by agrippanux
by __s
by customentity
Anything that makes it easier for developers to build secure applications is a win!
by mooreds
Best of luck over there!
by ndom91
Join the discussion
Write your take first — we'll ask for email only when you're ready to publish.
- Hacker News
- Better auth is an absolute dumpster fire codebase.by huflungdung
- im amused that people are still relying on third party for handling auth when you can roll your own now with LLMsby zuzululu
- It's one of those things you shouldn't trust LLMs to such an extent; that part should be very solid because the consequences of bad practices are getting to front page of hacker news :)by lackoftactics
- It's not third party, it's a library you use and you store the data. Got tired of it? Write your own, the data is there.by slig
- Sucks. Now I have to look for alternatives.by byyll
- Auth is not hard to roll yourself. Crypto: don't do it. Auth? Easy peasy.by whalesalad
- Authentication or authorization? Why do people keep conflating them?by esafak
- Correct! As a Ruby dev, I started using rodauth and never looked back! https://rodauth.jeremyevans.net/by djfobbz
- Rolling auth by yourself is very messy. Storing tokens correctly, rotating and using correct tokens, with correct parameters and so on. Endless footguns.by nicce
- Unfortunately its a common misconception, it feels easy, however auth is a lot more harder to do it right, specially when it comes to recovery. A simple example, protocol like TOTP (time based OTP) uses the concept of shared secret and almost every implementation stores the secret as it is in their databasesby sandeepkd
- Oh man, it really depends(tm). If you are building a small internal app, sure, but you'd often still be better off leveraging a social provider or employee directory.
I work in the auth space (for FusionAuth) and we run into plenty of folks that started out rolling auth themselves. Just username and password right? A bit of hashing, salting and leveraging a built-in crypto library.
But then you need to add account recovery. And then MFA. And then registration. And then progressive registration. And then webhook integration. And then passkeys. And then SAML integration. And the delegated SAML setup. And then and then and then.
You're distracted from your core application by feature requests for your login system.
You have lots of options nowadays. Use a library provided by your framework (Rails, Spring, and Django have them), use a tool like Better Auth, use a third party system like FusionAuth or Auth0. But don't build undifferentiated functionality that impacts your user experience.
PS Of course, where I stand depends on where I sit, but I firmly believe that you should not build an auth system the same way you should not build a database.
by mooreds - Keycloak is excellent.by mrcwinn
- Worse Authby yesidoagree
- I nearly considered using them recently. So glad I dodged the bullet!by mrcwinn
- Umm.. so what did you end up using?by electriclove
- Ain't nobody buying Jose, yetby ftchd
- I was wondering when that would happen, it was meant to be since the beginningby Raed667
- Hmmm so Convex support is going to take even more of a backseat I guessby hankyone
- Love better-auth, and congrats to the team!by slig
- so does anything change or will change for better-auth FOSS consumers? Or not really and that mostly depends on what Vercel imposes as new direction going forward? I guess vercel is a good home for foss projects, at worst they'll make first class adoption on their ecosystem without actively hampering others etcby tough
- Ah, here we go again.
Glad I decided to roll my own auth rather then using some library. I had a feeling that eventually they will join Vercel.
by fnoef - Yeah, we rolled our own auth as well. Everybody says you shouldn’t, it’s a risk, etc etc.
but to me that’s less risk than our auth getting bought by somebody whose business goals don’t necessarily align with mine.
by notatoad - It's not that easy to get back a scammed funds because these scammers are very smart and they will cover their traces but if you manage to find a trustworthy and reliable Recovery company because many scammers are out there disguising as Recovery agents and will only take your money without recovering your funds, I was a victim of such myself after loosing all my funds to cryptocurrency scam. I sort for a help and I met few recovery agents, I was scammed by a particular one again Luckily for me I was referred to these legitimate company and they where able to recover my money back to me. You can as well contact them on RECOVERYDAREK AT gmail DOT com for a help.by Suzie121
- This is amazing although I would really like for them to explore filling the backend gaps. An acquisition of Trigger.dev or Inngest would be the obvious move and nobody would be surprised. Thoughts?by ebeirne
- Better Auth is great, I use it for all my projects. Congrats to the team!by RichardChu
- Uggggg I just implemented Better Auth for our new product - time to start looking for backup plans. I used to be a huge Vercel fanboy but everything they have done in the last few years turns into a complicated mess.by agrippanux
- Silent execution of tremor was a pain in the ass trying to upgrade to nextjs 15 / react 19: https://github.com/tremorlabs/tremor/issues/148by __s
- Congrats to Better Auth !! I can't wait to see what happens nextby customentity
- Congrats to Better Auth. I'm in the auth space and see all kinds of things.
Anything that makes it easier for developers to build secure applications is a win!
by mooreds - Congrats! Better auth still provides a grade A dev experience, even with all the plugins, integrations, and tons of things they support.
Best of luck over there!
by ndom91
Related stories
A better way to tie gym shorts (or any drawstring) [video]
youtube.com · 505 points · 171 comments
Decoding the obfuscated bash script on a Uniqlo t-shirt
tris.sherliker.net · 1072 points · 181 comments
StreetComplete: Fixing OpenStreetMap, one tiny quest at a time
streetcomplete.app · 761 points · 182 comments
Every new car sold in the European Union must include a driver monitoring camera
allaboutcookies.org · 737 points · 969 comments
Chat Control 1.0 and 2.0 Explained
fightchatcontrol.eu · 645 points · 238 comments
Microsoft fire idTech team at Id software
gamefromscratch.com · 597 points · 533 comments