Discussion summary

Better Auth is joining Vercel amid mixed opinions. Some users criticize its codebase, while others suggest building custom auth solutions or using third-party libraries.

What the discussion says

  • Some users find Better Auth's codebase problematic.
  • Others believe auth can be easily rolled or managed with libraries.
  • Concerns about security and complexity in building auth solutions.
Better auth is an absolute dumpster fire codebase.
huflungdung
Auth is not hard to roll yourself. Crypto: don't do it. Auth? Easy peasy.
whalesalad

Comments

Hacker News

Better auth is an absolute dumpster fire codebase.

by huflungdung

im amused that people are still relying on third party for handling auth when you can roll your own now with LLMs

by zuzululu

It's one of those things you shouldn't trust LLMs to such an extent; that part should be very solid because the consequences of bad practices are getting to front page of hacker news :)

by lackoftactics

It's not third party, it's a library you use and you store the data. Got tired of it? Write your own, the data is there.

by slig

Sucks. Now I have to look for alternatives.

by byyll

Auth is not hard to roll yourself. Crypto: don't do it. Auth? Easy peasy.

by whalesalad

Authentication or authorization? Why do people keep conflating them?

by esafak

Rolling auth by yourself is very messy. Storing tokens correctly, rotating and using correct tokens, with correct parameters and so on. Endless footguns.

by nicce

Unfortunately its a common misconception, it feels easy, however auth is a lot more harder to do it right, specially when it comes to recovery. A simple example, protocol like TOTP (time based OTP) uses the concept of shared secret and almost every implementation stores the secret as it is in their databases

by sandeepkd

Oh man, it really depends(tm). If you are building a small internal app, sure, but you'd often still be better off leveraging a social provider or employee directory.

I work in the auth space (for FusionAuth) and we run into plenty of folks that started out rolling auth themselves. Just username and password right? A bit of hashing, salting and leveraging a built-in crypto library.

But then you need to add account recovery. And then MFA. And then registration. And then progressive registration. And then webhook integration. And then passkeys. And then SAML integration. And the delegated SAML setup. And then and then and then.

You're distracted from your core application by feature requests for your login system.

You have lots of options nowadays. Use a library provided by your framework (Rails, Spring, and Django have them), use a tool like Better Auth, use a third party system like FusionAuth or Auth0. But don't build undifferentiated functionality that impacts your user experience.

PS Of course, where I stand depends on where I sit, but I firmly believe that you should not build an auth system the same way you should not build a database.

by mooreds

Keycloak is excellent.

by mrcwinn

Worse Auth

by yesidoagree

I nearly considered using them recently. So glad I dodged the bullet!

by mrcwinn

Umm.. so what did you end up using?

by electriclove

Ain't nobody buying Jose, yet

by ftchd

I was wondering when that would happen, it was meant to be since the beginning

by Raed667

Hmmm so Convex support is going to take even more of a backseat I guess

by hankyone

Love better-auth, and congrats to the team!

by slig

so does anything change or will change for better-auth FOSS consumers? Or not really and that mostly depends on what Vercel imposes as new direction going forward? I guess vercel is a good home for foss projects, at worst they'll make first class adoption on their ecosystem without actively hampering others etc

by tough

Ah, here we go again.

Glad I decided to roll my own auth rather then using some library. I had a feeling that eventually they will join Vercel.

by fnoef

Yeah, we rolled our own auth as well. Everybody says you shouldn’t, it’s a risk, etc etc.

but to me that’s less risk than our auth getting bought by somebody whose business goals don’t necessarily align with mine.

by notatoad

It's not that easy to get back a scammed funds because these scammers are very smart and they will cover their traces but if you manage to find a trustworthy and reliable Recovery company because many scammers are out there disguising as Recovery agents and will only take your money without recovering your funds, I was a victim of such myself after loosing all my funds to cryptocurrency scam. I sort for a help and I met few recovery agents, I was scammed by a particular one again Luckily for me I was referred to these legitimate company and they where able to recover my money back to me. You can as well contact them on RECOVERYDAREK AT gmail DOT com for a help.

by Suzie121

This is amazing although I would really like for them to explore filling the backend gaps. An acquisition of Trigger.dev or Inngest would be the obvious move and nobody would be surprised. Thoughts?

by ebeirne

Better Auth is great, I use it for all my projects. Congrats to the team!

by RichardChu

Uggggg I just implemented Better Auth for our new product - time to start looking for backup plans. I used to be a huge Vercel fanboy but everything they have done in the last few years turns into a complicated mess.

by agrippanux

Congrats to Better Auth !! I can't wait to see what happens next

by customentity

Congrats to Better Auth. I'm in the auth space and see all kinds of things.

Anything that makes it easier for developers to build secure applications is a win!

by mooreds

Congrats! Better auth still provides a grade A dev experience, even with all the plugins, integrations, and tons of things they support.

Best of luck over there!

by ndom91

Join the discussion

Write your take first — we'll ask for email only when you're ready to publish.

  • Hacker News
  • Better auth is an absolute dumpster fire codebase.
    by huflungdung
  • im amused that people are still relying on third party for handling auth when you can roll your own now with LLMs
    by zuzululu
  • It's one of those things you shouldn't trust LLMs to such an extent; that part should be very solid because the consequences of bad practices are getting to front page of hacker news :)
    by lackoftactics
  • It's not third party, it's a library you use and you store the data. Got tired of it? Write your own, the data is there.
    by slig
  • Sucks. Now I have to look for alternatives.
    by byyll
  • Auth is not hard to roll yourself. Crypto: don't do it. Auth? Easy peasy.
    by whalesalad
  • Authentication or authorization? Why do people keep conflating them?
    by esafak
  • Correct! As a Ruby dev, I started using rodauth and never looked back! https://rodauth.jeremyevans.net/
    by djfobbz
  • Rolling auth by yourself is very messy. Storing tokens correctly, rotating and using correct tokens, with correct parameters and so on. Endless footguns.
    by nicce
  • Unfortunately its a common misconception, it feels easy, however auth is a lot more harder to do it right, specially when it comes to recovery. A simple example, protocol like TOTP (time based OTP) uses the concept of shared secret and almost every implementation stores the secret as it is in their databases
    by sandeepkd
  • Oh man, it really depends(tm). If you are building a small internal app, sure, but you'd often still be better off leveraging a social provider or employee directory.

    I work in the auth space (for FusionAuth) and we run into plenty of folks that started out rolling auth themselves. Just username and password right? A bit of hashing, salting and leveraging a built-in crypto library.

    But then you need to add account recovery. And then MFA. And then registration. And then progressive registration. And then webhook integration. And then passkeys. And then SAML integration. And the delegated SAML setup. And then and then and then.

    You're distracted from your core application by feature requests for your login system.

    You have lots of options nowadays. Use a library provided by your framework (Rails, Spring, and Django have them), use a tool like Better Auth, use a third party system like FusionAuth or Auth0. But don't build undifferentiated functionality that impacts your user experience.

    PS Of course, where I stand depends on where I sit, but I firmly believe that you should not build an auth system the same way you should not build a database.

    by mooreds
  • Keycloak is excellent.
    by mrcwinn
  • Worse Auth
    by yesidoagree
  • I nearly considered using them recently. So glad I dodged the bullet!
    by mrcwinn
  • Umm.. so what did you end up using?
    by electriclove
  • Ain't nobody buying Jose, yet
    by ftchd
  • I was wondering when that would happen, it was meant to be since the beginning
    by Raed667
  • Hmmm so Convex support is going to take even more of a backseat I guess
    by hankyone
  • Love better-auth, and congrats to the team!
    by slig
  • so does anything change or will change for better-auth FOSS consumers? Or not really and that mostly depends on what Vercel imposes as new direction going forward? I guess vercel is a good home for foss projects, at worst they'll make first class adoption on their ecosystem without actively hampering others etc
    by tough
  • Ah, here we go again.

    Glad I decided to roll my own auth rather then using some library. I had a feeling that eventually they will join Vercel.

    by fnoef
  • Yeah, we rolled our own auth as well. Everybody says you shouldn’t, it’s a risk, etc etc.

    but to me that’s less risk than our auth getting bought by somebody whose business goals don’t necessarily align with mine.

    by notatoad
  • It's not that easy to get back a scammed funds because these scammers are very smart and they will cover their traces but if you manage to find a trustworthy and reliable Recovery company because many scammers are out there disguising as Recovery agents and will only take your money without recovering your funds, I was a victim of such myself after loosing all my funds to cryptocurrency scam. I sort for a help and I met few recovery agents, I was scammed by a particular one again Luckily for me I was referred to these legitimate company and they where able to recover my money back to me. You can as well contact them on RECOVERYDAREK AT gmail DOT com for a help.
    by Suzie121
  • This is amazing although I would really like for them to explore filling the backend gaps. An acquisition of Trigger.dev or Inngest would be the obvious move and nobody would be surprised. Thoughts?
    by ebeirne
  • Better Auth is great, I use it for all my projects. Congrats to the team!
    by RichardChu
  • Uggggg I just implemented Better Auth for our new product - time to start looking for backup plans. I used to be a huge Vercel fanboy but everything they have done in the last few years turns into a complicated mess.
    by agrippanux
  • Silent execution of tremor was a pain in the ass trying to upgrade to nextjs 15 / react 19: https://github.com/tremorlabs/tremor/issues/148
    by __s
  • Congrats to Better Auth !! I can't wait to see what happens next
    by customentity
  • Congrats to Better Auth. I'm in the auth space and see all kinds of things.

    Anything that makes it easier for developers to build secure applications is a win!

    by mooreds
  • Congrats! Better auth still provides a grade A dev experience, even with all the plugins, integrations, and tons of things they support.

    Best of luck over there!

    by ndom91

Related stories