github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-24 16:11:53 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[Question] Support for external backend flow #1971

New Issue
Closed
opened 2026-03-13 09:18:01 -05:00 by GiteaMirror Ā· 11 comments
GiteaMirror commented 2026-03-13 09:18:01 -05:00
Owner
Copy Link

Originally created by @dennzimm on GitHub (Sep 19, 2025).

Hi šŸ‘‹

We are currently evaluating a migration from next-auth to better-auth and Iā€™m wondering if our use case can be implemented.

According to the docs, ā€œBetter Auth requires a database to store user data.ā€ ā€“ but in our setup we donā€™t want Better Auth to manage credentials or validate passwords internally. Instead, we already have an external backend that handles this logic.

Our current flow looks like this:

Email/password login:
1. User enters email/password
2. We call a GraphQL mutation via Apollo
3. The backend responds with { id, token }

Google login:
1. User signs in with Google
2. We send the Google token to our backend via GraphQL mutation
3. Backend validates and responds with { id, token }

Question:
ā€¢ Can Better Auth be configured to work in this way, i.e. delegating the actual login logic to our backend (via custom API calls) while still handling sessions, middleware, etc.?
ā€¢ Or is the database and internal password/social provider logic mandatory for Better Auth to function?

Thanks in advance for clarifying šŸ™

Originally created by @dennzimm on GitHub (Sep 19, 2025). Hi šŸ‘‹ We are currently evaluating a migration from next-auth to better-auth and Iā€™m wondering if our use case can be implemented. According to the docs, ā€œBetter Auth requires a database to store user data.ā€ ā€“ but in our setup we donā€™t want Better Auth to manage credentials or validate passwords internally. Instead, we already have an external backend that handles this logic. Our current flow looks like this: Email/password login: 1. User enters email/password 2. We call a GraphQL mutation via Apollo 3. The backend responds with { id, token } Google login: 1. User signs in with Google 2. We send the Google token to our backend via GraphQL mutation 3. Backend validates and responds with { id, token } Question: ā€¢ Can Better Auth be configured to work in this way, i.e. delegating the actual login logic to our backend (via custom API calls) while still handling sessions, middleware, etc.? ā€¢ Or is the database and internal password/social provider logic mandatory for Better Auth to function? Thanks in advance for clarifying šŸ™
GiteaMirror added the question label 2026-03-13 09:18:01 -05:00
GiteaMirror commented 2026-03-13 09:18:03 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Sep 19, 2025):

Hi @dennzimm! I'm Dosu and Iā€™m helping the better-auth team.

Better Auth can delegate authentication logic (like email/password or Google login) to your external backend using custom plugins and API forwarding, while still handling sessions and middleware. For example, you can use the customSession plugin to fetch session data from your backend, or configure the generic OAuth plugin to use custom endpoints and user info logic for social providers. This lets you forward login requests and session validation to your backend as needed.

However, Better Auth still requires a database for session and user data managementā€”even if you externalize credential validation. The internal adapter expects to perform CRUD operations on user/session models, and session validation relies on querying this database. Thereā€™s no supported way to run Better Auth in a fully stateless or database-less mode, and minimal user/session records will still be created and managed internallyĀ (source).

You can forward auth-related API calls from your frontend to your backend (for example, via Next.js API routes), and use Better Authā€™s session management and middleware features on top of your external authentication logicĀ (source). Just keep in mind that the database requirement is mandatory for session and user tracking, even if you donā€™t use the built-in credential or provider logic.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report šŸ› | OtherĀ Ā Chat with DosuĀ Join DiscordĀ Share on X

@dosubot[bot] commented on GitHub (Sep 19, 2025): <!-- Greeting --> Hi @dennzimm! I'm [Dosu](https://go.dosu.dev/dosubot) and Iā€™m helping the better-auth team. <!-- Answer --> Better Auth can delegate authentication logic (like email/password or Google login) to your external backend using custom plugins and API forwarding, while still handling sessions and middleware. For example, you can use the `customSession` plugin to fetch session data from your backend, or configure the generic OAuth plugin to use custom endpoints and user info logic for social providers. This lets you forward login requests and session validation to your backend as needed. However, Better Auth still requires a database for session and user data managementā€”even if you externalize credential validation. The internal adapter expects to perform CRUD operations on user/session models, and session validation relies on querying this database. Thereā€™s no supported way to run Better Auth in a fully stateless or database-less mode, and minimal user/session records will still be created and managed internallyĀ ([source](https://github.com/better-auth/better-auth/blob/57510365a393bca2f6a37e50c43571651b121978/packages/better-auth/src/adapters/adapter-factory/index.ts)). You can forward auth-related API calls from your frontend to your backend (for example, via Next.js API routes), and use Better Authā€™s session management and middleware features on top of your external authentication logicĀ ([source](https://github.com/better-auth/better-auth/issues/4044)). Just keep in mind that the database requirement is mandatory for session and user tracking, even if you donā€™t use the built-in credential or provider logic. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/6b848309-f12a-439d-aee7-a68fbc8f17a6?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/6b848309-f12a-439d-aee7-a68fbc8f17a6?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/6b848309-f12a-439d-aee7-a68fbc8f17a6?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/6b848309-f12a-439d-aee7-a68fbc8f17a6?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/6b848309-f12a-439d-aee7-a68fbc8f17a6?feedback_type=hallucination) | [Report šŸ›](https://app.dosu.dev/response-feedback/6b848309-f12a-439d-aee7-a68fbc8f17a6?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/6b848309-f12a-439d-aee7-a68fbc8f17a6?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/4771)
GiteaMirror commented 2026-03-13 09:18:05 -05:00
Author
Owner
Copy Link

@ping-maxwell commented on GitHub (Sep 19, 2025):

is the database and internal password/social provider logic mandatory for Better Auth to function?

Yeah sorry these are mandatory. For password logic we do have the ability for you to configure the hashing functions and stuff like that, but nothing to the extend of logic being ran from another service

@ping-maxwell commented on GitHub (Sep 19, 2025): > is the database and internal password/social provider logic mandatory for Better Auth to function? Yeah sorry these are mandatory. For password logic we do have the ability for you to configure the hashing functions and stuff like that, but nothing to the extend of logic being ran from another service
GiteaMirror commented 2026-03-13 09:18:06 -05:00
Author
Owner
Copy Link

@dennzimm commented on GitHub (Sep 19, 2025):

Yeah sorry these are mandatory. For password logic we do have the ability for you to configure the hashing functions and stuff like that, but nothing to the extend of logic being ran from another service

Thanks for clarifying šŸ™‚

Based on your answer, I think for our use case better-auth is not really a fit. Would you agree that in this scenario it makes more sense to stick with next-auth/Auth.js or something lighter like iron-session + arctic?

Maybe I can try out better-auth in another project where the scenario fits. ā˜ŗļø

@dennzimm commented on GitHub (Sep 19, 2025): > Yeah sorry these are mandatory. For password logic we do have the ability for you to configure the hashing functions and stuff like that, but nothing to the extend of logic being ran from another service Thanks for clarifying šŸ™‚ Based on your answer, I think for our use case better-auth is not really a fit. Would you agree that in this scenario it makes more sense to stick with next-auth/Auth.js or something lighter like iron-session + arctic? Maybe I can try out better-auth in another project where the scenario fits. ā˜ŗļø
GiteaMirror commented 2026-03-13 09:18:07 -05:00
Author
Owner
Copy Link

@ping-maxwell commented on GitHub (Sep 19, 2025):

If all you need is sessions & a way to handle oauth then yeah something lighter should do the job for you.

(FYI there are plans to support stateless auth in the future, though the password logic thing will likely remain the same)

@ping-maxwell commented on GitHub (Sep 19, 2025): If all you need is sessions & a way to handle oauth then yeah something lighter should do the job for you. (FYI there are plans to support stateless auth in the future, though the password logic thing will likely remain the same)
GiteaMirror commented 2026-03-13 09:18:07 -05:00
Author
Owner
Copy Link

@dennzimm commented on GitHub (Sep 19, 2025):

If all you need is sessions & a way to handle oauth then yeah something lighter should do the job for you.

(FYI there are plans to support stateless auth in the future, though the password logic thing will likely remain the same)

Thank you šŸ˜Š. Good to know about the future plans for stateless auth. Iā€™ll keep an eye on it.

@dennzimm commented on GitHub (Sep 19, 2025): > If all you need is sessions & a way to handle oauth then yeah something lighter should do the job for you. > > (FYI there are plans to support stateless auth in the future, though the password logic thing will likely remain the same) Thank you šŸ˜Š. Good to know about the future plans for stateless auth. Iā€™ll keep an eye on it.
GiteaMirror commented 2026-03-13 09:18:07 -05:00
Author
Owner
Copy Link

@moiseshp commented on GitHub (Oct 27, 2025):

Hello @dennzimm , Iā€™m in the same dilemma because, according to the Better Auth documentation, Auth.js has practically been left as a legacy library. In that sense, Iā€™m exploring alternatives since Iā€™m facing the same use case. Did you happen to find any alternative?

On the other hand, in the context of Next.js, I came across this library: https://github.com/vvo/iron-session.

@moiseshp commented on GitHub (Oct 27, 2025): Hello @dennzimm , Iā€™m in the same dilemma because, according to the Better Auth documentation, Auth.js has practically been left as a legacy library. In that sense, Iā€™m exploring alternatives since Iā€™m facing the same use case. Did you happen to find any alternative? On the other hand, in the context of Next.js, I came across this library: [https://github.com/vvo/iron-session](https://github.com/vvo/iron-session).
GiteaMirror commented 2026-03-13 09:18:08 -05:00
Author
Owner
Copy Link

@dennzimm commented on GitHub (Oct 28, 2025):

Hello @dennzimm , Iā€™m in the same dilemma because, according to the Better Auth documentation, Auth.js has practically been left as a legacy library. In that sense, Iā€™m exploring alternatives since Iā€™m facing the same use case. Did you happen to find any alternative?

On the other hand, in the context of Next.js, I came across this library: https://github.com/vvo/iron-session.

Hey @moiseshp šŸ™‚

I havenā€™t found a solid alternative yet. For now, weā€™re still using NextAuth v4, but I donā€™t think thatā€™s a long-term solution given its current maintenance status.

I also looked into iron-session, but Iā€™m not entirely sure how much would have to be implemented manually ā€” things like session handling, token validation, refresh logic, and other features that libraries such as Auth.js or Better Auth usually provide out of the box.

Have you tried iron-session yourself? Iā€™m curious if it actually feels like a good alternative in practice.

@dennzimm commented on GitHub (Oct 28, 2025): > Hello @dennzimm , Iā€™m in the same dilemma because, according to the Better Auth documentation, Auth.js has practically been left as a legacy library. In that sense, Iā€™m exploring alternatives since Iā€™m facing the same use case. Did you happen to find any alternative? > > On the other hand, in the context of Next.js, I came across this library: [https://github.com/vvo/iron-session](https://github.com/vvo/iron-session). > Hey @moiseshp šŸ™‚ I havenā€™t found a solid alternative yet. For now, weā€™re still using NextAuth v4, but I donā€™t think thatā€™s a long-term solution given its current maintenance status. I also looked into iron-session, but Iā€™m not entirely sure how much would have to be implemented manually ā€” things like session handling, token validation, refresh logic, and other features that libraries such as Auth.js or Better Auth usually provide out of the box. Have you tried iron-session yourself? Iā€™m curious if it actually feels like a good alternative in practice.
GiteaMirror commented 2026-03-13 09:18:08 -05:00
Author
Owner
Copy Link

@moiseshp commented on GitHub (Oct 30, 2025):

Hello @dennzimm

I havenā€™t tried it yet, but Iā€™m seriously considering using it for several reasons. One of them is that Next.js recommends or suggests it in the documentation as a valid feature for managing sessions ā€” itā€™s not an authentication library per se. Likewise, I havenā€™t found a solution similar to the Auth.js library, but Better-Auth, based on its implementation logic, doesnā€™t yet allow me to integrate it with an external backend.

@moiseshp commented on GitHub (Oct 30, 2025): Hello @dennzimm I havenā€™t tried it yet, but Iā€™m seriously considering using it for several reasons. One of them is that Next.js [recommends](https://nextjs.org/docs/app/guides/authentication#session-management) or suggests it in the documentation as a valid feature for managing sessions ā€” itā€™s not an authentication library per se. Likewise, I havenā€™t found a solution similar to the Auth.js library, but Better-Auth, based on its implementation logic, doesnā€™t yet allow me to integrate it with an external backend.
GiteaMirror commented 2026-03-13 09:18:09 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Oct 30, 2025):

Better Auth is built around the idea of owning both the authentication logic and the session management through its own database-backed approach. That means for production useā€”with proper session persistence and reliable credential handlingā€”a database connection is mandatory. Even though the package does offer some flexibility (for example, you can provide custom password verification or use social providers), there isnā€™t an outā€ofā€theā€box mode that delegates the entire login process completely to an external backend.

In your scenario, even if you write a custom credentials provider that calls your external API (and you could do that), you will still need to have Better Auth manage the resulting session data and user records in its own database. The memory adapter (which might seem like an option to avoid a database) is only recommended for development and is not safe for production environments.

So, in summary:
ā€¢ You can try to integrate with your external API via custom logic (e.g., within a credentials provider), but youā€™ll still need to hook into Better Authā€™s session and account management that relies on a database. [1][2]
ā€¢ Fully bypassing the internal authentication logic (i.e., not using the database at all) isnā€™t supported currently. [3]

For your next steps, consider:

  1. Evaluating if you can adapt your external flow into a custom provider function that calls your backend, then updates the Better Auth sessionā€”keeping in mind that you must supply a production-ready database for session persistence.
  2. Reviewing whether you might relax on having your external backend solely handle authentication, or if youā€™re amenable to a hybrid solution where Better Auth manages sessions while your backend still does credential validation via custom hooks.

This should help guide your troubleshooting and migration strategy.

Diagram ā€¢ Discord ā€¢ GitHub

Diagram Join Star

@better-auth-agent[bot] commented on GitHub (Oct 30, 2025): Better Auth is built around the idea of owning both the authentication logic and the session management through its own database-backed approach. That means for production useā€”with proper session persistence and reliable credential handlingā€”a database connection is mandatory. Even though the package does offer some flexibility (for example, you can provide custom password verification or use social providers), there isnā€™t an outā€ofā€theā€box mode that delegates the entire login process completely to an external backend. In your scenario, even if you write a custom credentials provider that calls your external API (and you could do that), you will still need to have Better Auth manage the resulting session data and user records in its own database. The memory adapter (which might seem like an option to avoid a database) is only recommended for development and is not safe for production environments. So, in summary: ā€¢ You can try to integrate with your external API via custom logic (e.g., within a credentials provider), but youā€™ll still need to hook into Better Authā€™s session and account management that relies on a database. [[1]](https://github.com/better-auth/better-auth/issues/4771)[[2]](https://github.com/better-auth/better-auth/issues/2202) ā€¢ Fully bypassing the internal authentication logic (i.e., not using the database at all) isnā€™t supported currently. [[3]](https://github.com/better-auth/better-auth/issues/1426) For your next steps, consider: 1. Evaluating if you can adapt your external flow into a custom provider function that calls your backend, then updates the Better Auth sessionā€”keeping in mind that you must supply a production-ready database for session persistence. 2. Reviewing whether you might relax on having your external backend solely handle authentication, or if youā€™re amenable to a hybrid solution where Better Auth manages sessions while your backend still does credential validation via custom hooks. This should help guide your troubleshooting and migration strategy. <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) ā€¢ [Discord](https://discord.gg/better-auth) ā€¢ [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-03-13 09:18:09 -05:00
Author
Owner
Copy Link

@CanRau commented on GitHub (Oct 30, 2025):

This has been shipped as beta https://github.com/better-auth/better-auth/issues/2202

canary docs

I'm currently trying to implement it in a project

@CanRau commented on GitHub (Oct 30, 2025): This has been shipped as beta https://github.com/better-auth/better-auth/issues/2202 [canary docs](https://canary.better-auth.com/docs/concepts/session-management#stateless-with-secondary-storage) I'm currently trying to implement it in a project
GiteaMirror commented 2026-03-13 09:18:11 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Oct 30, 2025):

Yes, you can implement your external backend flow with Better Auth now. Recent beta work has introduced support for delegating authentication to an external API (your custom GraphQL endpoints) while Better Auth continues to manage sessions and middleware. In this configuration, your external backend handles credential validation and returns an { id, token } payload, and Better Authā€”especially when using stateless mode with secondary storageā€”simply manages session logic.

Your next steps are:

  1. Upgrade to the beta/canary release that supports this flow (as noted in the recent beta announcement).
  2. Follow the canary documentation on stateless session management with secondary storage to configure Better Auth without using its internal credentials or social provider logic.
  3. Configure your custom API endpoints so that they integrate with Better Authā€™s session API accordingly.

This should allow you to use your existing external login logic alongside Better Auth's session management features [1], [2].

Diagram ā€¢ Discord ā€¢ GitHub

Diagram Join Star

@better-auth-agent[bot] commented on GitHub (Oct 30, 2025): Yes, you can implement your external backend flow with Better Auth now. Recent beta work has introduced support for delegating authentication to an external API (your custom GraphQL endpoints) while Better Auth continues to manage sessions and middleware. In this configuration, your external backend handles credential validation and returns an { id, token } payload, and Better Authā€”especially when using stateless mode with secondary storageā€”simply manages session logic. Your next steps are: 1. Upgrade to the beta/canary release that supports this flow (as noted in the recent beta announcement). 2. Follow the canary documentation on stateless session management with secondary storage to configure Better Auth without using its internal credentials or social provider logic. 3. Configure your custom API endpoints so that they integrate with Better Authā€™s session API accordingly. This should allow you to use your existing external login logic alongside Better Auth's session management features [[1]](https://github.com/better-auth/better-auth/issues/4771), [[2]](https://github.com/better-auth/better-auth/issues/2202). <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) ā€¢ [Discord](https://discord.gg/better-auth) ā€¢ [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label question
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#1971
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?