Docs

Email & Password

Email and password authentication is a common method used by many applications. Better Auth provides a built-in email and password authenticator that you can easily integrate into your project.

If you prefer username-based authentication, check out the username plugin. It extends the email and password authenticator with username support.

Enable Email and Password

To enable email and password authentication, you need to set the emailAndPassword.enabled option to true in the auth configuration.

auth.ts
import { betterAuth } from "better-auth";
 
export const auth = betterAuth({
  emailAndPassword: { 
    enabled: true, 
  }, 
});

If it's not enabled, it'll not allow you to sign in or sign up with email and password.

Usage

Sign Up

To sign a user up, you can use the signUp.email function provided by the client. The signUp function takes an object with the following properties:

  • email: The email address of the user.
  • password: The password of the user. It should be at least 8 characters long and max 32 by default.
  • name: The name of the user.
  • image: The image of the user. (optional)
auth-client.ts
const { data, error } = await authClient.signUp.email({
  email: "[email protected]",
  password: "password1234",
  name: "test",
  image: "https://example.com/image.png",
});

Sign In

To sign a user in, you can use the signIn.email function provided by the client. The signIn function takes an object with the following properties:

  • email: The email address of the user.
  • password: The password of the user.
  • rememberMe: If false, the user will be signed out when the browser is closed. (optional) (default: true)
  • callbackURL: The URL to redirect to after the user signs in. (optional)
auth-client.ts
const { data, error } = await authClient.signIn.email({
  email: "[email protected]",
  password: "password1234",
});

Sign Out

To sign a user out, you can use the signOut function provided by the client.

auth-client.ts
await authClient.signOut();

you can pass fetchOptions to redirect onSuccess

auth-client.ts
await authClient.signOut({
  fetchOptions: {
    onSuccess: () => {
      router.push("/login"); // redirect to login page
    },
  },
});

Email Verification

To enable email verification, you need to pass a function that sends a verification email with a link. The sendVerificationEmail function takes a data object with the following properties:

  • user: The user object.
  • url: The url to send to the user which contains the token.
  • token: A verification token used to complete the email verification.

and a request object as the second parameter.

auth.ts
import { betterAuth } from "better-auth";
import { sendEmail } from "./email"; // your email sending function
 
export const auth = betterAuth({
  emailVerification: {
    sendVerificationEmail: async ( { user, url, token }, request) => {
      await sendEmail({
        to: user.email,
        subject: "Verify your email address",
        text: `Click the link to verify your email: ${url}`,
      });
    },
  },
});

On the client side you can use sendVerificationEmail function to send verification link to user. This will trigger the sendVerificationEmail function you provided in the auth configuration.

Once the user clicks on the link in the email, if the token is valid, the user will be redirected to the URL provided in the callbackURL parameter. If the token is invalid, the user will be redirected to the URL provided in the callbackURL parameter with an error message in the query string ?error=invalid_token.

Require Email Verification

If you enable require email verification, users must verify their email before they can log in. And every time a user tries to sign in, sendVerificationEmail is called.

This only works if you have sendVerificationEmail implemented and if the user is trying to sign in with email and password.

auth.ts
export const auth = betterAuth({
  emailAndPassword: {
    requireEmailVerification: true,
  },
});

If a user tries to sign in without verifying their email, you can handle the error and show a message to the user.

auth-client.ts
await authClient.signIn.emailAndPassword(
  {
    email: "[email protected]",
    password: "password",
  },
  {
    onError: (ctx) => {
      // Handle the error
      if (ctx.error.status === 403) {
        alert("Please verify your email address");
      }
      //you can also show the original error message
      alert(ctx.error.message);
    },
  }
);

Triggering manually Email Verification

You can trigger the email verification manually by calling the sendVerificationEmail function.

await authClient.sendVerificationEmail({
  email: "[email protected]",
  callbackURL: "/", // The redirect URL after verification
});

Forget Password

To allow users to reset a password first you need to provide sendResetPassword function to the email and password authenticator. The sendResetPassword function takes a data object with the following properties:

  • user: The user object.
  • url: The url to send to the user which contains the token.
  • token: A verification token used to complete the password reset.

and a request object as the second parameter.

auth.ts
import { betterAuth } from "better-auth";
import { sendEmail } from "./email"; // your email sending function
 
export const auth = betterAuth({
  emailAndPassword: {
    enabled: true,
    sendResetPassword: async ({user, url, token}, request) => {
      await sendEmail({
        to: user.email,
        subject: "Reset your password",
        text: `Click the link to reset your password: ${url}`,
      });
    },
  },
});

Once you configured your server you can call forgetPassword function to send reset password link to user. If the user exists, it will trigger the sendResetPassword function you provided in the auth config.

It takes an object with the following properties:

  • email: The email address of the user.
  • redirectTo: The URL to redirect to after the user clicks on the link in the email. If the token is valid, the user will be redirected to this URL with the token in the query string. If the token is invalid, the user will be redirected to this URL with an error message in the query string ?error=invalid_token.
auth-client.ts
const { data, error } = await authClient.forgetPassword({
  email: "[email protected]",
  redirectTo: "/reset-password",
});

When a user clicks on the link in the email, they will be redirected to the reset password page. You can add the reset password page to your app. Then you can use resetPassword function to reset the password. It takes an object with the following properties:

  • newPassword: The new password of the user.
auth-client.ts
const { data, error } = await authClient.resetPassword({
  newPassword: "password1234",
});

Configuration

Password

Better Auth stores passwords inside the account table with providerId set to credential.

Password Hashing: Better Auth uses scrypt to hash passwords. The scrypt algorithm is designed to be slow and memory-intensive to make it difficult for attackers to brute force passwords. OWSAP recommends using scrypt if argon2id is not available. We decided to use scrypt because it's natively supported by Node.js.

You can pass custom password hashing algorithm by setting passwordHasher option in the auth configuration.

auth.ts
import { betterAuth } from "better-auth"
import { scrypt } from "scrypt"
 
export const auth = betterAuth({
    //...rest of the options
    emailAndPassword: {
        password: {
            hash: // your custom password hashing function
            verify: // your custom password verification function
        }
    }
})
PropTypeDefault
enabled
boolean
false
minPasswordLength
number
8
maxPasswordLength
number
32
sendResetPassword
function
-
password
object
-
Edit on GitHub

On this page