ARCHE
FamiliesDocsExamplesBlogGitHub ↗
Documentation

Start

  • Getting started
  • Philosophy

Guides

  • First hour
  • Agent context
  • Verification
  • Package managers
  • Scaffold lifecycle
  • Showcase & portfolio

Walkthroughs

  • TypeScript fullstack
  • Convex product
  • Rust API & fullstack
  • Solana family
  • Customize & experiments
  • Automation (JSON/MCP)

CLI

  • Overview
  • Flags
  • Subcommands
  • Generated output

Presets

  • Preset catalog

Stack

  • TypeScript architecture
  • Convex
  • Rust
  • Solana
  • Authentication
  • Prisma store
  • tRPC

Operations

  • Deployment
  • Environment variables
  • Workers & queues
  • CI & testing
  • Scaling
  • Security
  • Troubleshooting

Reference

  • Stack links
  • Capabilities
  • This source repo
  • Code examples
← Documentation

Authentication

Better Auth in packages/auth and how web + server share sessions.

1 min read

The TypeScript fullstack preset uses Better Auth—sessions, plugins, and env validation wired the same way on Express and Next.js.

Session flow

Loading diagram…

Layout

PiecePath
Server auth instancepackages/auth (consumed by apps/server)
HTTP routesapps/server mounts Better Auth under /api/auth/*
Web clientapps/web uses the shared client helpers from packages/auth

Environment variables

Generated .env.example files document the required URLs and secrets. Typical production set:

  • BETTER_AUTH_SECRET
  • BETTER_AUTH_URL (API public URL)
  • FRONTEND_URL (web origin for CORS/cookies)

See the template repo deployment env matrix — paths may differ if your remote URL changes.

Rust presets

rust-fullstack documents a Clerk/JWT boundary instead of Better Auth in-process. TypeScript auth docs do not automatically apply—read generated AGENTS.md for the Rust route.

Security notes

  • Validate env at boot (packages/backend-common)
  • Keep cookies/session config aligned between web and API hosts
  • Do not expose admin routes without procedure-level auth checks

Related: Security