Docs

Email & Password

Email and password authentication is a common method used by many applications. Better Auth provides a built-in email and password authenticator that you can easily integrate into your project.

If you prefer username-based authentication, check out the username plugin. It extends the email and password authenticator with username support.

Enable Email and Password

To enable email and password authentication, you need to set the emailAndPassword.enabled option to true in the auth configuration.

auth.ts
import { betterAuth } from "better-auth";
 
export const auth = betterAuth({
  emailAndPassword: {

    enabled: true, 
  }, 
});

If it's not enabled, it'll not allow you to sign in or sign up with email and password.

Usage

Signup

To signup a user, you can use the signUp.email function provided by the client. The signUp function takes an object with the following properties:

  • email: The email address of the user.
  • password: The password of the user. It should be at least 8 characters long and max 32 by default.
  • name: The name of the user.
  • image: The image of the user. (optional)
  • callbackURL: The url to redirect to after the user has signed up. (optional)
  • dontRememberMe: If true, the user will be signed out when the browser session is closed. (optional)
client.ts
const { data, error } = await authClient.signUp.email({
  email: "test@example.com",
  password: "password1234",
  name: "test",
  image: "https://example.com/image.png",
  callbackURL: "/",
});

Signin

To signin a user, you can use the signIn.email function provided by the client. The signIn function takes an object with the following properties:

  • email: The email address of the user.
  • password: The password of the user.
  • callbackURL: The url to redirect to after the user has signed in. (optional)
  • dontRememberMe: If true, the user will be signed out when the browser is closed. (optional)
client.ts
const { data, error } = await authClient.signIn.email({
  email: "test@example.com",
  password: "password1234",
  callbackURL: "/",
});

Signout

To signout a user, you can use the signOut function provided by the client.

client.ts
await client.signOut();

Email Verification

To enable email verification, you need to pass a function that sends a verification email with a link. The sendVerificationEmail function takes an object with the following properties:

  • user: The user object.
  • url: The url to send to the user which contains the token.
  • token: A verification token used to complete the email verification.
auth.ts
import { betterAuth } from "better-auth";
import { sendEmail } from "./email"; // your email sending function
 
export const auth = betterAuth({
  emailVerification: {
    sendVerificationEmail: async (user, url, token) => {
      await sendEmail({
        to: user.email,
        subject: "Verify your email address",
        text: `Click the link to verify your email: ${url}`,
      });
    },
  },
});

On the client side you can use sendVerificationEmail function to send verification link to user. This will trigger the sendVerificationEmail function you provided in the auth configuration.

Once the user clicks on the link in the email, if the token is valid, the user will be redirected to the URL provided in the callbackURL parameter. If the token is invalid, the user will be redirected to the URL provided in the callbackURL parameter with an error message in the query string ?error=invalid_token.

Require Email Verification

If you enable require email verification, users must verify their email before they can log in. And every time a user tries to sign in, sendVerificationEmail is called.

This only works if you have sendVerificationEmail implemented and if the user is trying to sign in with email and password.

auth.ts
export const auth = betterAuth({
  emailAndPassword: {
    requireEmailVerification: true,
  },
});

If a user tries to sign in without verifying their email, you can handle the error and show a message to the user.

client.ts
await authClient.signIn.emailAndPassword(
  {
    email: "email@example.com",
    password: "password",
  },
  {
    onError: (ctx) => {
      // Handle the error
      if (ctx.error.status === 403) {
        alert("Please verify your email address");
      }
      //you can also show the original error message
      alert(ctx.error.message);
    },
  }
);

Triggering manually Email Verification

You can trigger the email verification manually by calling the sendVerificationEmail function.

await authClient.sendVerificationEmail({
  email: "user@email.com",
  callbackURL: "/", // The redirect URL after verification
});

Forget Password

To allow users to reset a password first you need to provide sendResetPassword function to the email and password authenticator. The sendResetPassword function takes an object with the following properties:

  • user: The user object.
  • url: The url to send to the user which contains the token.
  • token: A verification token used to complete the password reset.
auth.ts
import { betterAuth } from "better-auth";
import { sendEmail } from "./email"; // your email sending function
 
export const auth = betterAuth({
  emailAndPassword: {
    enabled: true,
    sendResetPassword: async (user, url, token) => {
      await sendEmail({
        to: user.email,
        subject: "Reset your password",
        text: `Click the link to reset your password: ${url}`,
      });
    },
  },
});

Once you configured your server you can call forgetPassword function to send reset password link to user. If the user exists, it will trigger the sendResetPassword function you provided intheauth` configuration.

It takes an object with the following properties:

  • email: The email address of the user.
  • redirectTo: The URL to redirect to after the user clicks on the link in the email. If the token is valid, the user will be redirected to this URL with the token in the query string. If the token is invalid, the user will be redirected to this URL with an error message in the query string ?error=invalid_token.
client.ts
const { data, error } = await client.forgetPassword({
  email: "test@example.com",
  redirectTo: "/reset-password",
});

When user click on the link in the email he will be redirected to the reset password page. You can add the reset password page to your app. Then you can use resetPassword function to reset the password. It takes an object with the following properties:

  • newPassword: The new password of the user.
client.ts
const { data, error } = await client.resetPassword({
  newPassword: "password1234",
});

Configuration

Password

Better Auth stores passwords inside the account table with providerId set to credential.

Password Hashing: Better Auth uses scrypt to hash passwords. The scrypt algorithm is designed to be slow and memory-intensive to make it difficult for attackers to brute force passwords. OWSAP recommends using scrypt if argon2id is not available. We decided to use scrypt because it's natively supported by Node.js.

You can pass custom password hashing algothim by setting passwordHasher option in the auth configuration.

auth.ts
import { betterAuth } from "better-auth"
import { scrypt } from "scrypt"
 
export const auth = betterAuth({
    //...rest of the options
    emailAndPassword: {
        password: {
            hash: // your custom password hashing function
            verify: // your custom password verification function
        }
    }
})
PropTypeDefault
enabled
boolean
-
minPasswordLength
number
8
maxPasswordLength
number
32
sendResetPassword
function
-
sendVerificationEmail
function
-
password
object
-

On this page

Enable Email and Password
Usage
Signup
Signin
Signout
Email Verification
Require Email Verification
Triggering manually Email Verification
Forget Password
Configuration
Edit on GitHub