---
description: Better Auth conventions
globs: ["**/auth.ts", "**/auth-client.ts", "**/api/auth/**"]
alwaysApply: false
---

- One server instance: `export const auth = betterAuth({ … })` in `lib/auth.ts`. Server-only — never import it into client code.
- Secrets from env (`BETTER_AUTH_SECRET`, `BETTER_AUTH_URL`); never hardcode them.
- Persist via a database adapter (`drizzleAdapter` / `prismaAdapter`) matching your DB. Generate the schema with `npx @better-auth/cli generate`, then apply it with your migration tool — don't hand-edit auth tables.
- Mount once: Next App Router `app/api/auth/[...all]/route.ts` → `toNextJsHandler(auth)`.
- Client: `createAuthClient()` from `better-auth/react`; for every server plugin add its matching client plugin.
- In Next, `nextCookies()` must be the **last** plugin so server actions set cookies.
- Read sessions server-side with `auth.api.getSession({ headers: await headers() })` — pass headers; don't parse cookies by hand.
- Add features (twoFactor, passkey, organization, magicLink, admin) via official plugins rather than rolling your own.
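The env, plugin-order and client-plugin rules above can be enforced at startup or in a unit test. The following is an added example, not code from the Better Auth project; it models plugins only by their `id` field and assumes the id strings `"next-cookies"`, `"two-factor"` and `"organization"` for illustration.

```typescript
// Added example: startup checks for the Better Auth conventions above.
// Plugins are modelled by their `id` only; the id strings are assumed.
type PluginLike = { id: string };

// Secrets must come from the environment and must not be placeholders.
export function checkAuthEnv(env: Record<string, string | undefined>): string[] {
  const problems: string[] = [];
  for (const key of ["BETTER_AUTH_SECRET", "BETTER_AUTH_URL"] as const) {
    const value = env[key];
    if (!value || value.trim() === "") problems.push(`${key} is not set`);
  }
  // A short or well-known placeholder secret is as bad as a hardcoded one.
  const secret = env.BETTER_AUTH_SECRET ?? "";
  if (secret && (secret.length < 32 || /^(changeme|secret|password)/i.test(secret))) {
    problems.push("BETTER_AUTH_SECRET looks like a placeholder or is shorter than 32 chars");
  }
  return problems;
}

// nextCookies() must be the last plugin, otherwise cookies set from
// server actions are not applied.
export function checkNextCookiesLast(plugins: PluginLike[], nextCookiesId = "next-cookies"): string[] {
  const idx = plugins.findIndex((p) => p.id === nextCookiesId);
  if (idx === -1) return [`${nextCookiesId} plugin is missing`];
  if (idx !== plugins.length - 1) {
    return [`${nextCookiesId} must be last, found at position ${idx} of ${plugins.length - 1}`];
  }
  return [];
}

// Every server plugin needs its matching client plugin; nextCookies is server-only.
export function missingClientPlugins(
  server: PluginLike[], client: PluginLike[], serverOnly: string[] = ["next-cookies"],
): string[] {
  const clientIds = new Set(client.map((p) => p.id));
  return server.map((p) => p.id).filter((id) => !serverOnly.includes(id) && !clientIds.has(id));
}

// Constructed sample inputs: misordered server plugins, an incomplete client
// plugin list and a placeholder secret.
export const sampleServerPlugins: PluginLike[] = [
  { id: "next-cookies" }, { id: "two-factor" }, { id: "organization" },
];
export const sampleClientPlugins: PluginLike[] = [{ id: "two-factor" }];
export const sampleEnv = { BETTER_AUTH_SECRET: "changeme", BETTER_AUTH_URL: "http://localhost:3000" };
```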