# AGENTS.md — Better Auth

## Setup

- One server instance: `export const auth = betterAuth({ … })` in `lib/auth.ts` (server-only).
- Secrets from env: `BETTER_AUTH_SECRET`, `BETTER_AUTH_URL`.
- Persist via a database adapter (`drizzleAdapter` / `prismaAdapter`); generate schema with `npx @better-auth/cli generate`.

## Conventions

- Mount the handler once (Next App Router: `app/api/auth/[...all]/route.ts` → `toNextJsHandler(auth)`).
- Client via `createAuthClient()` from `better-auth/react`; mirror each server plugin with its client plugin.
- In Next, `nextCookies()` is the **last** plugin.
- Server session: `auth.api.getSession({ headers: await headers() })`.
- Add features through official plugins (twoFactor, passkey, organization, magicLink, admin).

## Banned

- Importing the server `auth` instance into client bundles.
- Hardcoded secrets instead of env.
- Manually parsing the session cookie instead of `auth.api.getSession`.
- `nextCookies()` not placed last; hand-edited auth tables.
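
One way to enforce three of the banned items in CI, as an added example that is not part of this file or of the Better Auth project: a heuristic check (regex and bracket counting, not a parser) for the server `auth` import in a `"use client"` file, string-literal secrets, and `nextCookies()` not placed last. The `lib/auth` import-path pattern, the `secret`-suffixed key pattern, the `lib/auth-client` path and the sample sources are assumptions constructed for illustration.

```typescript
// Added example: heuristic lint for three "Banned" rules (not project code).
type AuthSource = { path: string; src: string };
type Finding = { path: string; rule: string };

const USE_CLIENT = /^\s*["']use client["']/;
// Assumption: the server instance is imported from a path ending in lib/auth.
const SERVER_AUTH_IMPORT = /from\s+["'](?:@\/|(?:\.\.?\/)+)(?:[\w-]+\/)*lib\/auth["']/;
// Assumption: a hardcoded secret appears as a "...secret:" key with a string literal.
const HARDCODED_SECRET = /\b\w*secret\s*:\s*["'`]/i;

// Split the array literal opening at src[open] into its top-level elements.
// Brackets inside string literals are not handled (heuristic).
function topLevelItems(src: string, open: number): string[] {
  const items: string[] = [];
  let depth = 0, start = open + 1;
  for (let i = open; i < src.length; i++) {
    const c = src.charAt(i);
    if ("([{".indexOf(c) !== -1) depth++;
    else if (")]}".indexOf(c) !== -1) {
      if (--depth === 0) { items.push(src.slice(start, i)); break; }
    } else if (c === "," && depth === 1) { items.push(src.slice(start, i)); start = i + 1; }
  }
  return items.map((s) => s.trim()).filter((s) => s.length > 0);
}

function lintAuthRules(files: AuthSource[]): Finding[] {
  const findings: Finding[] = [];
  for (const { path, src } of files) {
    if (USE_CLIENT.test(src) && SERVER_AUTH_IMPORT.test(src))
      findings.push({ path, rule: "server-auth-in-client" });
    if (HARDCODED_SECRET.test(src)) findings.push({ path, rule: "hardcoded-secret" });
    const at = src.search(/plugins\s*:\s*\[/);
    if (at === -1) continue;
    const items = topLevelItems(src, src.indexOf("[", at));
    const idx = items.map((p) => p.indexOf("nextCookies(") === 0).indexOf(true);
    if (idx !== -1 && idx !== items.length - 1)
      findings.push({ path, rule: "nextCookies-not-last" });
  }
  return findings;
}

// Constructed sample sources (not from a real project).
const BAD: AuthSource[] = [
  { path: "lib/auth.ts", src: 'export const auth = betterAuth({ secret: "constructed-placeholder", plugins: [nextCookies(), twoFactor()] });' },
  { path: "components/nav.tsx", src: '"use client";\nimport { auth } from "@/lib/auth";' },
];
const GOOD: AuthSource[] = [
  { path: "lib/auth.ts", src: "export const auth = betterAuth({ secret: process.env.BETTER_AUTH_SECRET, plugins: [twoFactor(), nextCookies()] });" },
  { path: "components/nav.tsx", src: '"use client";\nimport { authClient } from "@/lib/auth-client";' },
];
```

Feed `lintAuthRules` the contents of the repository's `.ts`/`.tsx` files and fail the build on any finding; treat a clean result as a floor, since the regexes miss aliased imports and computed keys.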