Authentication

Configure Better Auth, social login, and role-based access control

LaunchSaaS uses Better Auth for authentication, providing a flexible and secure system with multiple authentication methods, session management, and role-based access control.

Setup

1. Generate Better Auth Secret

The BETTER_AUTH_SECRET is a random string used for encryption and generating hashes. Generate one using VictoryHub or run:

openssl rand -base64 32

Add it to your .env file:

BETTER_AUTH_SECRET="your-generated-secret-key"

2. Enable Magic Link (Optional)

To enable passwordless magic link authentication:

NEXT_PUBLIC_MAGIC_LINK_ENABLED=true

Magic link requires email configuration. See the Email Setup guide.

3. Configure GitHub OAuth (Optional)

  1. Go to GitHub Developer Settings
  2. Click on "OAuth Apps" → "New OAuth App"
  3. Fill in the registration form:
    • Application name: Your app name
    • Homepage URL: http://localhost:3000 (or your production URL)
    • Authorization callback URL: http://localhost:3000/api/auth/callback/github
  4. Click "Register application"
  5. Generate a client secret
  6. Add to your .env file:
NEXT_PUBLIC_GITHUB_CLIENT_ID="your-client-id"
GITHUB_CLIENT_SECRET="your-client-secret"

Create separate OAuth apps for development and production environments. They require different callback URLs.

4. Configure Google OAuth (Optional)

  1. Go to Google Cloud Console
  2. Create a new project or select an existing one
  3. Go to Credentials → Create Credentials → OAuth client ID
  4. Configure OAuth consent screen if prompted
  5. Create OAuth Client ID:
    • Application type: Web application
    • Authorized JavaScript origins: http://localhost:3000
    • Authorized redirect URIs: http://localhost:3000/api/auth/callback/google
  6. Add to your .env file:
NEXT_PUBLIC_GOOGLE_CLIENT_ID="your-client-id.apps.googleusercontent.com"
GOOGLE_CLIENT_SECRET="your-client-secret"

If you are setting up the environment, you can now go back to the Environment Setup guide and continue.

Features

LaunchSaaS authentication includes:

  • Email/Password - Traditional signup and login with email verification
  • Social Login - Google and GitHub OAuth
  • Magic Links - Passwordless authentication
  • Password Reset - Secure password recovery
  • Session Management - Server-side session handling
  • Role-Based Access - User and admin roles
  • Stripe Integration - Automatic customer creation

User Roles

User Role

Default role for all registered users. Has access to:

  • User dashboard (/dashboard)
  • Profile management
  • Subscription management

Admin Role

Elevated privileges for administrators. Has access to:

  • Admin panel (/admin)
  • User management
  • All user features

Production Checklist

Before going to production, ensure:

  • BETTER_AUTH_SECRET is a strong, unique secret
  • NEXT_PUBLIC_APP_URL is set to your production domain
  • Social OAuth apps are configured with production callback URLs
  • Email service is configured and domain verified
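
The checklist items that live in .env can be verified mechanically before a deploy. The Node.js script below is an added example, not part of LaunchSaaS or Better Auth; `parseEnv`, `auditEnv` and `expectedCallbacks` are hypothetical helper names. It assumes the secret was generated with the `openssl rand -base64 32` command above, and it treats a non-https app URL as a failure, which is this example's own assumption.

```javascript
// Added example (not LaunchSaaS code): audit .env text before deploying.
const PLACEHOLDERS = new Set(["", "your-generated-secret-key", "your-client-secret"]);
const PROVIDERS = { github: "GITHUB", google: "GOOGLE" };

// Minimal KEY="value" parser; lines that are not assignments are skipped.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$/);
    if (m) env[m[1]] = m[2].replace(/^(["'])(.*)\1$/, "$2");
  }
  return env;
}

function auditEnv(env) {
  const findings = [];
  const secret = env.BETTER_AUTH_SECRET || "";
  // Assumes the page's `openssl rand -base64 32` format: 32 decoded bytes.
  if (PLACEHOLDERS.has(secret) || Buffer.from(secret, "base64").length < 32)
    findings.push("BETTER_AUTH_SECRET is a placeholder or under 32 bytes");
  let url = null;
  try { url = new URL(env.NEXT_PUBLIC_APP_URL); } catch { /* unset or malformed */ }
  const local = url && ["localhost", "127.0.0.1"].includes(url.hostname);
  // Requiring https is this example's assumption, not a rule from the page.
  if (!url || local || url.protocol !== "https:")
    findings.push("NEXT_PUBLIC_APP_URL is not an https production origin");
  for (const key of Object.keys(env)) {
    // Next.js inlines NEXT_PUBLIC_* values into the browser bundle.
    if (key.startsWith("NEXT_PUBLIC_") && key.includes("SECRET"))
      findings.push(`${key} exposes a secret to the browser`);
  }
  for (const prefix of Object.values(PROVIDERS)) {
    const enabled = env[`NEXT_PUBLIC_${prefix}_CLIENT_ID`];
    if (enabled && PLACEHOLDERS.has(env[`${prefix}_CLIENT_SECRET`] || ""))
      findings.push(`${prefix}_CLIENT_SECRET is missing or a placeholder`);
  }
  return findings;
}
// Callback URLs to register in each provider's production OAuth app.
function expectedCallbacks(env) {
  const origin = new URL(env.NEXT_PUBLIC_APP_URL).origin;
  return Object.keys(PROVIDERS)
    .filter((p) => env[`NEXT_PUBLIC_${PROVIDERS[p]}_CLIENT_ID`])
    .map((p) => `${origin}/api/auth/callback/${p}`);
}
// Constructed sample: the development placeholders shown on this page.
const DEV_ENV = parseEnv(`BETTER_AUTH_SECRET="your-generated-secret-key"
NEXT_PUBLIC_APP_URL=http://localhost:3000`);
console.log(auditEnv(DEV_ENV));
```

An empty result from `auditEnv` means the .env items pass; `expectedCallbacks` lists the URLs that must match what is registered in the production GitHub and Google OAuth apps.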
