Configuration
Better Auth config
The Better Auth config file (config/better-auth.ts) is the central place for configuring authentication behaviour. It is a factory function that returns a configured Better Auth instance so Strapi can initialise it after the plugin system is ready.
import { betterAuth } from 'better-auth';
import { strapiAdapter } from '@strapi-community/plugin-better-auth';
const auth = () =>
betterAuth({
database: strapiAdapter(),
trustedOrigins: ['http://localhost:3000'],
advanced: {
database: {
generateId: 'serial',
},
},
emailAndPassword: {
enabled: true,
},
});
export default auth;
Required options
The following options are fixed and must not be changed:
advanced.database.generateId: 'serial'— Tells Better Auth to use auto-incremented integer IDs, which aligns with Strapi's default ID strategy. Changing this will break the Strapi adapter.
Accessing the Better Auth instance
The configured Better Auth instance is stored on Strapi's internal config and can be accessed anywhere in your Strapi code:
const auth = strapi.internal_config['better-auth'];
Trusted origins
Better Auth protects against CSRF attacks by validating that requests come from a known origin. In a typical Strapi setup, your front-end app runs on a different origin than Strapi (e.g. http://localhost:3000 vs http://localhost:1337). Without listing your front-end URL in trustedOrigins, Better Auth will reject those cross-origin requests.
Add the URL of your front-end to trustedOrigins:
const auth = () =>
betterAuth({
// ...
trustedOrigins: ['http://localhost:3000'],
});
In production set this to the public URL of your deployed front-end. Multiple origins can be listed if needed.
Base path
By default, Better Auth exposes its endpoints under /api/auth. If you need to change this — for example to avoid a conflict with an existing route or to match a client SDK configured with a custom path — set basePath in the Better Auth config:
const auth = () =>
betterAuth({
// ...
basePath: '/api/better-auth',
});
The path must start with the API prefix (default /api). If you have customized api.rest.prefix in your Strapi config, make sure the basePath starts with that prefix instead.
Cookie settings
In production you typically want secure, cross-site cookies. Set the defaultCookieAttributes option based on your environment:
const auth = () =>
betterAuth({
// ...
trustedOrigins: ['http://localhost:3000'],
advanced: {
database: {
generateId: 'serial',
},
defaultCookieAttributes: {
secure: process.env.NODE_ENV === 'production',
sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
},
},
});
This is required when your front-end and Strapi are on different origins (e.g. a separate Vercel deployment talking to Strapi Cloud).
Environment variables
Set the following in your .env file:
# Required in production — used to sign sessions
BETTER_AUTH_SECRET=your-secret-here
# The public URL your Strapi instance is reachable at
BETTER_AUTH_URL=http://localhost:1337
Pass them to the config:
import { betterAuth } from 'better-auth';
import { strapiAdapter } from '@strapi-community/plugin-better-auth';
const auth = () =>
betterAuth({
database: strapiAdapter(),
secret: process.env.BETTER_AUTH_SECRET,
baseURL: process.env.BETTER_AUTH_URL,
trustedOrigins: ['http://localhost:3000'],
advanced: {
database: {
generateId: 'serial',
},
},
});
export default auth;