Ragnarock
Security

Passwords, two-factor authentication, and session management.

Manage these settings at /account/security. Authentication is powered by Better Auth, with optional TOTP 2FA, email OTP, and OAuth account linking.

Password sign-in

  • A minimum password length is enforced by Better Auth's email/password authentication (minPasswordLength, default 8). Better Auth adds no other complexity rule, so raise the minimum if your policy requires it.
  • The forgot-password flow (/forgot-password in the app) sends a reset link via the mailer.
  • When requireEmailVerification is enabled, the email address must be verified before sign-in succeeds.

Enable two-factor authentication (2FA)

Go to Account → Security.
Enable Two-factor authentication.
Scan the QR code with an authenticator app (Google Authenticator, 1Password, etc.).
Enter the current TOTP code to confirm. 2FA is only active once a valid code has been accepted.

Download and store the backup codes offline; they are the only way back in if you lose the authenticator device.

The backend uses Better Auth's twoFactor plugin; backup codes are stored encrypted in Postgres.
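As an added example, not Better Auth's code and not this project's, here is what the enrolment and confirmation steps above do at the protocol level: TOTP generation and windowed verification per RFC 6238, the otpauth URI that the QR code encodes, and single-use backup codes. The function names, the 40-bit backup-code format, and storing backup codes hashed (rather than encrypted, as the project does) are this example's choices. The key used in the checks is the RFC 4226/6238 test key, so the expected codes are the RFC's own test vectors.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// RFC 4648 base32 without padding, the form authenticator apps expect in otpauth URIs.
export function base32Encode(buf: Buffer): string {
  let bits = 0;
  let value = 0;
  let out = "";
  for (const byte of buf) {
    value = (value << 8) | byte;
    bits += 8;
    while (bits >= 5) {
      out += BASE32[(value >>> (bits - 5)) & 31];
      bits -= 5;
    }
  }
  if (bits > 0) out += BASE32[(value << (5 - bits)) & 31];
  return out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated.
function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  return (bin % 10 ** digits).toString().padStart(digits, "0");
}

// TOTP (RFC 6238): HOTP keyed on the 30-second time step.
export function totp(secret: Buffer, unixSeconds: number, step = 30): string {
  return hotp(secret, Math.floor(unixSeconds / step));
}

// Accept the current step plus `window` steps either side to absorb clock drift, comparing in
// constant time. The caller must separately refuse a code already accepted for this step (replay);
// that needs persistent state and is out of scope here.
export function verifyTotp(secret: Buffer, code: string, unixSeconds: number, window = 1): boolean {
  const counter = Math.floor(unixSeconds / 30);
  const given = Buffer.from(code);
  let ok = false;
  for (let i = -window; i <= window; i++) {
    const expected = Buffer.from(hotp(secret, counter + i));
    if (expected.length === given.length && timingSafeEqual(expected, given)) ok = true;
  }
  return ok;
}

// The provisioning URI encoded into the QR code shown at enrolment.
export function otpauthUri(issuer: string, account: string, secret: Buffer): string {
  const label = encodeURIComponent(`${issuer}:${account}`);
  const params = `secret=${base32Encode(secret)}&issuer=${encodeURIComponent(issuer)}&algorithm=SHA1&digits=6&period=30`;
  return `otpauth://totp/${label}?${params}`;
}

// Backup codes: random, shown once, stored hashed, each usable exactly once.
// Unsalted SHA-256 is acceptable only because each code carries 40 random bits (this example's
// format); it is not a substitute for a password hash on user-chosen secrets.
function hashBackupCode(code: string): string {
  return createHash("sha256").update(code.trim().toLowerCase()).digest("hex");
}

export function generateBackupCodes(count = 10): { plaintext: string[]; hashed: string[] } {
  const plaintext = Array.from({ length: count }, () => randomBytes(5).toString("hex"));
  return { plaintext, hashed: plaintext.map(hashBackupCode) };
}

// Returns the remaining hashes with the matched one removed, or null if no code matched.
export function consumeBackupCode(storedHashes: string[], presented: string): string[] | null {
  const target = Buffer.from(hashBackupCode(presented), "hex");
  const idx = storedHashes.findIndex((h) => timingSafeEqual(Buffer.from(h, "hex"), target));
  if (idx === -1) return null;
  return storedHashes.filter((_, i) => i !== idx);
}
```

Enrolment is: generate a random 20-byte secret, show otpauthUri(...) as a QR code, and only persist the secret as active once verifyTotp accepts the user's first code. The verification window of one step means a code stays valid for up to 90 seconds, which is why a per-step replay check matters.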

OAuth accounts

Google and GitHub sign-in link to the same user through account linking (trustedProviders: google, github, credential), so you can sign in with OAuth while keeping email/password recovery, if that is configured. Linking matches on email address, so the trusted-provider list is a security boundary: only list providers whose email ownership checks you are willing to rely on.

The redirect URIs registered with each provider must exactly match the API's callback URLs:

http://localhost:8000/api/auth/callback/google
http://localhost:8000/api/auth/callback/github

(Use your production API host in deployed environments.)

Sessions

  • Sessions are stored in Postgres, with Redis as secondary storage so session lookups avoid a database round trip
  • Default expiry: SESSION_EXPIRES_IN_SECONDS=604800 (7 days)
  • Revoke sessions you do not recognize from the security page, where the session list is exposed

Cross-site cookies (local dev)

Local stack uses:

  • AUTH_COOKIE_DOMAIN=localhost
  • AUTH_CROSS_SITE_COOKIES=true

This lets the Next.js app on :3000 send cookies to the API on :8000. Browsers only honour SameSite=None cookies that are also marked Secure; they treat localhost as a secure context, so this works over plain HTTP in local development only. Production must serve the API over HTTPS and list the web app's origin in Better Auth's trustedOrigins, since state-changing requests from unlisted origins are rejected.
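The two controls the paragraph above relies on, an exact Origin check against a trusted-origins list and a session cookie whose SameSite/Secure attributes follow from the deployment, as an added TypeScript example. This is not the project's or Better Auth's implementation: isTrustedOrigin, sessionSetCookie and the CookieEnv shape are invented here, and the comments only map its fields onto the page's environment variables.

```typescript
// Origin check for state-changing requests (what a trusted-origins list is for).
// Origins are normalized by the URL parser and compared exactly: no suffix matching,
// no scheme downgrade, and the opaque "null" origin (sandboxed iframes, file: pages) is rejected.
export function isTrustedOrigin(originHeader: string | null | undefined, trustedOrigins: string[]): boolean {
  if (!originHeader || originHeader === "null") return false;
  let origin: string;
  try {
    origin = new URL(originHeader).origin;
  } catch {
    return false; // not a syntactically valid origin
  }
  if (origin === "null") return false; // schemes without a tuple origin normalize to "null"
  return trustedOrigins.some((t) => {
    try {
      return new URL(t).origin === origin;
    } catch {
      return false; // a malformed entry in the list never matches anything
    }
  });
}

export interface CookieEnv {
  apiOrigin: string;      // where Set-Cookie is issued, e.g. "http://localhost:8000"
  crossSite: boolean;     // corresponds to AUTH_CROSS_SITE_COOKIES
  cookieDomain?: string;  // corresponds to AUTH_COOKIE_DOMAIN
  maxAgeSeconds: number;  // corresponds to SESSION_EXPIRES_IN_SECONDS
}

// Build the session cookie's attributes. SameSite=None is only honoured together with Secure;
// browsers treat localhost as a secure context, so plain-HTTP dev works, but a deployed API
// that is not HTTPS cannot issue a cross-site cookie at all, so refuse rather than emit one
// the browser would silently drop.
export function sessionSetCookie(name: string, value: string, env: CookieEnv): string {
  const api = new URL(env.apiOrigin);
  const isLocalhost = api.hostname === "localhost" || api.hostname === "127.0.0.1";
  const secureAllowed = api.protocol === "https:" || isLocalhost;
  if (env.crossSite && !secureAllowed) {
    throw new Error(`cross-site session cookies require HTTPS on ${api.host}`);
  }
  const attrs = [
    `${name}=${value}`,
    "Path=/",
    "HttpOnly",
    `Max-Age=${env.maxAgeSeconds}`,
    `SameSite=${env.crossSite ? "None" : "Lax"}`,
  ];
  if (secureAllowed) attrs.push("Secure");
  if (env.cookieDomain) attrs.push(`Domain=${env.cookieDomain}`);
  return attrs.join("; ");
}
```

Run the Origin check before any state-changing handler (sign-in, 2FA enable, session revoke); a missing Origin header is treated as untrusted rather than as same-origin, because a browser sends one on every cross-origin POST and the cases where it is absent are not the ones you want to allow by default.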

If you lose your password, authenticator, and backup codes, only an administrator can recover the account. Treat backup codes like production secrets.

Implementation reference: Authentication.
