configuring-better-auth_skill

This skill helps you configure centralized authentication with Better Auth using MCP, enabling secure OAuth2/OIDC setups for SSO clients.
  • Python

19

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill mjunaidca/mjs-agent-skills --skill configuring-better-auth

  • SKILL.md7.4 KB

Overview

This skill shows how to implement OAuth 2.1 / OIDC authentication using Better Auth with MCP-assisted setup. It covers setting up a centralized auth server, registering SSO clients, PKCE flows for public clients, and validating tokens with JWKS. The guidance is practical and focused on secure defaults for Next.js apps and server-side verification.

How this skill works

Use the Better Auth library to run an auth server or to add an OIDC provider plugin to an existing service. The MCP server provides guided configuration, generates correct plugin configuration, and helps troubleshoot flows. SSO clients implement PKCE: generate a code verifier/challenge, redirect to authorize, exchange the authorization code for tokens, then store tokens in httpOnly cookies and verify access tokens using JWKS.

When to use it

  • Setting up a centralized SSO provider for multiple applications
  • Integrating SSO clients in Next.js with secure server-side token handling
  • Implementing PKCE for public clients (mobile or single-page apps)
  • Needing JWKS-based verification of JWT access tokens
  • Troubleshooting or generating correct OIDC provider configs via MCP

Best practices

  • Use MCP for initial Better Auth configuration and when adding OIDC plugins
  • Store tokens in httpOnly cookies and set SameSite=Lax for CSRF protection
  • Require PKCE for public clients and persist the verifier in a cookie before redirect
  • Validate access tokens with a remote JWKS and enforce issuer/audience checks
  • Implement refresh-token rotation and server-side token exchange on callback

Example use cases

  • Run Better Auth as the central auth-server for company-wide SSO and register multiple apps
  • Add OIDC provider plugin to Better Auth to support openid profile email scopes
  • Integrate a Next.js app: start PKCE login, exchange code in an API route, and set httpOnly cookies
  • Use createRemoteJWKSet and jwtVerify to validate incoming API requests with bearer tokens
  • Perform global logout across apps by redirecting users to the auth server's logout endpoint

FAQ

Use MCP for initial setup, adding OIDC provider plugins, and troubleshooting. For custom middleware or advanced patterns, configure manually using the provided patterns.

Where should I store the PKCE verifier?

Store the PKCE verifier in a cookie before redirect (httpOnly preferred when possible) so it is available during the token exchange after redirect.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational