home / skills / sstobo / convex-skills / betterauth-tanstack-convex
This skill guides you through setting up Better Auth with Convex and TanStack Start, enabling secure SSR, routes, and sign in flows.
npx playbooks add skill sstobo/convex-skills --skill betterauth-tanstack-convexReview the files below or copy the command above to add this skill to your agents.
---
name: betterauth-tanstack-convex
description: Step-by-step guide for setting up Better Auth authentication with Convex and TanStack Start. This skill should be used when configuring authentication in a Convex + TanStack Start project, troubleshooting auth issues, or implementing sign up/sign in/sign out flows. Covers installation, environment variables, SSR authentication, route handlers, and the expectAuth pattern.
---
# Better Auth + Convex + TanStack Start
## Overview
This skill provides guidance for integrating Better Auth authentication with Convex backend and TanStack Start framework. It covers the complete setup process from installation to SSR-compatible authentication flows.
## When to Use This Skill
- Setting up authentication in a new Convex + TanStack Start project
- Troubleshooting Better Auth configuration issues
- Implementing sign up, sign in, or sign out flows
- Configuring SSR authentication with `expectAuth: true`
- Adding authenticated server functions
- Understanding the auth provider hierarchy
## Quick Reference
### Required Packages
```bash
npm install convex@latest @convex-dev/better-auth
npm install [email protected] --save-exact
npm install @types/node --save-dev
```
### Environment Variables
**Convex deployment** (via CLI):
```bash
npx convex env set BETTER_AUTH_SECRET=$(openssl rand -base64 32)
npx convex env set SITE_URL http://localhost:3000
```
**.env.local**:
```bash
CONVEX_DEPLOYMENT=dev:adjective-animal-123
VITE_CONVEX_URL=https://adjective-animal-123.convex.cloud
VITE_CONVEX_SITE_URL=https://adjective-animal-123.convex.site
VITE_SITE_URL=http://localhost:3000
```
### File Structure
| File | Purpose |
|------|---------|
| `convex/convex.config.ts` | Register Better Auth component |
| `convex/auth.config.ts` | Configure auth provider |
| `convex/auth.ts` | Create Better Auth instance + `authComponent` |
| `convex/http.ts` | Register auth HTTP routes |
| `src/lib/auth-client.ts` | Client-side auth utilities |
| `src/lib/auth-server.ts` | Server-side auth utilities |
| `src/routes/api/auth/$.ts` | Proxy auth requests to Convex |
| `src/routes/__root.tsx` | Auth provider wrapper + SSR token |
### Essential Imports
```typescript
// Client-side
import { authClient } from '~/lib/auth-client'
// Server-side
import { getToken, fetchAuthQuery, fetchAuthMutation } from '~/lib/auth-server'
// Backend
import { authComponent, createAuth } from './auth'
```
### Auth Check (Backend)
```typescript
const user = await authComponent.getAuthUser(ctx)
if (!user) throw new Error("Not authenticated")
```
### Sign Out with expectAuth
When using `expectAuth: true`, reload the page after sign out:
```typescript
await authClient.signOut({
fetchOptions: {
onSuccess: () => location.reload(),
},
})
```
## Critical Configuration
### Vite SSR Bundle
Required in `vite.config.ts` to avoid module resolution issues:
```typescript
ssr: {
noExternal: ['@convex-dev/better-auth'],
}
```
### ConvexQueryClient with expectAuth
Required for seamless SSR authentication:
```typescript
const convexQueryClient = new ConvexQueryClient(convexUrl, {
expectAuth: true,
})
```
### Provider Hierarchy
The root component must wrap children in this order:
1. `ConvexBetterAuthProvider` (outermost)
2. `QueryClientProvider`
3. `RootDocument` with `<Outlet />`
## Reference Files
Load the detailed setup guide when implementing authentication:
| File | Use When |
|------|----------|
| `references/setup-guide.md` | Full step-by-step installation and configuration |
This skill documents a step-by-step guide to integrate Better Auth with a Convex backend and the TanStack Start framework. It focuses on installation, environment configuration, SSR-compatible auth flows, and required file wiring to support sign up, sign in, and sign out. Use it to implement or troubleshoot authenticated routes and server functions with expectAuth.
The guide walks through installing packages, setting environment variables for both local and Convex deployments, and registering Better Auth in Convex config files. It shows client and server helper files, how to proxy auth requests, and how to wrap the app with the required provider hierarchy for SSR. It also covers critical runtime settings such as Vite SSR noExternal and using ConvexQueryClient with expectAuth for server-side rendering.
What environment variables are required?
Set BETTER_AUTH_SECRET and SITE_URL in your Convex deployment. In .env.local mirror CONVEX_DEPLOYMENT, VITE_CONVEX_URL, VITE_CONVEX_SITE_URL, and VITE_SITE_URL for local development.
How do I ensure SSR works with Better Auth?
Use ConvexQueryClient with expectAuth: true, add @convex-dev/better-auth to ssr.noExternal in vite.config.ts, and wrap the app with ConvexBetterAuthProvider at the root.
How do I protect a backend function?
Call authComponent.getAuthUser(ctx) inside the function and throw or return an error if no user is returned.