home / skills / sstobo / convex-skills / betterauth-tanstack-convex

betterauth-tanstack-convex skill

/betterauth-tanstack-convex

This skill guides you through setting up Better Auth with Convex and TanStack Start, enabling secure SSR, routes, and sign in flows.

npx playbooks add skill sstobo/convex-skills --skill betterauth-tanstack-convex

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
3.5 KB
---
name: betterauth-tanstack-convex
description: Step-by-step guide for setting up Better Auth authentication with Convex and TanStack Start. This skill should be used when configuring authentication in a Convex + TanStack Start project, troubleshooting auth issues, or implementing sign up/sign in/sign out flows. Covers installation, environment variables, SSR authentication, route handlers, and the expectAuth pattern.
---

# Better Auth + Convex + TanStack Start

## Overview

This skill provides guidance for integrating Better Auth authentication with Convex backend and TanStack Start framework. It covers the complete setup process from installation to SSR-compatible authentication flows.

## When to Use This Skill

- Setting up authentication in a new Convex + TanStack Start project
- Troubleshooting Better Auth configuration issues
- Implementing sign up, sign in, or sign out flows
- Configuring SSR authentication with `expectAuth: true`
- Adding authenticated server functions
- Understanding the auth provider hierarchy

## Quick Reference

### Required Packages

```bash
npm install convex@latest @convex-dev/better-auth
npm install [email protected] --save-exact
npm install @types/node --save-dev
```

### Environment Variables

**Convex deployment** (via CLI):
```bash
npx convex env set BETTER_AUTH_SECRET=$(openssl rand -base64 32)
npx convex env set SITE_URL http://localhost:3000
```

**.env.local**:
```bash
CONVEX_DEPLOYMENT=dev:adjective-animal-123
VITE_CONVEX_URL=https://adjective-animal-123.convex.cloud
VITE_CONVEX_SITE_URL=https://adjective-animal-123.convex.site
VITE_SITE_URL=http://localhost:3000
```

### File Structure

| File | Purpose |
|------|---------|
| `convex/convex.config.ts` | Register Better Auth component |
| `convex/auth.config.ts` | Configure auth provider |
| `convex/auth.ts` | Create Better Auth instance + `authComponent` |
| `convex/http.ts` | Register auth HTTP routes |
| `src/lib/auth-client.ts` | Client-side auth utilities |
| `src/lib/auth-server.ts` | Server-side auth utilities |
| `src/routes/api/auth/$.ts` | Proxy auth requests to Convex |
| `src/routes/__root.tsx` | Auth provider wrapper + SSR token |

### Essential Imports

```typescript
// Client-side
import { authClient } from '~/lib/auth-client'

// Server-side
import { getToken, fetchAuthQuery, fetchAuthMutation } from '~/lib/auth-server'

// Backend
import { authComponent, createAuth } from './auth'
```

### Auth Check (Backend)

```typescript
const user = await authComponent.getAuthUser(ctx)
if (!user) throw new Error("Not authenticated")
```

### Sign Out with expectAuth

When using `expectAuth: true`, reload the page after sign out:

```typescript
await authClient.signOut({
  fetchOptions: {
    onSuccess: () => location.reload(),
  },
})
```

## Critical Configuration

### Vite SSR Bundle

Required in `vite.config.ts` to avoid module resolution issues:

```typescript
ssr: {
  noExternal: ['@convex-dev/better-auth'],
}
```

### ConvexQueryClient with expectAuth

Required for seamless SSR authentication:

```typescript
const convexQueryClient = new ConvexQueryClient(convexUrl, {
  expectAuth: true,
})
```

### Provider Hierarchy

The root component must wrap children in this order:
1. `ConvexBetterAuthProvider` (outermost)
2. `QueryClientProvider`
3. `RootDocument` with `<Outlet />`

## Reference Files

Load the detailed setup guide when implementing authentication:

| File | Use When |
|------|----------|
| `references/setup-guide.md` | Full step-by-step installation and configuration |

Overview

This skill documents a step-by-step guide to integrate Better Auth with a Convex backend and the TanStack Start framework. It focuses on installation, environment configuration, SSR-compatible auth flows, and required file wiring to support sign up, sign in, and sign out. Use it to implement or troubleshoot authenticated routes and server functions with expectAuth.

How this skill works

The guide walks through installing packages, setting environment variables for both local and Convex deployments, and registering Better Auth in Convex config files. It shows client and server helper files, how to proxy auth requests, and how to wrap the app with the required provider hierarchy for SSR. It also covers critical runtime settings such as Vite SSR noExternal and using ConvexQueryClient with expectAuth for server-side rendering.

When to use it

  • Setting up authentication in a new Convex + TanStack Start project
  • Adding sign up, sign in, or sign out flows
  • Configuring SSR authentication with expectAuth: true
  • Troubleshooting Better Auth or Convex auth configuration issues
  • Adding authenticated Convex server functions or middleware

Best practices

  • Install exact Better Auth package version and latest convex packages to avoid runtime mismatches
  • Set BETTER_AUTH_SECRET and SITE_URL in Convex deployment env and mirror site URLs in .env.local
  • Add ssr.noExternal for @convex-dev/better-auth in vite.config.ts to prevent SSR module resolution errors
  • Use ConvexQueryClient with expectAuth: true for SSR requests that require user context
  • Wrap the app in ConvexBetterAuthProvider outermost, then QueryClientProvider, then your RootDocument/Outlet

Example use cases

  • Full project setup: install packages, set env vars, register auth component in convex/convex.config.ts
  • SSR-protected page: use ConvexQueryClient with expectAuth to fetch user-specific data on the server
  • Sign-out flow: call authClient.signOut and reload the page when using expectAuth to clear server SSR state
  • Server function requiring auth: call authComponent.getAuthUser(ctx) and throw when no user to protect endpoints
  • Proxy route: implement src/routes/api/auth/$.ts to forward auth HTTP requests to Convex

FAQ

What environment variables are required?

Set BETTER_AUTH_SECRET and SITE_URL in your Convex deployment. In .env.local mirror CONVEX_DEPLOYMENT, VITE_CONVEX_URL, VITE_CONVEX_SITE_URL, and VITE_SITE_URL for local development.

How do I ensure SSR works with Better Auth?

Use ConvexQueryClient with expectAuth: true, add @convex-dev/better-auth to ssr.noExternal in vite.config.ts, and wrap the app with ConvexBetterAuthProvider at the root.

How do I protect a backend function?

Call authComponent.getAuthUser(ctx) inside the function and throw or return an error if no user is returned.