Better Auth v1 Stable: What Changed for SaaS Boilerplate Adopters in 2026

Better Auth hit v1.0 — here is what shifted for SaaS boilerplates: stable APIs, plugin model, organizations, two-factor, and the upgrade path from 0.x and from Auth.js / Lucia / Clerk.

StarterPick Team

Quick Verdict

Better Auth's stable 1.0 line removed most of the reasons people stayed on Auth.js v5 or Clerk in 2025. If you're starting a new SaaS boilerplate today, Better Auth is the default recommendation for self-hosted auth. If you're already on Auth.js v5 with no organization features, the migration is mechanical. If you're on Clerk and not paying for it, stay; if you're on Clerk and paying $99+/mo for organizations, Better Auth is now the credible escape.

Key Takeaways

  • Stable v1 means no more breaking releases every minor — boilerplate authors can finally pin a version without dread.
  • The Organizations plugin covers the 80% B2B case (teams, members, invites, roles) without writing your own.
  • Two-factor, passkeys, magic links, OAuth, and email/password are first-party plugins, not third-party.
  • Drizzle and Prisma adapters are first-class; Postgres, MySQL, SQLite, MongoDB all supported.
  • The bearer-token mode unlocks mobile and CLI use cases that Auth.js never handled cleanly.

What Actually Shipped in 1.0

The 0.x line moved fast and sometimes painfully — boilerplate authors who shipped Better Auth in early 2025 had to chase rapid breaking changes through plugin renames, session shape changes, and adapter rewrites. The 1.0 line froze the public API and committed to semantic versioning. Practical effects:

  • Session shape (session.user, session.session) is locked in.
  • Plugin contract (plugin(), client.plugin()) is locked in.
  • Adapter interface is locked in.
  • Cookie names, header names, and route paths are stable.

For boilerplates already using Better Auth, this turns "auth library that needs a sprint to upgrade" into a normal dependency.

Decision Table

| Coming from | Migrate to Better Auth v1 when |
| --- | --- |
| Auth.js v5 | You want B2B organizations, passkeys, or 2FA without bolting on libraries |
| Lucia v3 (sunsetting) | Already; Lucia author endorsed migration paths |
| NextAuth v4 | You're already planning a v5 jump — go straight to Better Auth |
| Clerk free tier | Stay on Clerk unless you've hit the MAU cap |
| Clerk paid tier | Re-evaluate — Better Auth + Resend is often 1/10th the cost |
| Supabase Auth | Stay if you're deeply on Supabase; consider Better Auth if you're moving DB |

Headline Plugins You Get for Free

Better Auth v1's plugin set is the practical upgrade story for SaaS boilerplates.

Organizations

Teams, members, invitations, role-based access, multi-tenant scoping. This is the feature that previously pushed teams toward Clerk Organizations or WorkOS at $99–299/mo.

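```typescript
import { betterAuth } from 'better-auth';
import { drizzleAdapter } from 'better-auth/adapters/drizzle';
import { organization } from 'better-auth/plugins';
// Assumption: your Drizzle client is exported from a local module; adjust the path.
import { db } from './db';

export const auth = betterAuth({
  database: drizzleAdapter(db, { provider: 'pg' }),
  plugins: [
    organization({
      // Let signed-in users create organizations, up to the configured limit.
      allowUserToCreateOrganization: true,
      organizationLimit: 5,
    }),
  ],
});
```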

The client gets typed methods: authClient.organization.create(), inviteMember(), acceptInvitation(), setActiveOrganization(). The session carries the active org id, which you read in middleware to scope every database query.
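The scoping step described above, as an added example that is not Better Auth's own code: the tenant is resolved once from the session, re-checked against membership, and every read goes through a repository that applies the org filter itself. It assumes the active org id is exposed as session.session.activeOrganizationId and uses in-memory arrays in place of a database; all type and function names are hypothetical.

```typescript
// Added example, not Better Auth code. Only the nested session shape comes
// from the page; activeOrganizationId, the row types and the function names
// are assumptions made for illustration.
type AuthSession = {
  user: { id: string };
  session: { activeOrganizationId?: string | null };
};
type Member = { userId: string; organizationId: string; role: string };
type Invoice = { id: string; organizationId: string; total: number };

// Resolve the tenant for this request or refuse. The org id in the session is
// re-checked against current membership, so a user removed from an org after
// signing in loses access on the next request.
function requireTenant(s: AuthSession | null, members: Member[]): Member {
  if (!s) throw new Error('unauthenticated');
  const userId = s.user.id;
  const orgId = s.session.activeOrganizationId;
  if (!orgId) throw new Error('no active organization');
  const m = members.filter((x) => x.userId === userId && x.organizationId === orgId)[0];
  if (!m) throw new Error('not a member of the active organization');
  return m;
}

// The only data-access path handlers receive. The org filter is applied here
// and is never taken from a URL parameter or request body.
function invoicesFor(tenant: Member, all: Invoice[]) {
  const scoped = all.filter((r) => r.organizationId === tenant.organizationId);
  return {
    list: (): Invoice[] => scoped,
    // An id that belongs to another tenant looks the same as a missing id.
    get: (id: string): Invoice | null => scoped.filter((r) => r.id === id)[0] ?? null,
  };
}

// Constructed sample data.
const members: Member[] = [
  { userId: 'u1', organizationId: 'org_a', role: 'owner' },
  { userId: 'u2', organizationId: 'org_b', role: 'member' },
];
const invoices: Invoice[] = [
  { id: 'inv_1', organizationId: 'org_a', total: 120 },
  { id: 'inv_2', organizationId: 'org_b', total: 75 },
];
const alice: AuthSession = { user: { id: 'u1' }, session: { activeOrganizationId: 'org_a' } };
const repo = invoicesFor(requireTenant(alice, members), invoices);
console.log(repo.list().map((r) => r.id), repo.get('inv_2')); // [ 'inv_1' ] null
```

In a real handler the membership lookup and the invoice filter become WHERE clauses on the same org id, so a handler has no way to issue an unscoped query.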

Two-Factor Auth

TOTP, backup codes, and OTP-via-email. No separate library, no Speakeasy + custom UI.

Passkeys (WebAuthn)

First-party plugin covering registration, authentication, and account-link flows. Sites that previously shipped passwords-only because passkey libraries were rough can now ship passkey-first auth in a weekend.

Magic Links

Email link sign-in. Pairs with Resend or any email provider — see react-email vs resend vs loops.

Bearer Mode

Header-based auth (Authorization: Bearer <token>) instead of cookies. Unlocks mobile apps and CLI tools without an additional auth strategy.

What Boilerplates Have Adopted It

| Boilerplate | Status |
| --- | --- |
| Makerkit | Better Auth optional alongside Supabase Auth |
| Indie Kit | Default to Better Auth + Drizzle |
| Open SaaS | Migration documented |
| ShipFast | Still NextAuth-default, Better Auth available as a swap |
| Supastarter | Supabase Auth default, Better Auth swap path documented |

The split is roughly: opinionated B2B starters lean Better Auth, mass-market launch-fast starters still default to NextAuth/Supabase Auth for familiarity. Compare in Better Auth vs Clerk vs NextAuth.

Migrating from Auth.js v5

The mechanical steps for a typical Next.js boilerplate:

  1. Install: bun add better-auth and the matching client (better-auth/client).
  2. Wire the handler: Replace app/api/auth/[...nextauth]/route.ts with app/api/auth/[...all]/route.ts exporting auth.handler.
  3. Adapter: Drop the Auth.js adapter; configure the Better Auth Drizzle/Prisma adapter pointing at the same database. The required tables differ — run the included migration to create user, session, account, verification tables.
  4. Backfill users: A one-time SQL script to copy existing users and accounts into the new schema. The shape is close but not identical.
  5. Update client calls: signIn('google') becomes authClient.signIn.social({ provider: 'google' }).
  6. Middleware: Replace auth() with auth.api.getSession({ headers: await headers() }).

Budget half a day for a typical SaaS boilerplate that hasn't customized auth heavily. A weekend if you've forked NextAuth callbacks for custom JWT shape.

Migrating from Clerk

Harder, because Clerk owns the user model, organizations, and sessions. The pragmatic path:

  1. Export users via Clerk's Backup API or webhooks.
  2. Stand up Better Auth with the Organizations plugin pointed at your existing database.
  3. Force a password-reset / magic-link flow on first login post-cutover (Clerk passwords are hashed and not exportable).
  4. Re-link OAuth accounts on next sign-in.

This is a project, not a chore. Don't do it unless the bill or the lock-in is actually painful. The right time is usually when your B2B plan with Clerk Organizations would jump a tier.
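Steps 3 and 4 above come down to a sign-in policy for accounts that arrive without credentials. The following is an added example of one such policy, not Better Auth or Clerk code; the record shape, the decision names and the decide function are hypothetical, and the sample user is constructed.

```typescript
// Added example, not Better Auth or Clerk code. Every type, field and function
// name is hypothetical, and the sample records are constructed.
type Migrated = {
  email: string;        // stored lower-cased at import time
  hasPassword: boolean; // false until the user sets one after cutover
  linked: string[];     // "provider:subject" pairs re-linked since cutover
};
type Attempt =
  | { kind: 'password'; email: string }
  | { kind: 'oauth'; email: string; provider: string; subject: string; emailVerified: boolean };
type Decision = 'verify_password' | 'send_magic_link' | 'sign_in' | 'link_and_sign_in' | 'reject';

function decide(imported: Migrated[], a: Attempt): Decision {
  const email = a.email.trim().toLowerCase();
  const user = imported.filter((u) => u.email === email)[0];
  if (a.kind === 'password') {
    // Unknown and not-yet-reset accounts get the same answer. The caller shows
    // one generic message and mails only addresses that exist, so the form
    // does not reveal which emails were migrated.
    return user && user.hasPassword ? 'verify_password' : 'send_magic_link';
  }
  if (!user) return 'reject'; // new sign-ups go through a separate path
  if (user.linked.indexOf(a.provider + ':' + a.subject) !== -1) return 'sign_in';
  // First OAuth sign-in after cutover: re-link by email only when the provider
  // asserts the address is verified. Otherwise anyone able to register that
  // address at the provider would inherit the migrated account.
  return a.emailVerified ? 'link_and_sign_in' : 'reject';
}

// Constructed sample: one imported user, no password yet, nothing re-linked.
const imported: Migrated[] = [{ email: 'dana@example.com', hasPassword: false, linked: [] }];
const firstLogin = decide(imported, { kind: 'password', email: 'Dana@Example.com ' });
const unverified = decide(imported, {
  kind: 'oauth', email: 'dana@example.com', provider: 'google', subject: 'g-999', emailVerified: false,
});
console.log(firstLogin, unverified); // send_magic_link reject
```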

What Better Auth Still Doesn't Do Well

Honest limits as of the 1.0 line:

  • Hosted dashboard. No Clerk-style user admin UI. You build it or use the database directly.
  • Bot defense. No CAPTCHA, no risk scoring. Pair with Cloudflare Turnstile or Arcjet.
  • Webhook-based user management. Provisioning from external IDPs (SCIM) is community-maintained and not v1 stable.
  • Audit log. No first-party audit table. Drop a custom plugin or use database triggers.

If those are dealbreakers for your enterprise reviewer, Clerk or WorkOS is still the call.

Cost Comparison Over 12 Months

A rough comparison for a B2B SaaS at 5,000 monthly active users with team features:

| Stack | Annual cost | Notes |
| --- | --- | --- |
| Clerk Pro + Organizations | $1,800–3,600 | Scales with MAU and org features |
| WorkOS AuthKit | $0 up to 1M MAU + add-ons | SSO/SCIM cost extra |
| Auth0 B2B | $4,000+ | Older but mature |
| Better Auth + your DB | $0 license + ~$15/mo Postgres | Plus your engineering time |

Better Auth wins on cost. It loses on hosted UX and battle-tested enterprise polish. For most indie B2B SaaS in 2026, the cost difference funds the engineering time many times over.

Should Your Boilerplate Switch?

A simple test:

  • Greenfield SaaS boilerplate? Start on Better Auth v1.
  • Existing boilerplate on Auth.js v5 with no org features? Migrate when you have a quiet week.
  • Existing boilerplate on Clerk free tier? Don't switch.
  • Existing boilerplate on Clerk paid? Run the cost comparison; switch if the savings cover a week of engineering time.
  • Existing boilerplate on Supabase Auth? Stay if you're using Supabase RLS heavily — moving auth out of Supabase weakens RLS guarantees.

FAQ

Is Better Auth Edge-runtime safe? Yes. The core runs on Web standards (Request/Response, Web Crypto). Some database adapters require Node — pair with Neon HTTP, Drizzle's HTTP driver, or run the auth handler on Node runtime.

Does it work with React Native? Yes — bearer mode plus the expo-secure-store integration covers a typical RN flow.

Does it support social-only login? Yes. Disable email/password and only enable the OAuth providers you want. Magic link can be used as the password-reset path.

Will the v1 API really stay stable? The maintainers committed to semantic versioning. New plugins ship in additive minors; breaking changes are reserved for 2.0. The 0.x volatility is over.


Compare auth choices in the Better Auth vs Clerk vs NextAuth showdown and the broader authjs v5 vs Lucia v3 vs Better Auth analysis.

If you're picking auth for a brand-new project, start with the Next.js boilerplate Stripe + auth roundup.
