Cookies

Learn how cookies are used in Better Auth.

Cookies are used to store data such as session tokens, OAuth state, and more. All cookies are signed using the secret key provided in the auth options.

Better Auth cookies will follow ${prefix}.${cookie_name} format by default. The prefix will be "better-auth" by default. You can change the prefix by setting cookiePrefix in the advanced object of the auth options.

auth.ts
import { betterAuth } from "better-auth"
 
export const auth = betterAuth({
    advanced: {
        cookiePrefix: "my-app"
    }
})

Custom Cookies

All cookies are httpOnly and secure if the server is running in production mode.

If you want to set custom cookie names and attributes, you can do so by setting cookieOptions in the advanced object of the auth options.

By default, Better Auth uses the following cookies:

  • session_token to store the session token
  • session_data to store the session data if cookie cache is enabled
  • dont_remember to store the dont_remember flag if remember me is disabled

Plugins may also use cookies to store data. For example, the Two Factor Authentication plugin uses the two_factor cookie to store the two-factor authentication state.

auth.ts
import { betterAuth } from "better-auth"
 
export const auth = betterAuth({
    advanced: {
        cookies: {
            session_token: {
                name: "custom_session_token",
                attributes: {
                    // Set custom cookie attributes
                }
            },
        }
    }
})

Cross Subdomain Cookies

Sometimes you may need to share cookies across subdomains. For example, if you have app.example.com and example.com, and if you authenticate on example.com, you may want to access the same session on app.example.com.

By default, cookies are not shared between subdomains. However, if you need to access the same session across different subdomains, you can enable cross-subdomain cookies by configuring crossSubDomainCookies and defaultCookieAttributes in the advanced object of the auth options.

The leading period of the domain attribute broadens the cookie's scope beyond your main domain, making it accessible across all subdomains.
auth.ts
import { betterAuth } from "better-auth"
 
export const auth = betterAuth({
    advanced: {
        crossSubDomainCookies: {
            enabled: true,
            domain: ".example.com", // Domain with a leading period
        },
        defaultCookieAttributes: {
            secure: true,
            httpOnly: true,
            sameSite: "none",  // Allows CORS-based cookie sharing across subdomains
            partitioned: true, // New browser standards will mandate this for foreign cookies
        },
    },
    trustedOrigins: [
        'https://example.com',
        'https://app1.example.com',
        'https://app2.example.com',
    ],
})
Setting your sameSite cookie attribute to none makes you vulnerable to CSRF attacks. To mitigate risks, configure trustedOrigins with an array of authorized origins to allow.

Secure Cookies

By default, cookies are secure only when the server is running in production mode. You can force cookies to be always secure by setting useSecureCookies to true in the advanced object in the auth options.

auth.ts
import { betterAuth } from "better-auth"
 
export const auth = betterAuth({
    advanced: {
        useSecureCookies: true
    }
})

Client

Better Auth client library for authentication.

Database

Learn how to use a database with Better Auth.

Edit on GitHub

On this page