> I don’t think it’s great to see a truly free project get absorbed into a commercial venture.
Auth.js and NextAuth.js didn't seem to be in a healthy state. Work on NextAuth.js v5 began way back in May 2023.[1][2] NextAuth.js v5 was renamed to Auth.js in August 2023.[3] v5.0.0-beta.0 was released in October 2023.[4] Balázs Orbán, the main contributor to Auth.js and NextAuth.js, quit in January 2025.[5][6] v5 is still in beta after all this time. It never had a stable release.
That may be true but doesn't contradict the point of the parent commenter.
If Auth.js wanted to give up, that would be fine (although disappointing, since multiple options is always healthy, especially for something as critical as auth)
but this deal where they are "becoming part of BetterAuth" and recommending that new users use BetterAuth on the project README is concerning to me
Fair concern but I don’t think Auth.js was ever “truly free,” considering it was supported by many companies (big or small) including someone like Clerk even running ads on the docs site.
We started Better Auth with the vision of making high-quality auth (with simple abstractions, great docs, extensive set of features...) and make it accessible to everyone . It didn’t start as a commercial venture, at first it was a purely oss project I created. The reason it evolved into a commercial venture is that we saw new ways to make owning your auth even more accessible and scalable for companies.
The reason we’re bringing Auth.js under Better Auth is that the Auth.js team is moving on, and we don’t want the project to be abandoned, that would hurt trust in open-source auth as a whole. We’ve already seen that happen at smaller scaller with Lucia. If that weren’t the case, we’d actually benefit from Auth.js being deprecated, since we’re effectively the next most people would go for and we wouldn't have to take this risk and responsibilities.
Full disclosure, I work for FusionAuth, a commercial auth vendor which sponsored NextAuth.
People gotta eat. It's not like NextAuth didn't have commercial support from sponsors. I'm not privy to the details of how much money was involved, but you can read other comments about Clerk and Vercel and how they influenced the project.
Which will invariably lead to that open source project to become less and less useful if implemented separately from the SaaS platform. I’ve seen this game plan often enough.
I don’t know the story, but I’m not surprised. I led an effort to switch my company to Auth0 recently and they’re… bad. They have very poor support for anything even barely outside of normal, and when things are working correctly they not very good.
But when you have a requirement to move to a third party SaaS service, I suppose Auth0 is maybe the best of a bad bunch.
Same, I felt like I was writing my own auth. They don’t seem to understand that we’re trying to get away from the complexity of auth. I’ve talked with their sales people but may as well be talking to a wall.
I interviewed for an SRE position at Auth0 years ago. My interviewer told me it was all held together by duct tape and prayers. I'm glad I didn't end up taking that position.
I’ve seen a lot of talk about Auth0 but I want to put a callout to get a check on how folks feel about AWS cognito. I am Cognito vs Auth0 and I’d love to hear some real world experiences
This framework has made auth such a non-issue for me. The setup is easy and the usage is consistent framework to framework. So glad to see that they’re continuing to do well.
There are solutions out there for golang (FusionAuth, my employer, is one) but I think you are looking for one that integrates directly into an application the way that better-auth does (just like devise for rails, or Django's user model).
I'm working on something[0]. It actually supports Go, JS, and Rust (through the power of server-side WASM). Python and others are planned. It's unlikely to ever have all the features and polish of BetterAuth/OpenAuth, but I've been absolutely loving the DX for my projects that need auth.
I've seen this, and the fact that it's written in Go is kind of irrelevant if I have to manage an external service. I just want it to be simple like what other languages have.
Extremely complex and requires running another multiple services. I just want auth, I don't want to set up kubernetes to orchestrate all the components of Ory.
Rauch got a heck of a deal: hire NextAuth/Auth.js lead developer, use zombified Auth.js as a funnel to Clerk (a portco) with prominent CTAs on every page.
Then a replacement to zombified Auth.js pops up, but this time he's early so I would take bets on him having a slice. Use your closeness (via having hired the lead dev) to facilitate "absorbing" (read: erasing) the last dregs of Auth.js, successfully replacing it with a duopoly you've invested in both sides of!
Bonus: Having raised (which you helped with) they can't undercut Clerk on some shoestring budget.. they'll fail!
I am bummed by this, basically sounds like they’re sunsetting future development into Auth.js.
I tried Better Auth and it was not usable for what I wanted to do - I manage my own database schema and expose it through a permissioned GraphQL API. With Auth.js I just needed to implement a documented set of functions with specified input and output types, like creating users, storing tokens, etc. - however I wanted to - and then it all just worked with my own custom GraphQL API as the backend.
But with Better Auth it’s all insanely general, where the data types are “whatever a particular plugin wants” meaning the any type in TypeScript; and the only thing you can do is delegate responsibility for design of database schemas and execution of data migrations to whatever plugin developers decide you need for the particular authentication methods you support.
Way beyond the pale for an auth library in my opinion, I thought I was dumb and just didn’t understand the library but when I asked the community about it, they told me that’s by design - plugins determine their own data model. This isn’t a matter of me having a weird use case with the whole GraphQL thing, I can’t imagine anyone who takes their data modeling/security seriously would be fine with delegating that kind of control to plugin developers.
(Yes I know you can make your own adapters, but the interface for that is literally “implement a general purpose SQL-like query executor” where the models that you’re querying/mutating are arbitrary strings - so basically no control over your schema. It literally just takes in a code: string value for eval’ing your migrations! Insane! [1])
When I saw the announcements before about Better Auth, emphasizing not that it was innovative nor technically good in any way, but instead focusing on the fact that its developer was self-taught and has only been coding for a few years [2], I tried to restrain myself from assuming anything about how it might be designed, especially since it seems everyone was hyping it up… but I’m not so confident my prejudices were totally wrong.
I guess this is marginally better than the status quo where Auth.js was basically unmaintained and not being developed further at all. Which is to say, the state of open source auth libraries in JS is surprisingly poor.
1. We won’t sunset Auth.js unless we’re confident that anyone currently using it can migrate to Better Auth without any issues, which is quite difficult right now. So we don’t expect to do that anytime soon and chances are we will never require everyone to migrate.
2. The features we offer through plugins don’t exist in NextAuth, so that shouldn’t be a problem. You can use the core library for almost all of NextAuth’s features, and we provide most plugins first-party. Of course, you can choose not to use a plugin, write your own, copy and modify one, or only use the first-party ones we provide. We handle the database so you can own your auth without writing the logic yourself.
3. Auth.js hasn’t been actively maintained for a while. Our main reason for bringing it under Better Auth was to avoid a sudden deprecation, as that would directly harm the open-source auth ecosystem by eroding trust. Something we’ve already seen happen on a smaller scale with Lucia Auth.
I guess what I’m saying is that I think the part about delegating databases to Better Auth relegates it to being only useful for throwaway projects and companies with low quality technical vision, and there is no actively developed alternative that can do any better.
Patches are better than nothing but I am disappointed with the state of auth in JS.
Readit News
Auth.js and NextAuth.js didn't seem to be in a healthy state. Work on NextAuth.js v5 began way back in May 2023.[1][2] NextAuth.js v5 was renamed to Auth.js in August 2023.[3] v5.0.0-beta.0 was released in October 2023.[4] Balázs Orbán, the main contributor to Auth.js and NextAuth.js, quit in January 2025.[5][6] v5 is still in beta after all this time. It never had a stable release.
[1] https://github.com/nextauthjs/next-auth/pull/7443
[2] https://github.com/nextauthjs/next-auth/discussions/8487
[3] https://github.com/nextauthjs/next-auth/commit/a996ab57e8ffc...
[4] https://www.npmjs.com/package/next-auth/v/5.0.0-beta.0
[5] https://github.com/nextauthjs/next-auth/commits?author=balaz...
[6] https://x.com/balazsorban44/status/1943635445235040488
If Auth.js wanted to give up, that would be fine (although disappointing, since multiple options is always healthy, especially for something as critical as auth)
but this deal where they are "becoming part of BetterAuth" and recommending that new users use BetterAuth on the project README is concerning to me
Deleted Comment
We started Better Auth with the vision of making high-quality auth (with simple abstractions, great docs, extensive set of features...) and make it accessible to everyone . It didn’t start as a commercial venture, at first it was a purely oss project I created. The reason it evolved into a commercial venture is that we saw new ways to make owning your auth even more accessible and scalable for companies.
The reason we’re bringing Auth.js under Better Auth is that the Auth.js team is moving on, and we don’t want the project to be abandoned, that would hurt trust in open-source auth as a whole. We’ve already seen that happen at smaller scaller with Lucia. If that weren’t the case, we’d actually benefit from Auth.js being deprecated, since we’re effectively the next most people would go for and we wouldn't have to take this risk and responsibilities.
People gotta eat. It's not like NextAuth didn't have commercial support from sponsors. I'm not privy to the details of how much money was involved, but you can read other comments about Clerk and Vercel and how they influenced the project.
I wrote more about the difficulties of OSS business models here a few years ago: https://www.mooreds.com/wordpress/archives/3438
Good for them, bad for the rest of us.
Dead Comment
I missed OpenAI migrating away from auth0. They must have been one of their largest customers - anybody know the story?
But when you have a requirement to move to a third party SaaS service, I suppose Auth0 is maybe the best of a bad bunch.
Deleted Comment
what story??? chance are if you are planet scale enterprise, you are big enough to maintain or create or fork popular custom OSS auth themselves
I mean can you imagine the cost ??? also the effect of third party that hold your entire user data
There are solutions out there for golang (FusionAuth, my employer, is one) but I think you are looking for one that integrates directly into an application the way that better-auth does (just like devise for rails, or Django's user model).
I'm not aware of any such library for golang. This reddit thread might be helpful: https://www.reddit.com/r/golang/comments/1le9q65/is_there_a_... with some options to evaluate.
[0]: https://github.com/lastlogin-net/decent-auth
Then a replacement to zombified Auth.js pops up, but this time he's early so I would take bets on him having a slice. Use your closeness (via having hired the lead dev) to facilitate "absorbing" (read: erasing) the last dregs of Auth.js, successfully replacing it with a duopoly you've invested in both sides of!
Bonus: Having raised (which you helped with) they can't undercut Clerk on some shoestring budget.. they'll fail!
The prophecy continues :) https://news.ycombinator.com/item?id=40321997
I tried Better Auth and it was not usable for what I wanted to do - I manage my own database schema and expose it through a permissioned GraphQL API. With Auth.js I just needed to implement a documented set of functions with specified input and output types, like creating users, storing tokens, etc. - however I wanted to - and then it all just worked with my own custom GraphQL API as the backend.
But with Better Auth it’s all insanely general, where the data types are “whatever a particular plugin wants” meaning the any type in TypeScript; and the only thing you can do is delegate responsibility for design of database schemas and execution of data migrations to whatever plugin developers decide you need for the particular authentication methods you support.
Way beyond the pale for an auth library in my opinion, I thought I was dumb and just didn’t understand the library but when I asked the community about it, they told me that’s by design - plugins determine their own data model. This isn’t a matter of me having a weird use case with the whole GraphQL thing, I can’t imagine anyone who takes their data modeling/security seriously would be fine with delegating that kind of control to plugin developers.
(Yes I know you can make your own adapters, but the interface for that is literally “implement a general purpose SQL-like query executor” where the models that you’re querying/mutating are arbitrary strings - so basically no control over your schema. It literally just takes in a code: string value for eval’ing your migrations! Insane! [1])
When I saw the announcements before about Better Auth, emphasizing not that it was innovative nor technically good in any way, but instead focusing on the fact that its developer was self-taught and has only been coding for a few years [2], I tried to restrain myself from assuming anything about how it might be designed, especially since it seems everyone was hyping it up… but I’m not so confident my prejudices were totally wrong.
I guess this is marginally better than the status quo where Auth.js was basically unmaintained and not being developed further at all. Which is to say, the state of open source auth libraries in JS is surprisingly poor.
[1] https://github.com/better-auth/better-auth/blob/f6cbdcc84ee5...
[2] https://techcrunch.com/2025/06/25/this-self-taught-ethiopian...
2. The features we offer through plugins don’t exist in NextAuth, so that shouldn’t be a problem. You can use the core library for almost all of NextAuth’s features, and we provide most plugins first-party. Of course, you can choose not to use a plugin, write your own, copy and modify one, or only use the first-party ones we provide. We handle the database so you can own your auth without writing the logic yourself.
3. Auth.js hasn’t been actively maintained for a while. Our main reason for bringing it under Better Auth was to avoid a sudden deprecation, as that would directly harm the open-source auth ecosystem by eroding trust. Something we’ve already seen happen on a smaller scale with Lucia Auth.
Patches are better than nothing but I am disappointed with the state of auth in JS.