Authentication and Authorization

Safe auth patterns you can extend.

Goal

Ship secure auth on Workers with room to grow.

Auth provider overview

Complete, production-ready authentication system out of the box - no need for an external auth service like Supabase, Auth0, or Cognito
Better Auth configured for Cloudflare Workers.
OAuth and credential-ready flows are supported.

Social sign-in

Google OAuth callback: /api/auth/callback/google.
GitHub OAuth callback: /api/auth/callback/github.

Sessions and cookies

Sessions are created server-side and verified at the edge.
Cookie handling is centralized in the auth helpers.

Server vs client auth checks

Use server checks for protected routes.
Client checks are for UX only, not enforcement.

Role-based access control

Start with organization-level access, extend as needed.
Add roles in the DB schema when you introduce tiers.

Protecting routes

requireSession() is the primary guard for server routes.
Keep auth logic close to the data you are protecting.

Common auth pitfalls

Do not expose secrets to the client.
Avoid relying on client-only checks for gated features.