Beyond the login form: the production-ready Better Auth setup in Next.js 16 — 2FA, organizations, admin, rate limiting, and the gotchas that matter.
Better Auth is the reasonable default for new Next.js projects in 2026. But "set up auth" and "set up auth that survives production" are different jobs. A login form is an afternoon; sessions, 2FA, organizations, admin controls and the edge cases around them are a week.
This is the production starter setup — the pieces you actually need, and the gotchas between a demo and a real app.
Better Auth runs inside your Next.js app against your own database. The minimum production-grade core:
- The server-side auth instance (auth) with your database adapter (Prisma + Postgres) and emailAndPassword + socialProviders (Google, GitHub, LinkedIn).
- Session reads via auth.api.getSession() in server components / route handlers.
Plugins are where Better Auth pulls ahead. Each is a line of config, not a week of building:
- twoFactor() — TOTP + backup codes. Don't ship a paid product without it.
- organization() — multi-tenancy: teams, roles (owner/admin/member), invitations. The backbone of B2B SaaS.
- admin() — impersonation, ban, list sessions. The support tooling you'll need by month two.
- passkey() — WebAuthn, increasingly expected.
- magicLink() — passwordless option.
Type safety flows from here: enable the organization plugin and session.activeOrganizationId becomes typed automatically.
1. Verify email before granting access. A demo skips it; production gets fake signups. Gate sensitive routes on emailVerified.
2. Rate-limit auth endpoints. Login, signup and reset are abuse magnets. Better Auth has rate limiting — turn it on, don't assume defaults fit.
3. Session strategy on edge. Better Auth works on edge without a special adapter, but decide deliberately where sessions are read (middleware vs server component) to avoid double lookups.
4. Trusted origins / CSRF. Set trustedOrigins correctly for production domains, or OAuth callbacks and cross-site requests will fail in confusing ways.
5. Don't sprinkle auth checks. Centralize authorization in a helper (a createAuthenticatedAction pattern) instead of repeating getSession() guards across the codebase — it's where bugs and security holes hide.
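Items 1 and 5 of the checklist in code, as an added example (not Better Auth's or CREA.MBA's own code): a createAuthenticatedAction helper that runs the unauthenticated, unverified-email, organization and role checks in one place, so no route repeats its own getSession() guard. The Session type is a constructed subset of what auth.api.getSession() returns (user.emailVerified from the core, session.activeOrganizationId from the organization plugin, user.role from the admin plugin), and the session loader is injected so the guard runs offline.

```typescript
// Constructed subset of the Better Auth session shape (assumption, not the library's types).
type Session = {
  user: { id: string; email: string; emailVerified: boolean; role?: string };
  session: { activeOrganizationId?: string | null };
};
type SessionLoader = () => Promise<Session | null>;

type Requirements = {
  requireVerifiedEmail?: boolean; // default true: gate on emailVerified (checklist item 1)
  requireOrganization?: boolean;  // require an active organization on the session
  roles?: string[];               // allow only these user.role values (admin plugin)
};

type AuthErrorCode = "UNAUTHENTICATED" | "EMAIL_UNVERIFIED" | "NO_ORGANIZATION" | "FORBIDDEN";
class AuthError extends Error {
  readonly code: AuthErrorCode;
  constructor(code: AuthErrorCode) { super(code); this.code = code; }
}

// Wraps a server action so every caller passes the same checks in the same order.
function createAuthenticatedAction(load: SessionLoader, req: Requirements = {}) {
  const requireVerified = req.requireVerifiedEmail ?? true;
  return function <TArgs extends unknown[], TResult>(
    handler: (ctx: Session, ...args: TArgs) => Promise<TResult> | TResult,
  ) {
    return async (...args: TArgs): Promise<TResult> => {
      const session = await load();
      if (!session) throw new AuthError("UNAUTHENTICATED");
      if (requireVerified && !session.user.emailVerified) throw new AuthError("EMAIL_UNVERIFIED");
      if (req.requireOrganization && !session.session.activeOrganizationId) throw new AuthError("NO_ORGANIZATION");
      if (req.roles && !req.roles.includes(session.user.role ?? "user")) throw new AuthError("FORBIDDEN");
      return handler(session, ...args);
    };
  };
}

// Constructed sample sessions standing in for auth.api.getSession() results.
const verifiedOwner: Session = {
  user: { id: "u1", email: "a@example.com", emailVerified: true, role: "user" },
  session: { activeOrganizationId: "org_1" },
};
const unverifiedUser: Session = {
  user: { id: "u2", email: "b@example.com", emailVerified: false },
  session: { activeOrganizationId: null },
};

// Runs a guarded action against a fixed session and returns the outcome as a string.
async function runWith(session: Session | null, req: Requirements): Promise<string> {
  const action = createAuthenticatedAction(async () => session, req)(async (ctx) => `ok:${ctx.user.id}`);
  try { return await action(); } catch (e) { return e instanceof AuthError ? e.code : "ERROR"; }
}
```

In a real app the loader is `() => auth.api.getSession({ headers: await headers() })` and the wrapped handler is your server action; the checks stay in one file.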
That's roughly a week of careful work — and it's the same week for every SaaS you'll ever build.
The Better Auth core is quick. Production Better Auth — verification, 2FA, orgs, admin, rate limiting, the edge cases — is the part that eats a week and that you'll redo on every project. Build it once, well, and reuse it.
CREA.MBA is that production setup, done: Better Auth with email/password + OAuth, 2FA (TOTP + backup codes), organizations with roles and invitations, an admin panel with impersonation and bans, rate limiting and centralized auth actions — all on Prisma + your own Postgres. You start from the production checklist above already ticked, not from a login form.