Auth.js comparison - Edge runtimes, JWT sessions, and scaling.
I stumbled upon
better-auth while nearing completion of my auth.js integration. After perusing the docs and forums, I understand why better-auth is praised for it's ease of setup and community support (and confirm those as pain points with auth.js) . I could abandon my auth.js integration and work towards integrating better-auth, but I do see a missing feature that gives me pause. From both the docs and posts I've found on the topic, it's not clear that better-auth has a good answer to Auth.js's edge compatibility?
Specifically, Auth.js provides three strategies for you to store/fetch sessions and user data:
1. Database Only - Both session records and user data are stored in a database. Every authenticated request request requires a database fetch. This seems to be the only option in better-auth.
1. JWT Only - Everything is stored in a short lived, encrypted, JWT token. This is great for edge environments, but limiting. No record of user emails, no refreshing access tokens, etc. Not a viable solution for paywalled features, etc.
1. Split Config - User data, refresh tokens, etc, are stored in a database, but sessions are tracked using encrypted JWT tokens. Those tokens can be extended to include user's roles for role-based access control.
The final option seems ideal to me. Hitting a database for every request to verify sessions seems unnecessary. Seems like it will be both more costly and slower than the "split config" approach.
So, finally, a few questions: Did I miss something? Does better-auth offer JWT session tracking? From what I saw, the answer was definitively no. If not, are there good reasons for that I'm not understanding? Is better-auth being used by anyone at scale (millions of MAU's) on edge runtimes? If so, how is the experience?4 Replies
I wouldn't recommend you using auth.js at all
I hate this library so much. I wasted a lot of time on it
Better-auth has way more features (plugins), better structure
As far as I know, there is no support for JWT as auth.js provides. The only thing that comes to my mind is cookie cache, it allows you to cache the session not to make a request every time you need it
I can understand the frustration with
auth.js, documentation is sparse and it's hard to get a response on issue's / PR's.
Still, now that I understand it, I am tempted to just run with it. Especially since we're pretty price sensitive.You're hosting your app where every request coast money, right? Serverless I mean
Correct, serverless