Authentication

Built-in authentication system powered by better-auth, supporting email/password login, OAuth providers, email verification, and captcha protection

VibeAny uses better-auth as its authentication framework, with session data stored in PostgreSQL. Authentication is optional — if DATABASE_URL and BETTER_AUTH_SECRET are not configured, the app runs in static mode without user login.

Prerequisites

Before setting up authentication, make sure you have:

  1. A PostgreSQL database — see Database for setup instructions
  2. An email service — required for email verification (Resend recommended, see Environment Variables)

Quick Start

Set Auth Secret

Add to .env:

BETTER_AUTH_SECRET=your-secret-key

You can generate one on the better-auth website.

Configure Database

Make sure DATABASE_URL is set in .env:

DATABASE_URL="postgresql://user:password@host:port/database"

Configure Email Service

Email verification is disabled by default. Configure an email provider so users can verify their accounts:

EMAIL_VERIFICATION_ENABLED=false
EMAIL_PROVIDER=resend
EMAIL_FROM="YourApp <[email protected]>"
RESEND_API_KEY=re_xxx

Or configure a custom SMTP server:

EMAIL_PROVIDER=custom
EMAIL_FROM="YourApp <[email protected]>"
EMAIL_HOST=smtp.example.com
EMAIL_ADDRESS=[email protected]
EMAIL_USER=your-username
EMAIL_PASSWORD=your-password

Run Migrations

Generate and apply the database schema:

pnpm db:generate
pnpm db:migrate

Verify

Start the dev server and visit the login page. You should see the email/password sign-up form.

Email/Password Authentication

Email/password login is enabled by default. The flow works as follows:

  1. User signs up with email and password
  2. A verification email is sent automatically
  3. User clicks the verification link
  4. Account is verified and the user is signed in automatically

Note

Email verification is required — users cannot sign in until they verify their email address.

OAuth Providers

VibeAny supports GitHub and Google as OAuth providers. They are automatically enabled when the corresponding environment variables are set.

GitHub

Create OAuth App

Go to GitHub Developer Settings → OAuth Apps → New OAuth App.

Set the callback URL to:

https://your-domain.com/api/auth/callback/github

For local development:

http://localhost:3377/api/auth/callback/github

Configure Environment Variables

Copy the Client ID and Client Secret to .env:

GITHUB_CLIENT_ID=your-client-id
GITHUB_CLIENT_SECRET=your-client-secret

Google

Create OAuth Credentials

Go to Google Cloud Console → Create Credentials → OAuth client ID.

Select Web application as the application type. Add the authorized redirect URI:

https://your-domain.com/api/auth/callback/google

For local development:

http://localhost:3377/api/auth/callback/google

Configure Environment Variables

Copy the Client ID and Client Secret to .env:

GOOGLE_CLIENT_ID=your-client-id
GOOGLE_CLIENT_SECRET=your-client-secret

Note

OAuth providers are optional. The login page automatically shows the corresponding OAuth buttons only when the environment variables are configured.

Captcha Protection

VibeAny supports Cloudflare Turnstile to protect sign-in, sign-up, and OAuth flows from bots.

Create Turnstile Widget

Go to the Cloudflare Dashboard → Turnstile → Add Widget. Add your domain and get the Site Key and Secret Key.

Configure Environment Variables

VITE_TURNSTILE_CAPTCHA_ENABLED=true
VITE_TURNSTILE_SITE_KEY=0x4xxx
TURNSTILE_SECRET_KEY=0x4xxx

Admin Access

Admin users have access to the admin panel for managing users, payments, credits, and configuration.

To grant admin access, add the user's email to the ADMIN_EMAILS environment variable. Multiple emails are separated by commas.

Configuration Reference

| Environment Variable | Required | Description |
| --- | --- | --- |
| BETTER_AUTH_SECRET | Yes | Auth secret key for encryption |
| DATABASE_URL | Yes | PostgreSQL connection URL |
| ADMIN_EMAILS | No | Comma-separated admin email addresses |
| GITHUB_CLIENT_ID | No | GitHub OAuth Client ID |
| GITHUB_CLIENT_SECRET | No | GitHub OAuth Client Secret |
| GOOGLE_CLIENT_ID | No | Google OAuth Client ID |
| GOOGLE_CLIENT_SECRET | No | Google OAuth Client Secret |
| VITE_TURNSTILE_CAPTCHA_ENABLED | No | Enable Turnstile captcha (true/false) |
| VITE_TURNSTILE_SITE_KEY | No | Turnstile Site Key |
| TURNSTILE_SECRET_KEY | No | Turnstile Secret Key |
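
A startup check over the variables listed in this reference, as an added example rather than VibeAny or better-auth code: it flags placeholder values, half-configured OAuth pairs, and secrets placed under the VITE_ prefix, which Vite exposes to client code. The function names, the 32-character minimum and the placeholder list are assumptions.

```javascript
// Added example, not VibeAny's code. auditAuthEnv, parseAdminEmails, MIN_SECRET_LENGTH
// (32) and the PLACEHOLDERS list are assumptions made for this illustration.
const MIN_SECRET_LENGTH = 32;
const PLACEHOLDERS = ['your-secret-key', 'your-client-id', 'your-client-secret', 're_xxx', '0x4xxx', 'your-password'];
const OAUTH_PAIRS = [['GITHUB_CLIENT_ID', 'GITHUB_CLIENT_SECRET'], ['GOOGLE_CLIENT_ID', 'GOOGLE_CLIENT_SECRET']];

// ADMIN_EMAILS is comma-separated; trimming and lower-casing is this example's choice.
function parseAdminEmails(raw) {
  return (raw || '').split(',').map((e) => e.trim().toLowerCase()).filter(Boolean);
}

function auditAuthEnv(env) {
  const problems = [];
  const isSet = (k) => typeof env[k] === 'string' && env[k].trim() !== '';
  // Per the page: without both of these the app runs in static mode, with no login.
  const authOn = isSet('DATABASE_URL') && isSet('BETTER_AUTH_SECRET');
  if (isSet('DATABASE_URL') !== isSet('BETTER_AUTH_SECRET'))
    problems.push('DATABASE_URL and BETTER_AUTH_SECRET must be set together');
  if (isSet('BETTER_AUTH_SECRET') && env.BETTER_AUTH_SECRET.length < MIN_SECRET_LENGTH)
    problems.push(`BETTER_AUTH_SECRET is shorter than ${MIN_SECRET_LENGTH} characters`);
  for (const [key, value] of Object.entries(env)) {
    if (PLACEHOLDERS.includes(value)) problems.push(`${key} still holds a documentation placeholder`);
    // Vite exposes VITE_-prefixed variables to client code, so no secret may use the prefix.
    if (key.startsWith('VITE_') && /SECRET|PASSWORD|API_KEY/.test(key))
      problems.push(`${key} would be shipped to the browser; remove the VITE_ prefix`);
  }
  for (const [id, secret] of OAUTH_PAIRS)
    if (isSet(id) !== isSet(secret)) problems.push(`${id} and ${secret} must be set together`);
  if (env.VITE_TURNSTILE_CAPTCHA_ENABLED === 'true' &&
      !(isSet('VITE_TURNSTILE_SITE_KEY') && isSet('TURNSTILE_SECRET_KEY')))
    problems.push('Turnstile is enabled but the site key or secret key is missing');
  const admins = parseAdminEmails(env.ADMIN_EMAILS);
  for (const email of admins)
    if (!/^[^\s@,]+@[^\s@,]+\.[^\s@,]+$/.test(email)) problems.push(`ADMIN_EMAILS entry is not an address: ${email}`);
  if (!authOn && admins.length > 0) problems.push('ADMIN_EMAILS is set but authentication is off');
  return { authOn, admins, problems };
}

// Constructed sample: placeholder secret, half an OAuth pair, Turnstile secret under VITE_.
const sampleEnv = {
  DATABASE_URL: 'postgresql://user:password@host:5432/database',
  BETTER_AUTH_SECRET: 'your-secret-key',
  GOOGLE_CLIENT_ID: 'constructed-client-id',
  VITE_TURNSTILE_CAPTCHA_ENABLED: 'true',
  VITE_TURNSTILE_SITE_KEY: 'constructed-site-key',
  VITE_TURNSTILE_SECRET_KEY: 'constructed-secret',
};
for (const p of auditAuthEnv(sampleEnv).problems) console.log('config problem:', p);
```

Calling `auditAuthEnv(process.env)` before the server starts and refusing to boot on a non-empty `problems` list keeps a misnamed secret from reaching a production build.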

Database Tables

Authentication creates the following tables automatically:

| Table | Description |
| --- | --- |
| user | User profiles (name, email, avatar, etc.) |
| session | Active sessions with tokens and expiration |
| account | Linked auth providers (credentials, GitHub, Google) |
| verification | Email verification tokens |