
# Authentication

> The Builder Box uses BetterAuth for handling authentication, providing a robust and secure authentication system with multiple sign-in methods and seamless integration with payment providers.

> **Note:** The setup guides below explain how we configured the boilerplate. You don't need to perform these steps yourself.

## Features

* 🔐 Multiple Authentication Methods
  * Email & Password
  * Social Providers (Google)
  * Email Verification
  * Password Reset Flow
* 💳 Payment Integration (Stripe & Polar.sh)
* 🛡️ Protected Routes
* 🔒 Session Management

## Quick Start

1. Set up environment variables in the `.env` file in `apps/server`:

```env
# Auth Configuration
AUTH_SECRET="your-auth-secret"
CORS_ORIGIN="http://localhost:3001"

# OAuth Providers
GOOGLE_CLIENT_ID="your-google-client-id"
GOOGLE_CLIENT_SECRET="your-google-client-secret"

# Email (Resend)
RESEND_API_KEY="your-resend-api-key"
```

Then set up the `.env` file in `apps/web`:

```env
NEXT_PUBLIC_SERVER_URL=http://localhost:3000
NEXT_PUBLIC_APP_URL=http://localhost:3001
```

2. Install dependencies:

```bash
bun add better-auth @better-auth/stripe @polar-sh/better-auth
```

## Authentication Methods

### Email & Password

The boilerplate supports traditional email and password authentication with:

* Email verification
* Password reset flow
* Secure password hashing
* Rate limiting

[Learn more about Email & Password authentication](/auth/email-password)

### Social Providers

Currently supported social providers:

* Google OAuth
* More providers coming soon

[Learn more about Social authentication](/auth/social)

## Protected Routes

The boilerplate includes middleware for protecting routes:

```typescript
// middleware.ts
// Requests whose path matches one of these patterns run through the auth
// middleware. ":path*" matches zero or more trailing segments, so the bare
// prefix (e.g. "/dashboard") is protected as well as everything beneath it.
export const config = {
  matcher: [
    "/dashboard/:path*",
    "/settings/:path*",
    "/api/protected/:path*",
  ],
};
```

[Learn more about route protection](/auth/protected-routes)
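The following is an added example, not code from Builder Box or BetterAuth: it models the decisions a Next.js middleware makes for the `matcher` config above (pass, redirect to sign-in, or 401 for API paths) and the check the sign-in page must apply to `callbackUrl` afterwards. The `/sign-in` path, the `/api/` prefix convention and the `/dashboard` default landing page are assumptions.

```typescript
// Added example (not Builder Box code). The sign-in path, the "/api/" prefix
// and the "/dashboard" default are assumptions, not project settings.
const protectedMatcher = [
  "/dashboard/:path*",
  "/settings/:path*",
  "/api/protected/:path*",
];

// Compile a Next.js-style matcher ("/dashboard/:path*") into a RegExp.
// ":name*" is zero or more trailing segments, so "/dashboard" itself matches.
function compileMatcher(pattern: string): RegExp {
  const source = pattern
    .split("/")
    .filter((seg) => seg.length > 0)
    .map((seg) =>
      /^:\w+\*$/.test(seg)
        ? "(?:/.*)?"
        : "/" + seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"),
    )
    .join("");
  return new RegExp(`^${source}/?$`);
}

const compiled = protectedMatcher.map(compileMatcher);

type RouteDecision =
  | { action: "next" }
  | { action: "unauthorized"; status: 401 }
  | { action: "redirect"; location: string };

// `hasSessionCookie` is only a presence check: it keeps anonymous users out
// cheaply at the edge, but each protected handler must still validate the
// session server-side, since a cookie can be present yet expired or forged.
function decideRoute(pathname: string, hasSessionCookie: boolean): RouteDecision {
  if (hasSessionCookie || !compiled.some((re) => re.test(pathname))) {
    return { action: "next" };
  }
  // API clients get a 401 rather than an HTML redirect.
  if (pathname.startsWith("/api/")) return { action: "unauthorized", status: 401 };
  return { action: "redirect", location: `/sign-in?callbackUrl=${encodeURIComponent(pathname)}` };
}

// After sign-in, follow callbackUrl only if it is a same-site relative path;
// "//evil.example", "https://..." or "/\evil" would turn it into an open redirect.
function safeCallbackUrl(raw: string | null): string {
  if (!raw || !raw.startsWith("/") || /^\/[\/\\]/.test(raw)) return "/dashboard";
  return raw;
}
```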

## Session Management

Sessions are managed securely with:

* Secure cookie storage
* Automatic session refresh
* Cross-subdomain support

[Learn more about session management](/auth/sessions)

## Integration with Payments

Authentication is integrated with payment providers:

* Polar.sh (primary)
* Stripe (fallback)
* Subscription management
* Customer portal

[Learn more about payment integration](/payments/overview)

## Security Best Practices

1. **Password Security**
   * Strong password hashing
   * Rate limiting
   * Password complexity requirements

2. **Session Security**
   * Secure session storage
   * Session timeout
   * CSRF protection
   * Secure cookies

3. **OAuth Security**
   * Token validation
   * State parameter
   * Secure client secrets

## Next Steps

* [Set up Email & Password auth](./auth/email-pass)
* [Set up Social auth](./auth/socials)
* [Configure protected routes](./auth/protected-routes)
* [Set up session management](./auth/sessions)
