Create Auth Skill

Skill for creating auth layers in TypeScript/JavaScript apps using Better Auth.

A guided authentication implementation toolkit built on the Better Auth framework for TypeScript and JavaScript apps. It walks you from an empty project (or an existing one with no auth) through server config, client setup, route handlers, database migrations, and feature plugins, so you ship secure login, sessions, and access control without reinventing OAuth, CSRF, or session handling.

$15 one-time
Prices include 20% VAT. · Forged on real agency work · one-time, no lock-in

  • Type: Skill
  • Category: Security
  • Delivery: Email · instant
  • License: One-time

Inside the run · no black box

See the actual work before you buy it.

Three starting points, three different builds: empty project, existing app, or migration from another auth system. A decision tree picks the branch, then config pairs, framework wiring and schema migrations follow through a security checklist.

  1. Starts at the decision tree, not at npm install: new empty project, existing project without auth, or migration from an existing auth system, because each branch has a different sequence and the migration branch starts with a gap audit.
  2. Installs the core plus only the scoped packages the case needs (passkey, sso, stripe, expo), then sets the env floor: a 32+ character secret, base URL and database connection.
  3. Creates the pair of config files: auth.ts on the server (database, email/password, social providers, plugins) and auth-client.ts with the import matched to the framework, React, Vue, Svelte, Solid or vanilla.
  4. Wires the route handler per framework from the mapping table: the catch-all route for Next.js App Router, hooks.server.ts for SvelteKit, app.all for Express, with the nextCookies plugin added when Server Components are in play.
  5. Runs the schema migration matched to the adapter: direct migrate for the built-in Kysely, or generate then prisma migrate / drizzle-kit push, and repeats it after every plugin addition.
  6. Finishes against the security checklist: trustedOrigins without wildcards, rate limits verified against a live Redis, OAuth callback URLs matching the provider dashboard, account linking behavior consciously chosen, CSRF never disabled.
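
The offline part of the checklist in step 6, together with the env floor from step 2, can be run as a pre-deploy check. This is an added example, not code from the skill or from Better Auth. Only trustedOrigins is named on this page; the other option keys, the environment variable names and the callback path are assumptions, and the live Redis rate-limit check is out of scope because it needs a running instance.

```javascript
// Added example: audit of a plain auth options object against the checklist.
// Only trustedOrigins is named on the page; every other key, env variable
// name and the callback path are assumptions of this sketch.
const CALLBACK_PATH = "/api/auth/callback/"; // assumed callback route prefix

function auditAuthConfig(config, env, registeredCallbacks) {
  const findings = [];

  // Env floor: 32+ character secret, base URL, database connection.
  if ((env.BETTER_AUTH_SECRET || "").length < 32) findings.push("secret-too-short");
  if (!env.BETTER_AUTH_URL) findings.push("base-url-missing");
  if (!env.DATABASE_URL) findings.push("database-url-missing");

  // trustedOrigins must be explicit origins, never patterns.
  for (const origin of config.trustedOrigins || []) {
    if (origin.includes("*")) findings.push(`wildcard-origin:${origin}`);
  }

  // CSRF protection must stay on (assumed key: advanced.disableCSRFCheck).
  if (config.advanced && config.advanced.disableCSRFCheck === true) {
    findings.push("csrf-disabled");
  }

  // Account linking should be an explicit decision, not an inherited default.
  const linking = config.account && config.account.accountLinking;
  if (!linking || typeof linking.enabled !== "boolean") {
    findings.push("account-linking-not-explicit");
  }

  // Each configured social provider needs the exact callback URL that was
  // registered in the provider dashboard (passed in by the operator).
  const base = (env.BETTER_AUTH_URL || "").replace(/\/+$/, "");
  for (const provider of Object.keys(config.socialProviders || {})) {
    const expected = `${base}${CALLBACK_PATH}${provider}`;
    if ((registeredCallbacks[provider] || "") !== expected) {
      findings.push(`callback-mismatch:${provider}`);
    }
  }
  return findings;
}

// Constructed sample input, not from any real deployment.
const sampleEnv = { BETTER_AUTH_SECRET: "short", BETTER_AUTH_URL: "https://app.example.com/", DATABASE_URL: "postgres://localhost/app" };
const sampleConfig = {
  trustedOrigins: ["https://app.example.com", "https://*.example.com"],
  advanced: { disableCSRFCheck: true },
  socialProviders: { github: {}, google: {} },
};
const sampleRegistered = { github: "https://app.example.com/api/auth/callback/github", google: "http://app.example.com/api/auth/callback/google" };
console.log(auditAuthConfig(sampleConfig, sampleEnv, sampleRegistered));
```

An empty result means the offline items pass; any finding should block the deploy until the config or the provider dashboard entry is corrected.
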
Use cases · what happens when you plug it in

One power source. 6 lines out.

  1. Adding email/password login to a fresh Next.js, Express, SvelteKit, or Hono app
  2. Wiring Google or GitHub OAuth with correct PKCE, redirect URIs, and trusted origins
  3. Layering two-factor (TOTP/OTP), passkeys, or enterprise SSO onto existing auth
  4. Choosing between session-based (Redis) and stateless JWT auth for your use case
  5. Running schema migrations across Prisma, Drizzle, Kysely, or raw SQL adapters
  6. Auditing an existing auth setup for security gaps before production
Benefits · what you walk away with

Yours to keep.

Your forge

  1. Ship a production-ready login flow in hours instead of weeks of trial and error
  2. Avoid the silent security holes (wildcard origins, disabled CSRF, weak secrets), which the built-in security checklist catches
  3. Pick the right session strategy with a clear understanding of the cross-device logout trade-off
  4. Reduce auth support tickets with friction-free flows and human-readable error messages

subscriptions expire · deeds don't

What's included · the full manifest

Everything in the box.

Decision tree for new project, migration, or add-to-existing scenarios

6 parts · one working system · ships instantly by email

Who it's for

This wasn't forged for everyone.

  • Not for you if you'd rather rent a tool than own one.
  • Not for you if you want someone else to run your stack.
  • Not for you if you're happy guessing.
Still here? Good.

Full-stack and backend developers who need to add or harden authentication in a TypeScript/JavaScript application.

then this was forged for you.

Works with

Universal by design: these run in any AI. Delivered in the open Agent Skills + MCP format (native in Claude); ChatGPT, Gemini, Cursor and Copilot adapt the same files their own way.

  • Claude: Native format
  • ChatGPT: Adapts via open standards
  • Gemini: Adapts via open standards
  • Cursor: Adapts via open standards
  • Copilot: Adapts via open standards
Questions · still in the air

Catch what's on your mind.

  1. Does this lock my app to Better Auth, or can I switch frameworks later?

    It builds on Better Auth, so your auth layer lives in your own codebase rather than a vendor's dashboard. If you later change your web framework, the same Better Auth core moves with you across Next.js, Express, SvelteKit, or Hono.

  2. OAuth usually breaks on redirect URIs and PKCE. How does this avoid those misconfigurations?

    It wires the redirect URIs, trusted origins, and PKCE flow as part of the guided setup, instead of leaving you to discover them through failed logins. You still register the app on Google or GitHub yourself, but the handshake config is laid out for you.

  3. Is this a hosted auth service I can offload to?

    No. It sets auth up inside your own app and database, so you run and own it, unlike a managed identity service. That keeps your user data in your hands but means uptime and key rotation are yours to handle.

  4. How is it delivered?

    By email right after purchase: ready to run, downloaded instantly, no setup wait.

  5. One-time or subscription?

    A one-time purchase; no subscription or hidden fees. VAT (20%) is included.

  6. Can I get a refund?

    As a digital product, it can’t be refunded once downloaded. That’s why we show exactly what’s inside and who it’s for, right here.