ObjectStack

Auth Config

Auth Config protocol schemas

Better-Auth Configuration Protocol

Defines the configuration required to initialize the Better-Auth kernel.

Used in server-side configuration injection.

Source: packages/spec/src/system/auth-config.zod.ts

TypeScript Usage

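```typescript
// Import the runtime schemas. Importing the same names a second time with
// `import type` in one file is a duplicate-identifier error, so use
// `import type { ... }` instead of this line only when you need the types alone.
import { AdvancedAuthConfig, AuthConfig, AuthPluginConfig, AuthProviderConfig, EmailAndPasswordConfig, EmailVerificationConfig, MutualTLSConfig, SocialProviderConfig } from '@objectstack/spec/system';

// Constructed sample input; in practice this is the untrusted config object.
const data: unknown = { useSecureCookies: true, cookiePrefix: 'app' };

// Validate data (parse() throws if the input does not match the schema)
const result = AdvancedAuthConfig.parse(data);
```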

AdvancedAuthConfig

Advanced / low-level Better-Auth options

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| crossSubDomainCookies | Object | optional | Share auth cookies across subdomains (critical for *.example.com multi-tenant) |
| useSecureCookies | boolean | optional | Force Secure flag on cookies |
| disableCSRFCheck | boolean | optional | ⚠ Disable CSRF check — security risk, use with caution |
| cookiePrefix | string | optional | Prefix for auth cookie names |

AuthConfig

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| secret | string | optional | Encryption secret |
| baseUrl | string | optional | Base URL for auth routes |
| databaseUrl | string | optional | Database connection string |
| providers | Object[] | optional | |
| plugins | Object | optional | |
| session | Object | optional | |
| trustedOrigins | string[] | optional | Trusted origins for CSRF protection. Supports wildcards (e.g. "https://*.example.com"). The baseUrl origin is always trusted implicitly. |
| socialProviders | Record<string, Record<string, any>> | optional | Social/OAuth provider map forwarded to better-auth socialProviders. Keys are provider ids (google, github, apple, …). |
| emailAndPassword | Object | optional | Email and password authentication options forwarded to better-auth |
| emailVerification | Object | optional | Email verification options forwarded to better-auth |
| advanced | Object | optional | Advanced / low-level Better-Auth options |
| mutualTls | Object | optional | Mutual TLS (mTLS) configuration |

AuthPluginConfig

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| organization | boolean | | Enable Organization/Teams support |
| twoFactor | boolean | | Enable 2FA |
| passkeys | boolean | | Enable Passkey support |
| magicLink | boolean | | Enable Magic Link login |

AuthProviderConfig

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | | Provider ID (github, google) |
| clientId | string | | OAuth Client ID |
| clientSecret | string | | OAuth Client Secret |
| scope | string[] | optional | Requested permissions |

EmailAndPasswordConfig

Email and password authentication options forwarded to better-auth

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| enabled | boolean | | Enable email/password auth |
| disableSignUp | boolean | optional | Disable new user registration via email/password |
| requireEmailVerification | boolean | optional | Require email verification before creating a session |
| minPasswordLength | number | optional | Minimum password length (default 8) |
| maxPasswordLength | number | optional | Maximum password length (default 128) |
| resetPasswordTokenExpiresIn | number | optional | Reset-password token TTL in seconds (default 3600) |
| autoSignIn | boolean | optional | Auto sign-in after sign-up (default true) |
| revokeSessionsOnPasswordReset | boolean | optional | Revoke all other sessions on password reset |
EmailVerificationConfig

Email verification options forwarded to better-auth

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| sendOnSignUp | boolean | optional | Automatically send verification email after sign-up |
| sendOnSignIn | boolean | optional | Send verification email on sign-in when not yet verified |
| autoSignInAfterVerification | boolean | optional | Auto sign-in the user after email verification |
| expiresIn | number | optional | Verification token TTL in seconds (default 3600) |

MutualTLSConfig

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| enabled | boolean | | Enable mutual TLS authentication |
| clientCertRequired | boolean | | Require client certificates for all connections |
| trustedCAs | string[] | | PEM-encoded CA certificates or file paths |
| crlUrl | string | optional | Certificate Revocation List (CRL) URL |
| ocspUrl | string | optional | Online Certificate Status Protocol (OCSP) URL |
| certificateValidation | `Enum<'strict' \| 'relaxed' \| 'none'>` | | Certificate validation strictness level |
| allowedCNs | string[] | optional | Allowed Common Names (CN) on client certificates |
| allowedOUs | string[] | optional | Allowed Organizational Units (OU) on client certificates |
| pinning | Object | optional | Certificate pinning configuration |
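
A pre-deployment check over the riskier settings documented on this page, as an added example that is not ObjectStack's or Better-Auth's own code. `AuthConfigSubset` and `auditAuthConfig` are hypothetical names, the interface is a hand-written subset of the documented fields, and the wildcard and password-length rules are review heuristics rather than library behaviour.

```typescript
// Added example: local subset of the fields documented on this page (an
// assumption; the real Zod schemas live in @objectstack/spec/system).
interface AuthConfigSubset {
  baseUrl?: string;
  trustedOrigins?: string[];
  advanced?: { useSecureCookies?: boolean; disableCSRFCheck?: boolean };
  emailAndPassword?: { enabled: boolean; minPasswordLength?: number };
  mutualTls?: {
    enabled: boolean; trustedCAs: string[]; crlUrl?: string; ocspUrl?: string;
    certificateValidation: "strict" | "relaxed" | "none";
  };
}

// Hypothetical reviewer helper: returns one finding per risky setting.
function auditAuthConfig(cfg: AuthConfigSubset): string[] {
  const findings: string[] = [];
  const adv = cfg.advanced ?? {};
  if (adv.disableCSRFCheck === true) findings.push("advanced.disableCSRFCheck: CSRF check is disabled");
  if (cfg.baseUrl?.startsWith("https://") && adv.useSecureCookies === false)
    findings.push("advanced.useSecureCookies: explicitly false on an https baseUrl");
  for (const origin of cfg.trustedOrigins ?? []) {
    const m = /^(https?):\/\/([^/:]+)/.exec(origin);
    if (!m) { findings.push(`trustedOrigins: unparseable entry "${origin}"`); continue; }
    if (m[1] === "http") findings.push(`trustedOrigins: plaintext origin "${origin}"`);
    // Heuristic: a wildcard must lead a registrable domain, not a bare TLD.
    if (m[2].includes("*") && !/^\*\.[^.*]+(\.[^.*]+)+$/.test(m[2]))
      findings.push(`trustedOrigins: wildcard must look like *.domain.tld, got "${origin}"`);
  }
  const pw = cfg.emailAndPassword;
  if (pw?.enabled && (pw.minPasswordLength ?? 8) < 8)
    findings.push("emailAndPassword.minPasswordLength: below the documented default of 8");
  const tls = cfg.mutualTls;
  if (tls?.enabled) {
    if (tls.certificateValidation !== "strict")
      findings.push(`mutualTls.certificateValidation: "${tls.certificateValidation}" is not strict`);
    if (tls.trustedCAs.length === 0) findings.push("mutualTls.trustedCAs: no CA configured");
    if (!tls.crlUrl && !tls.ocspUrl) findings.push("mutualTls: no CRL or OCSP revocation source");
  }
  return findings;
}

// Constructed sample input, not taken from any real deployment.
const sampleConfig: AuthConfigSubset = {
  baseUrl: "https://auth.example.com",
  trustedOrigins: ["https://*.example.com", "http://localhost:3000", "https://*.com"],
  advanced: { disableCSRFCheck: true, useSecureCookies: false },
  emailAndPassword: { enabled: true, minPasswordLength: 6 },
  mutualTls: { enabled: true, trustedCAs: [], certificateValidation: "relaxed" },
};
```

Run it against the object you are about to pass to `AuthConfig.parse`; an empty result means none of these checks fired, not that the configuration is safe.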

