Agent Skills: Authentication Best Practices

Read sessions client- and server-side, guard routes, and run sign in/up/out with Better Auth. Use when gating pages/APIs on auth or wiring auth flows.

UncategorizedID: andrelandgraf/fullstackrecipes/authentication-best-practices

Install this agent skill to your local

pnpm dlx add-skill https://github.com/andrelandgraf/fullstackrecipes/tree/HEAD/templates/fullstackrecipe/.agents/skills/authentication-best-practices

Skill Files

Browse the full folder contents for authentication-best-practices.

Download Skill

Loading file tree…

templates/fullstackrecipe/.agents/skills/authentication-best-practices/SKILL.md

Skill Metadata

Name
authentication-best-practices
Description
Read sessions client- and server-side, guard routes, and run sign in/up/out with Better Auth. Use when gating pages/APIs on auth or wiring auth flows.

Authentication Best Practices

Read sessions, protect routes, and run sign in/up/out with Better Auth.

Prerequisites

Complete these setup recipes first:

  • Better Auth Setup

Client-Side Sessions

Use the auth client hooks from @/lib/auth/client in client components.

"use client";

import { useSession, signOut } from "@/lib/auth/client";

export function UserMenu() {
  const { data: session, isPending } = useSession();

  if (isPending) return <div>Loading...</div>;
  if (!session) return <a href="/sign-in">Sign In</a>;

  return (
    <div>
      <span>{session.user.name}</span>
      <button onClick={() => signOut()}>Sign Out</button>
    </div>
  );
}

Server-Side Sessions

In Server Components and API routes, call auth.api.getSession with the request headers.

import { auth } from "@/lib/auth/server";
import { headers } from "next/headers";

const session = await auth.api.getSession({ headers: await headers() });

if (!session) {
  return new Response("Unauthorized", { status: 401 });
}

// session.user.id for queries...

Guarding Routes

Redirect unauthenticated users away from protected pages, and authenticated users away from auth pages.

import { redirect } from "next/navigation";
import { headers } from "next/headers";
import { auth } from "@/lib/auth/server";

export default async function ProtectedPage() {
  const session = await auth.api.getSession({ headers: await headers() });
  if (!session) redirect("/sign-in");
  return <Dashboard user={session.user} />;
}

export default async function SignInPage() {
  const session = await auth.api.getSession({ headers: await headers() });
  if (session) redirect("/chats");
  return <SignIn />;
}

After validating the session, fetch user-specific data in parallel.

const [chats, profile] = await Promise.all([
  getUserChats(session.user.id),
  getUserProfile(session.user.id),
]);

Sign In / Up / Out

import { signIn, signUp, signOut } from "@/lib/auth/client";

await signIn.email({ email, password, callbackURL: "/chats" });
await signIn.social({ provider: "google", callbackURL: "/chats" });

await signUp.email({ email, password, name, callbackURL: "/verify-email" });

await signOut({
  fetchOptions: { onSuccess: () => router.push("/") },
});

References