Skip to main content

WorkOS

WorkOS remains the hosted Overlay authentication backend. It owns hosted browser login, session refresh, and AuthKit connections.
Use WorkOS for the hosted SaaS profile. Do not put WorkOS credentials in a Better Auth private deployment unless a separately enabled feature explicitly requires them.

Better Auth

Better Auth is the recommended private web-session backend. It runs inside the Overlay Next.js application and stores auth-scoped users, accounts, sessions, verification records, SSO provider metadata, and signing keys in Postgres.
BETTER_AUTH_DATABASE_URL is auth state. OVERLAY_DATABASE_URL is application data. They may use separate databases on one PostgreSQL cluster, but they must remain separately named and independently migratable. Better Auth delegates login to one or more configured OIDC connections. A canonical connection has a stable internal ID, preset, permitted domains, and credentials:
The connection ID is deployment-defined. It appears only in Overlay callback routing; do not encode a customer name in a reusable default.

OIDC bearer verifier

AUTH_PROVIDER=oidc verifies an existing bearer/access token using issuer discovery and JWKS. It is useful for service clients and deployments where another component already owns the browser session. It does not provide Overlay’s browser sign-in, callback, session-cookie, or account-management flow. Use Better Auth when Overlay must own those flows.

Session contract

All supported browser backends map to the same Overlay user/session shape:
Application services must consume this normalized contract instead of importing WorkOS, Better Auth, or provider SDKs directly.