Requirements
- A Postgres database dedicated to Better Auth session/account data.
- A deployed Overlay web origin, for example
https://overlay.example.com. - An OIDC application in the customer’s IdP. Direct Google Workspace is the recommended first private-deployment flow.
- Matching Convex environment variables for Better Auth JWT verification only when Convex is enabled. Postgres-only deployments do not need a Convex client or Convex credentials.
OVERLAY_DATABASE_URL for app records and BETTER_AUTH_DATABASE_URL only for Better Auth state.
Environment
Set these on the Next.js/Overlay web runtime:http://localhost:3000 consistently for BETTER_AUTH_URL, BETTER_AUTH_JWT_ISSUER, BETTER_AUTH_JWT_AUDIENCE, BETTER_AUTH_JWKS_URL, and trusted origins.
IdP Callback URLs
Register these URLs in the OIDC app:BETTER_AUTH_CONNECTION_ID.
Also register the app origin as an allowed web origin:
- Google Workspace
- Auth0
- Generic OIDC for Cognito, Okta, and Keycloak
Migrations
Run migrations before starting production traffic:Convex Verification
Convex verifies the short-lived Better Auth JWTs using the JWKS URL:Smoke Checklist
After configuration:/api/better-auth/jwksreturns JWKS./api/auth/optionsexposes only the configured connection IDs and labels./api/auth/sso/workspace?redirect=%2Fapp%2Fchatredirects into the configured Better Auth SSO provider.- The SSO callback creates a Better Auth session cookie.
/api/auth/sessionreturnsauthenticated: true./api/auth/convex-tokenreturns a JWT.- Convex-backed app APIs accept the JWT.
- Sign out clears the Better Auth session.
- Account deletion removes Better Auth rows and does not merge with hosted WorkOS accounts.