Better Auth vs Clerk vs NextAuth 2026: Auth Guide
TL;DR
Better Auth is the new third option in Next.js authentication — more feature-complete than NextAuth, free like NextAuth, but easier to set up. It ships with built-in email/password, OAuth, magic links, two-factor auth, and passkeys out of the box. NextAuth v5 (Auth.js) is the established alternative with the larger ecosystem. Clerk is the managed option where you pay for convenience. Better Auth sits in the sweet spot: self-hosted (no vendor lock-in), batteries-included (no building auth UIs from scratch), and actively maintained.
Key Takeaways
- Better Auth: new (2024-2025), self-hosted, batteries-included, free, built-in 2FA/passkeys/organizations
- NextAuth v5: established, self-hosted, free, requires more manual setup, huge ecosystem
- Clerk: managed, paid ($0.02/MAU after 10K), fastest setup, best UX, organizations built-in
- Break-even: Clerk becomes expensive vs free options at ~5,000-10,000 active users
- Better Auth vs NextAuth: Better Auth wins on built-in features; NextAuth wins on ecosystem/maturity
- In boilerplates: T3 uses NextAuth, Supastarter uses Clerk, Better Auth gaining adoption in 2025+
Better Auth: The New Contender
npm install better-auth
Setup
// lib/auth.ts
import { betterAuth } from 'better-auth';
import { prismaAdapter } from 'better-auth/adapters/prisma';
import { twoFactor, passkey, organization, magicLink } from 'better-auth/plugins';
import { db } from './db';
export const auth = betterAuth({
database: prismaAdapter(db, {
provider: 'postgresql',
}),
emailAndPassword: {
enabled: true,
requireEmailVerification: true,
sendVerificationEmail: async ({ user, token }) => {
await sendVerificationEmail(user.email, token);
},
sendResetPassword: async ({ user, token }) => {
await sendPasswordResetEmail(user.email, token);
},
},
socialProviders: {
google: {
clientId: process.env.GOOGLE_CLIENT_ID!,
clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
},
github: {
clientId: process.env.GITHUB_CLIENT_ID!,
clientSecret: process.env.GITHUB_CLIENT_SECRET!,
},
},
plugins: [
twoFactor({
totpIssuer: 'My SaaS', // TOTP/authenticator app 2FA
}),
passkey(), // WebAuthn passkeys — zero config!
magicLink({
sendMagicLink: async ({ email, token }) => {
await sendMagicLinkEmail(email, token);
},
}),
organization({
// Multi-tenant organizations — built-in
}),
],
});
export type Session = typeof auth.$Infer.Session;
// app/api/auth/[...all]/route.ts
import { auth } from '@/lib/auth';
import { toNextJsHandler } from 'better-auth/next-js';
export const { GET, POST } = toNextJsHandler(auth);
Client Usage
// Client-side:
import { createAuthClient } from 'better-auth/react';
import { twoFactorClient, passkeyClient } from 'better-auth/client/plugins';
export const authClient = createAuthClient({
baseURL: process.env.NEXT_PUBLIC_APP_URL,
plugins: [twoFactorClient(), passkeyClient()],
});
export const { useSession, signIn, signOut, signUp } = authClient;
// Sign-in component:
export function SignIn() {
return (
<div>
{/* Email/password: */}
<button onClick={() => signIn.emailAndPassword({ email, password })}>
Sign In
</button>
{/* OAuth: */}
<button onClick={() => signIn.social({ provider: 'google', callbackURL: '/dashboard' })}>
Continue with Google
</button>
{/* Magic link: */}
<button onClick={() => signIn.magicLink({ email, callbackURL: '/dashboard' })}>
Send Magic Link
</button>
{/* Passkey: */}
<button onClick={() => signIn.passkey()}>
Sign in with Passkey
</button>
</div>
);
}
Feature Comparison
| Feature | Better Auth | NextAuth v5 | Clerk |
|---|---|---|---|
| Email/password | ✅ Built-in | ✅ Credentials | ✅ |
| OAuth | ✅ | ✅ | ✅ 30+ |
| Magic links | ✅ Plugin | ❌ (manual) | ✅ |
| Two-factor (TOTP) | ✅ Plugin | ❌ (manual) | ✅ |
| Passkeys | ✅ Plugin | ❌ | ✅ |
| Organizations | ✅ Plugin | ❌ (manual) | ✅ |
| Session management | ✅ | ✅ | ✅ |
| Pre-built UI | ❌ | ❌ | ✅ |
| Self-hosted | ✅ | ✅ | ❌ |
| Vendor lock-in | None | None | High |
| Price | Free | Free | Free to 10K MAU |
| Maturity | 2024/new | 2020/mature | 2022/mature |
When to Choose Each
Choose Better Auth if:
→ Self-hosted with more features than NextAuth
→ Need 2FA, passkeys, or magic links without building them
→ Starting a new project and want modern auth DX
→ Don't want vendor lock-in
Choose NextAuth v5 if:
→ Established codebase already using it
→ Prefer maximum ecosystem maturity
→ Using non-Prisma ORMs (more adapters available)
→ Team has existing NextAuth expertise
Choose Clerk if:
→ Speed is priority (30-minute setup vs 2-3 hours)
→ Building B2B SaaS needing organizations now
→ Budget is not a concern at current scale
→ Need the best pre-built auth UI
NextAuth v5 Setup Comparison
NextAuth v5 (Auth.js) requires more manual setup than Better Auth or Clerk:
// auth.ts — NextAuth v5 config
import NextAuth from 'next-auth';
import { PrismaAdapter } from '@auth/prisma-adapter';
import Credentials from 'next-auth/providers/credentials';
import GitHub from 'next-auth/providers/github';
import { prisma } from './lib/db';
import bcrypt from 'bcryptjs';
export const { handlers, auth, signIn, signOut } = NextAuth({
adapter: PrismaAdapter(prisma),
providers: [
GitHub,
Credentials({
credentials: { email: {}, password: {} },
authorize: async ({ email, password }) => {
const user = await prisma.user.findUnique({ where: { email: email as string } });
if (!user?.passwordHash) return null;
const valid = await bcrypt.compare(password as string, user.passwordHash);
return valid ? user : null;
},
}),
],
session: { strategy: 'jwt' }, // or 'database' for Prisma session storage
callbacks: {
session({ session, token }) {
session.user.id = token.sub!;
return session;
},
},
});
What's missing from NextAuth v5 out of the box: 2FA, passkeys, magic links, organizations, and email verification all require custom implementation. Better Auth ships these as plugins.
Clerk Setup: The Fastest Path
Clerk's setup is genuinely fast:
npm install @clerk/nextjs
// middleware.ts — Clerk protects routes automatically
import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';
const isProtectedRoute = createRouteMatcher(['/dashboard(.*)']);
export default clerkMiddleware((auth, req) => {
if (isProtectedRoute(req)) auth().protect();
});
// app/layout.tsx — wrap with ClerkProvider
import { ClerkProvider } from '@clerk/nextjs';
export default function RootLayout({ children }) {
return (
<ClerkProvider>
<html><body>{children}</body></html>
</ClerkProvider>
);
}
That's it. Pre-built <SignIn /> and <SignUp /> components, user management, organizations, and billing hooks all come pre-configured. Total setup time: 30-45 minutes vs 2-3 hours for Better Auth or NextAuth.
Cost Analysis at Scale
| Monthly Active Users | Better Auth (Free) | NextAuth (Free) | Clerk Cost |
|---|---|---|---|
| 0-10,000 | $0 | $0 | $0 |
| 25,000 | $0 | $0 | $300 |
| 50,000 | $0 | $0 | $800 |
| 100,000 | $0 | $0 | $1,800 |
Clerk's pricing ($0.02/MAU after 10,000) is manageable for early-stage products but becomes significant at scale. The break-even vs developer time is roughly 5,000-10,000 users: below that, Clerk's faster setup and better UX justify the eventual cost; above that, migrating to a self-hosted option becomes financially motivated.
Better Auth avoids this cliff entirely. The migration from Clerk to Better Auth is possible but not trivial — it requires migrating user credentials, sessions, and auth configuration.
Organizations: The B2B Feature
B2B SaaS products typically need multi-tenant organizations where multiple users share one subscription. All three options support this, with very different levels of effort:
Clerk: Organizations are built-in. Create an org, add members, check membership in middleware — one day of work.
Better Auth: Organizations via the organization() plugin. Well-documented and fully TypeScript-typed. Two to three days of work.
NextAuth: No built-in organization support. Build a custom organizations table, membership model, and access control from scratch. One week minimum.
For B2B SaaS launching in 2026, the organization support in Clerk and Better Auth is a concrete reason to choose one over plain NextAuth.
Which Boilerplates Use Which Auth
| Boilerplate | Auth Library |
|---|---|
| ShipFast | NextAuth v5 |
| Supastarter | Clerk |
| Makerkit | Supabase Auth or Clerk |
| T3 Stack | NextAuth |
| SaaSrock | Remix + custom session |
| Better T3 App | Better Auth |
Better Auth adoption is growing in 2025-2026 boilerplates. It's likely to be the default self-hosted choice within 12-18 months as the ecosystem matures.
Key Takeaways
- Better Auth is the best self-hosted option for new projects in 2026: more features than NextAuth, free like NextAuth, and actively maintained
- Clerk is worth its cost ($0.02/MAU after 10K) when the 30-minute setup saves a week of auth infrastructure work
- NextAuth v5 is the established choice for teams with existing codebases — migrating to Better Auth is possible but not free
- Organizations (multi-tenancy) are built into Clerk and Better Auth as plugins; NextAuth requires custom implementation
- The cost cliff for Clerk at ~10,000 MAU is real — plan for migration if you're building a high-volume consumer product
Migrating Between Auth Libraries
The auth library decision feels reversible, but it's not. The database schema, session model, OAuth callback URLs, and client-side hooks are all tied to your auth library choice. Plan to live with your decision for 12-18 months minimum.
The most common migration path: Clerk → Better Auth or NextAuth when Clerk costs become significant at scale. This migration requires:
- Exporting users from Clerk (available via their dashboard export)
- Creating users in your database with hashed passwords (if using email/password) or OAuth provider records
- Migrating active sessions (users will need to log in again during cutover)
- Updating environment variables, removing Clerk components, adding Better Auth/NextAuth components
- Redirecting OAuth providers' callback URLs to your new endpoints
The actual migration takes 1-2 weeks depending on how deeply Clerk components are embedded in your UI. For a new project, the migration cost is the reason to make the right choice upfront rather than optimizing for setup speed today.
Better Auth → NextAuth migration: Both use database sessions (with Prisma adapters). The primary change is the configuration file and client hooks. The database schema is similar enough that users can be migrated without requiring new logins.
Passkeys: The Auth Future
All three libraries support passkeys (WebAuthn) in 2026, but with different levels of effort:
- Clerk: Passkeys are a toggle in the dashboard. Users can add passkeys to their account with no code changes.
- Better Auth: The
passkey()plugin adds passkey support in ~10 lines of configuration. WebAuthn protocol complexity is handled by the library. - NextAuth v5: No built-in passkey support. Requires integrating a separate WebAuthn library (simplewebauthn) and writing custom registration/authentication flows.
Passkeys improve conversion on sign-in forms (biometric authentication is faster than password entry) and eliminate password-related support tickets. For consumer-facing products, the Better Auth or Clerk passkey implementations are worth the investment.
Organizations and Multi-Tenancy: The B2B Requirement
Most B2B SaaS products need organizations — a way for multiple team members to share access to the same account, with role-based permissions and billing at the organization level rather than the user level. This is where auth library choice has the most significant impact on development time.
Clerk handles organizations at the platform level. Create an organization, add members, assign roles — all through Clerk's dashboard or SDK without writing authorization code. The useOrganization() hook gives you current org context in any component.
Better Auth includes an organization() plugin:
// Better Auth organization plugin
import { organization } from 'better-auth/plugins';
export const auth = betterAuth({
plugins: [
organization({
allowUserToCreateOrganization: true,
organizationLimit: 3,
membershipLimit: 100,
}),
],
});
// Get current user's organization memberships
const { data: orgs } = useListOrganizations();
const { data: currentOrg } = useActiveOrganization();
NextAuth has no organization concept. You build it yourself: an organizations table, an organization_members table with a role column, middleware to check organization membership on protected routes, and client hooks to expose the current organization context. This is 2-4 days of correct implementation.
The practical implication: if your product needs organizations now or in the next 6 months, Better Auth and Clerk have a meaningful advantage over NextAuth. The organization data model is not trivial to retrofit onto an existing codebase after launch.
Two-Factor Authentication: Implementation Comparison
2FA is increasingly expected for B2B SaaS. Security-conscious teams require TOTP (authenticator app) support before onboarding. Clerk provides it out of the box. Better Auth ships a twoFactor() plugin. NextAuth requires integrating a third-party TOTP library and building the enrollment and verification UI yourself.
// Better Auth 2FA — enforcing 2FA for admin users
import { twoFactor } from 'better-auth/plugins';
const auth = betterAuth({
plugins: [
twoFactor({
issuer: 'YourSaaS',
skipVerificationOnEnable: false, // Require verification on setup
}),
],
});
// Check if user has 2FA enabled
const { data: session } = useSession();
if (session?.user.twoFactorEnabled) {
// User has 2FA, require TOTP on sensitive operations
}
For enterprise buyers requiring SOC 2 compliance, 2FA enforceability (admins can require all members to enable 2FA) is part of the security checklist. Better Auth's organization plugin includes an enforceTwoFactor option. Clerk provides the same through dashboard settings.
The Decision Framework: Which Auth Library to Use
The choice maps cleanly to product stage and requirements:
Pre-launch, B2C, speed is everything: Clerk. The 30-minute setup versus 2-3 hours for Better Auth is significant when you're validating an idea. The $0 cost for the first 10,000 MAU is free for most products at validation stage.
Pre-launch, B2B, need organizations now: Better Auth with the organization plugin, or Clerk. Both ship organizations out of the box. Avoid NextAuth unless you're willing to implement organizations yourself.
Existing NextAuth v4 codebase: Stay on NextAuth v5 unless you have a specific feature requirement (passkeys, organizations, 2FA enforcement) that NextAuth doesn't satisfy. Migration cost is real.
High-volume consumer product (>50K MAU expected): Better Auth. Clerk's pricing at 50,000 MAU is $800/month — that's a meaningful cost that Better Auth eliminates.
Enterprise B2B with compliance requirements: Better Auth (self-hosted, no third-party data processor) or Clerk Enterprise (dedicated instance). NextAuth is viable if you implement the compliance features yourself.
Better Auth's Plugin Architecture
Better Auth's plugin system is what makes it genuinely extensible rather than just feature-complete. Each capability is a discrete plugin that adds database tables, API endpoints, and client hooks without modifying the core auth configuration:
import { betterAuth } from 'better-auth';
import {
organization,
twoFactor,
passkey,
magicLink,
phoneNumber,
oneTap, // Google One Tap
admin, // Admin panel for user management
} from 'better-auth/plugins';
export const auth = betterAuth({
plugins: [
organization(),
twoFactor({ issuer: 'YourSaaS' }),
passkey(),
magicLink({ sendMagicLink: async ({ email, token }) => { /* ... */ } }),
admin({ adminEmails: ['admin@yoursaas.com'] }),
],
});
Each plugin you add extends the Prisma schema (run npx better-auth generate to update your schema after adding plugins), adds new API endpoints (automatically handled by the Better Auth route handler), and exports new client hooks. The admin plugin adds a /api/auth/admin/* endpoint for user management operations — listing users, banning accounts, impersonating users — without building a custom admin backend.
This composability is Better Auth's architectural advantage over NextAuth's monolithic configuration. NextAuth requires custom code for everything beyond the basics. Better Auth's plugin system means most requirements (2FA, passkeys, organizations, magic links) are solved problems you opt into rather than build yourself.
Email and SMS Verification Patterns
All three libraries support email verification, but the implementation quality varies.
Clerk handles email verification through hosted flows — the verification email is sent from Clerk's infrastructure, and the verification UI is Clerk's component. This is the fastest path but means Clerk controls the email deliverability, the branding, and the verification flow.
Better Auth's email verification sends through your configured email provider (Resend, Postmark, SendGrid). You control the template, the from address, and the sending infrastructure. The downside: you're responsible for deliverability — setting up DKIM, SPF, and monitoring bounce rates.
NextAuth doesn't include email verification out of the box. The sendVerificationRequest callback gives you a hook to send the email, but you build the verification token storage and validation logic yourself.
For most SaaS products, Better Auth's approach is the right balance: you control the email (critical for brand consistency and deliverability) without building the verification token logic from scratch. The tradeoff between Clerk's zero-setup email handling and Better Auth's developer-controlled email is the same tradeoff that appears in every managed-vs-self-hosted decision: setup speed now versus control and cost at scale. Better Auth's rapid release cadence in 2025 has addressed most of the early rough edges, making it the most compelling self-hosted option for teams who want modern authentication patterns without ongoing Clerk pricing exposure as monthly active users grow.
Better Auth's active development trajectory — major releases every few months — means the library is evolving faster than most alternatives. Monitor the changelog closely; features that require custom implementation today may ship as built-in modules in the next major version.
Find boilerplates using Better Auth, Clerk, and NextAuth in our authentication setup guide.
See our guide to multi-tenancy patterns for SaaS for the organization data model.
Compare full-stack boilerplates by their auth setup in our best open-source SaaS boilerplates guide.