Auth
Better Auth on Cloudflare — authentication, sessions, organizations, and plugins for your Quickback API.
Quickback Stack uses Better Auth for authentication, running on Cloudflare Workers with D1 as the session store.
Overview
Better Auth provides:
- Email/password authentication
- Session management with cookies
- Multi-tenant organizations with roles
- Plugin ecosystem for passwordless auth, passkeys, and more
Configuration
Auth is configured in your quickback.config.ts:
import { defineAuth, defineConfig, defineRuntime, defineDatabase } from "@quickback/compiler";
export default defineConfig({
name: "my-app",
providers: {
runtime: defineRuntime("cloudflare"),
database: defineDatabase("cloudflare-d1"),
auth: defineAuth("better-auth", {
emailAndPassword: { enabled: true },
plugins: ["emailOtp", "passkey", "magicLink"],
}),
},
});Auth Base Path
All Better Auth routes are served under:
/auth/v1/*Common endpoints:
POST /auth/v1/sign-in/email— Email/password sign inPOST /auth/v1/sign-up/email— Create accountGET /auth/v1/get-session— Get current sessionPOST /auth/v1/sign-out— Sign out
Organization Roles
| Role | Description |
|---|---|
owner | Full access — can delete the organization and transfer ownership |
admin | Full access — can manage members and resources, cannot delete the organization |
member | Standard access — read and limited write, cannot delete or manage members |
These are Better Auth's built-in organization roles — no configuration needed. The creatorRole defaults to owner.
Tip: Account UI's role picker uses these exact three roles. Use
["owner", "admin", "member"]in your Access rules so generated projects plug into Better Auth and Account UI seamlessly.
Roles are used throughout the security layers — in Access rules, Firewall owner checks, and RLS policies.