BA
Better Auth2w ago
shubhattin

how to use `auth.api` on other servers

I have currently made a single auth server and admin panel on users.xyz.com and using that server with authClient while using its URL (backend). This works fine for requests made from frontend directly directly to the auth backend. But when we need to authenticate the user on our backend (different from auth server), then how should we do it.
7 Replies
shubhattin
shubhattinOP2w ago
One way I am thinking of is to use the REST endpoints.
shubhattin
shubhattinOP2w ago
Like for auth.api.getSession we could use this.
No description
shubhattin
shubhattinOP2w ago
I am correct in my approach and is there a better and more typesafe way to do this
keytrap-x86
keytrap-x862w ago
You can use jwt plugin https://www.better-auth.com/docs/plugins/jwt
JWT | Better Auth
Authenticate users with JWT tokens in services that can't use the session
keytrap-x86
keytrap-x862w ago
Or bearer https://www.better-auth.com/docs/plugins/bearer
Bearer Token Authentication | Better Auth
Authenticate API requests using Bearer tokens instead of browser cookies
shubhattin
shubhattinOP2w ago
Could you also some advice on using one instance of better auth as the main auth server and then using it in multipple apps. like if my auth server is at users.xyz.com then how to use it effectively in app1.xyz.cm and so on.
shubhattin
shubhattinOP2w ago
Is this what I should be referring to https://www.better-auth.com/docs/concepts/cookies#cross-subdomain-cookies But it seems a little vague as to what exactly the trustedOrigins does I had to configure the hook myself in the end to have it work in localhost atleasr 
if (event.url.pathname.startsWith('/api')) {
    // Required for CORS to work
    if (event.request.method === 'OPTIONS') {
      return new Response(null, {
        headers: {
          'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
          'Access-Control-Allow-Origin': 'http://localhost:5173',
          // Explicitly list content-type and other common headers
          'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Requested-With',
          'Access-Control-Allow-Credentials': 'true'
        }
      });
    }
  }
  const res: Response = await svelteKitHandler({ event, resolve, auth });
  if (event.url.pathname.startsWith('/api')) {
    res.headers.append('Access-Control-Allow-Origin', `http://localhost:5173`);
    res.headers.append('Access-Control-Allow-Credentials', 'true');
  }
  return res;
if (event.url.pathname.startsWith('/api')) {
    // Required for CORS to work
    if (event.request.method === 'OPTIONS') {
      return new Response(null, {
        headers: {
          'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
          'Access-Control-Allow-Origin': 'http://localhost:5173',
          // Explicitly list content-type and other common headers
          'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Requested-With',
          'Access-Control-Allow-Credentials': 'true'
        }
      });
    }
  }
  const res: Response = await svelteKitHandler({ event, resolve, auth });
  if (event.url.pathname.startsWith('/api')) {
    res.headers.append('Access-Control-Allow-Origin', `http://localhost:5173`);
    res.headers.append('Access-Control-Allow-Credentials', 'true');
  }
  return res;
If my question is not please let me know
Cookies | Better Auth
Learn how cookies are used in Better Auth.

Did you find this page helpful?