The auth layer for your personal stack. Deploy once, every app you build shares the same users.
Live demo: accounts.ruixen.app · client app: vibe.ruixen.app
- One deploy, every app — spin up a new project and it already has users on day one
- Your data, your DB — lives in your own Neon Postgres, no monthly auth bill, no vendor lock-in
- Any backend that speaks JWT — Convex, Express, FastAPI, whatever. If it can verify a JWT against a JWKS endpoint, it works
- Admin dashboard included — manage users, sessions, and API keys across your whole portfolio from one UI
Not a fit if you need:
- Stripe / billing integration
- Enterprise SSO (SAML, LDAP)
- SOC2 or HIPAA compliance
- Scaling beyond ~10k users
- A team managing auth (this is single-operator infra)
```
┌─────────────┐             ┌──────────────────────┐
│ App A       │──── JWT ──► │                      │
│ App B       │──── JWT ──► │  VibeAuth            │  ← one Vercel deploy
│ App C...    │──── JWT ──► │  accounts.you.com    │    your Neon DB
└─────────────┘             │                      │
                            └──────────────────────┘
                             one dashboard, all users
```
A server-side relay on VibeAuth handles cross-domain sign-in: the user authenticates once and gets a signed JWT appended to the redirect URL. Client apps store the JWT and pass it to their backend on every request.
- GitHub + Google OAuth — social sign-in out of the box
- Email OTP — passwordless sign-in via Resend, no passwords
- Admin dashboard — manage users, sessions, API keys with a polished UI
- JWT + JWKS — issue signed JWTs for client app verification
- Silent SSO relay — already signed in? Client apps get a token automatically, no second login
- Setup wizard — configure everything from the browser, no code or CLI needed
- Cross-subdomain sessions — one login works across all your subdomains
- DB-backed config — OAuth credentials and settings stored encrypted in Postgres
- Rate-limited OTP — built-in protection against email spam
- One required env var — just `DATABASE_URL`. Everything else is configured in the UI
- Click Deploy — Vercel will prompt you to connect a Neon Postgres database (free tier works)
- Set `BETTER_AUTH_URL` to your deployment URL — required for OAuth. You can skip and add it later
- Deploy — database tables are created automatically on first request
- Visit your deployment — the setup wizard walks you through OAuth and email config
- Sign in — the first account automatically becomes admin
OAuth callback URLs: When setting up GitHub or Google OAuth apps, set the callback to `https://your-deployment-url/api/auth/callback/github` (or
VibeAuth issues signed JWTs that any client app can verify. After deploying, go to Admin → Integration to find your endpoints:
| Endpoint | Description |
|---|---|
| `BETTER_AUTH_URL` | Base URL — set as `VIBE_AUTH_URL` in your client app |
| `BETTER_AUTH_URL/api/auth/jwks` | Public JWKS — point your backend here to verify tokens |
| `BETTER_AUTH_URL/api/relay?redirect=<url>` | Sign-in relay — redirect users here to sign in and get a JWT |
For Next.js + Convex, use vibe_client — a ready-made template pre-wired to VibeAuth. Clone it, set two env vars, done.
For any other backend: verify the JWT against the JWKS endpoint. The sub claim is the user's ID and is consistent across all your apps.
Once you've pointed a domain (e.g. accounts.yourdomain.com) to your deployment, go to Admin → Settings and set:
- Cookie Domain — `.yourdomain.com` (enables cross-subdomain sessions)
- Trusted Origins — any other apps on your domain that will receive JWTs via the relay
```bash
git clone https://github.com/gitcoder89431/vibe_auth
cd vibe_auth
pnpm install
```

Create `.env.local`:

```bash
DATABASE_URL=your_neon_connection_string
BETTER_AUTH_URL=http://localhost:3000
```

```bash
pnpm dev
```

Open http://localhost:3000 — the setup wizard will guide you through the rest.
| Variable | Required | Description |
|---|---|---|
| `DATABASE_URL` | Yes | Neon (or any Postgres) connection string |
| `BETTER_AUTH_URL` | OAuth + JWT | Full URL of your deployment (e.g. https://accounts.yourdomain.com) |
| `BETTER_AUTH_SECRET` | No | Auto-generated on first boot if not set |
All other configuration (OAuth credentials, Resend API key, app name, cookie domain, trusted origins) is managed through the setup wizard and admin UI — no redeploys needed.
- v0.1 — core auth, admin dashboard, JWT hub, cross-domain relay, silent SSO
- v0.2 — TOTP/2FA (#13), passkeys (#14), audit log (#16)
- v0.3 — portfolio analytics — one dashboard across all your apps (#18)
- Next.js 16 — App Router, server components, server actions
- BetterAuth — auth engine (sessions, OAuth, API keys, JWT)
- Neon — serverless Postgres
- Drizzle ORM — type-safe schema and migrations
- Resend — transactional email for OTP delivery
- Tailwind CSS + shadcn/ui
See CONTRIBUTING.md. Security issues: see SECURITY.md.