Identity & Access
Better Auth for single- and multi-tenant auth, RBAC, workspace and team management, and an admin panel, with usage tracking and tenant isolation.
What this system covers
Multi-tenant auth
Better Auth: tenant-scoped sign-in, sessions, email/password, OAuth, magic links. Clear isolation per tenant.
Roles & permissions
RBAC and permission checks so you can model admin, member, viewer, etc. Complete flow implementation.
Tenant isolation
Data and APIs are scoped by tenant so one customer never sees another's. Default billing limits and data retention rules.
Workspace & team management
Workspaces and teams with invite flows and roles per workspace. Tenant-scoped so teams stay isolated.
Admin panel
Admin UI for user and tenant management. Impersonation and oversight without crossing tenant boundaries.
Usage tracking
Usage events are tracked for billing enforcement. Credit system and limits integrate with Revenue & Billing.
Decisions & trade-offs
We chose Better Auth because we wanted a single stack that supports both single- and multi-tenant auth out of the box, with sessions and RBAC built in. Auth is the foundation for tenant isolation and billing enforcement, so we prioritized clarity and auditability over maximum flexibility.
Pros
- One library for auth, sessions, and tenant context; less integration surface.
- RBAC and permission checks are explicit and testable.
- Workspace/team and admin panel ship with the kit so you don't build from zero.
- Usage tracking ties directly into billing; no second system to sync.
Trade-offs
- Better Auth is less established than Auth.js/Clerk; we accept that in exchange for developer experience (DX) and multi-tenant fit.
- Complex org hierarchies (nested teams, custom roles) may need extension.
- Default data retention and billing limits are opinionated; you can override them, but you must document the overrides.