Authentication Setup
Configure user authentication with Better Auth, including OAuth providers
Overview
Echo uses Better Auth for authentication.
By default, authentication is optional: during development you can access the admin panel without logging in.
Development Mode:
Set DISABLE_AUTH=true in your .env.local to access admin without authentication.
Configuration
Set up authentication for production
Production Mode
In production, authentication is required. Add these to your environment variables:
# Generate a secure secret:
openssl rand -base64 32
# Add to .env.local:
DISABLE_AUTH=false
BETTER_AUTH_SECRET=your-very-secret-random-string
SITE_URL=https://yourdomain.com
Google OAuth Setup
Allow users to sign in with Google
- Go to Google Cloud Console
- Create or select a project
- Enable Google+ API
- Go to Credentials → Create Credentials → OAuth client ID
- Configure OAuth consent screen
- Add redirect URI: http://localhost:3000/api/auth/callback/google
- Copy credentials to .env.local
GOOGLE_CLIENT_ID=xxx.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-...
GitHub OAuth Setup
Allow users to sign in with GitHub
- Go to GitHub → Settings → Developer settings → OAuth Apps
- Click New OAuth App
- Fill in:
- Application name: Echo Website
- Homepage URL: http://localhost:3000
- Authorization callback URL: http://localhost:3000/api/auth/callback/github
- Click Register application
- Copy credentials to .env.local
GITHUB_CLIENT_ID=...
GITHUB_CLIENT_SECRET=...
User Roles
Admin and user roles
Admin Role
Claim admin access using the admin claim code:
- Sign in to your account
- Go to /admin/claim
- Enter your admin claim code
- Your role will be upgraded to admin
User Profile
User profiles are automatically created with fields: userId, displayName, role, avatarUrl, and subscription fields.
Security Best Practices
- Never commit secrets to version control
- Use a strong BETTER_AUTH_SECRET (32+ characters)
- Rotate secrets regularly (every 3-6 months)
- Use HTTPS in production
- Validate user input on the server side
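A pre-deploy check for the variables documented above, as an added example that is not part of Echo or Better Auth. The names validateAuthEnv and sampleEnv are hypothetical, and the production callback URLs assume the same paths shown for localhost, served from SITE_URL.

```javascript
// Added example: production check for the auth variables this page documents.
// validateAuthEnv is a hypothetical helper, not an Echo or Better Auth API.
const PLACEHOLDER_SECRET = 'your-very-secret-random-string'; // sample value from this page
const PROVIDERS = ['GOOGLE', 'GITHUB'];

function validateAuthEnv(env) {
  const problems = [];

  // DISABLE_AUTH=true is the development bypass; it must not reach production.
  if (String(env.DISABLE_AUTH).toLowerCase() === 'true') {
    problems.push('DISABLE_AUTH=true leaves the admin panel unauthenticated');
  }

  const secret = env.BETTER_AUTH_SECRET || '';
  if (secret.length < 32) problems.push('BETTER_AUTH_SECRET is shorter than 32 characters');
  if (secret === PLACEHOLDER_SECRET) problems.push('BETTER_AUTH_SECRET is the documentation placeholder');

  let origin = null;
  try {
    const url = new URL(env.SITE_URL);
    if (url.protocol !== 'https:') problems.push('SITE_URL is not https');
    origin = url.origin;
  } catch {
    problems.push('SITE_URL is missing or not a valid URL');
  }

  const callbacks = [];
  for (const p of PROVIDERS) {
    const id = env[`${p}_CLIENT_ID`];
    const sec = env[`${p}_CLIENT_SECRET`];
    if (Boolean(id) !== Boolean(sec)) problems.push(`${p}_CLIENT_ID and ${p}_CLIENT_SECRET must be set together`);
    // Assumption: production callback = SITE_URL origin + the path shown for localhost.
    if (id && sec && origin) callbacks.push(`${origin}/api/auth/callback/${p.toLowerCase()}`);
  }
  return { ok: problems.length === 0, problems, callbacks };
}

// Constructed sample values, not real credentials.
const sampleEnv = {
  DISABLE_AUTH: 'false',
  BETTER_AUTH_SECRET: 'c'.repeat(44), // same length as `openssl rand -base64 32` output
  SITE_URL: 'https://yourdomain.com',
  GITHUB_CLIENT_ID: 'constructed-id',
  GITHUB_CLIENT_SECRET: 'constructed-secret',
};
console.log(validateAuthEnv(sampleEnv));
```

The returned callbacks list is what should be registered as redirect URIs with each configured provider before going live.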