Share Better Auth Secrets Across Environments

Better Auth requires a 32-byte secret to sign sessions. Use a different value in each environment and never commit any of them to version control.

Generate secrets

openssl rand -base64 32
# or
node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"

Local development

apps/web/.env.local:

BETTER_AUTH_SECRET="base64string=="
NEXT_PUBLIC_BETTER_AUTH_URL="http://localhost:3000"
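
A startup check for the secret and env file above, as an added example that is not part of the original page or of Better Auth: it rejects the placeholder value, anything that does not decode to 32 bytes, and a secret that ends up in a NEXT_PUBLIC_ variable. The function names and the placeholder list are assumptions.

```javascript
// Added example: startup checks for BETTER_AUTH_SECRET.
// Function names and the placeholder list are illustrative assumptions,
// not part of Better Auth.
const PLACEHOLDERS = new Set(["base64string==", "changeme", "secret"]);

// Returns a list of problems with one secret value (empty list means OK).
function checkAuthSecret(value) {
  if (typeof value !== "string" || value.trim() === "") return ["secret is not set"];
  const v = value.trim();
  const problems = [];
  if (PLACEHOLDERS.has(v.toLowerCase())) problems.push("placeholder value");
  // Buffer.from() silently skips invalid characters, so validate strictly first.
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(v) || v.length % 4 !== 0) {
    return [...problems, "not valid base64"];
  }
  const bytes = Buffer.from(v, "base64");
  if (bytes.length < 32) problems.push(`only ${bytes.length} bytes, expected 32`);
  if (new Set(bytes).size < 8) problems.push("too few distinct bytes to be random");
  return problems;
}

// Checks one environment's variables, such as process.env.
function checkEnv(env) {
  const secret = env.BETTER_AUTH_SECRET;
  const problems = checkAuthSecret(secret);
  for (const [name, val] of Object.entries(env)) {
    if (!name.startsWith("NEXT_PUBLIC_")) continue;
    // Next.js inlines NEXT_PUBLIC_* variables into the browser bundle.
    if (/SECRET/i.test(name) || (secret && val === secret)) {
      problems.push(`${name} would expose a secret to the browser`);
    }
  }
  return problems;
}

// Call once at startup; the error lists problems without echoing the secret.
function assertAuthEnv(env = process.env) {
  const problems = checkEnv(env);
  if (problems.length) throw new Error("auth config: " + problems.join("; "));
}
```

Call `assertAuthEnv()` before the server starts listening so a misconfigured deployment fails immediately instead of signing sessions with a weak value.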

Vercel deployment

vercel env add BETTER_AUTH_SECRET production
vercel env add NEXT_PUBLIC_BETTER_AUTH_URL production

Self-hosted?

  • Use Docker secrets: docker secret create better_auth_secret secret.txt
  • On Kubernetes, mount it as a Secret and inject it via env vars.

Diagram

  flowchart LR
    A[Secret manager] --> B[CI/CD]
    B --> C[Vercel env vars]
    B --> D[Docker compose]

Rotate secrets periodically and revoke leaked ones by deleting associated sessions in the database.