Better Auth is moving fast in the most annoying category to move fast in: authentication. ToolVitals records 30 GitHub releases in 90 days, 8 release events in 30 days, a 100 shipping score, and a 95 health score. That is a strong signal for a framework handling sessions, OAuth, SAML, 2FA, cookies, API keys, and user management.

The official site positions Better Auth as “the most comprehensive authentication framework” for TypeScript. Its homepage leans hard into code-first auth, plugin composition, bring-your-own database support, framework coverage, enterprise SSO and SCIM, and newer agent-auth features like MCP auth, token exchange, and delegation.

The interesting part is not just volume. It is where the release energy is going.

The signal: security and protocol churn, not cosmetic shipping

The recent release stream is full of the unglamorous work that serious auth libraries have to do. v1.6.6 fixed preservation of the Partitioned cookie attribute, boolean coercion in session validation, API key lookup performance, Expo session loading, SSO ESM/CJS compatibility, and several SSRF vulnerabilities in OAuth provider logic.

v1.6.5 patched a high-severity authorization bypass in @better-auth/oauth-provider, tracked as GHSA-xr8f-h2gw-9xh6. v1.6.3 included a prototype pollution fix in the Stripe plugin, plus OAuth, SSO, OpenAPI, and 2FA fixes. v1.6.2 required a schema migration for two-factor enrollment behavior and fixed OAuth state verification against the cookie-stored nonce.

That pattern says Better Auth is not treating auth as a static checklist. It is actively sanding down edge cases across protocol boundaries, framework adapters, and deployment shapes. That is exactly where auth libraries usually get weird.

The beta line points in the same direction. v1.7.0-beta.0 changed two-factor enablement behavior and hardened SAML response validation. v1.7.0-beta.1 rewrote the generic OAuth plugin as a first-class social provider with OAuth 2.1 security defaults, added token response customization, and changed SAML ACS behavior.

That is a bet on breadth, but with a maintenance bill attached. Better Auth wants to be the auth layer for TypeScript apps that would rather keep auth in code than outsource every policy decision to a hosted dashboard.

The bet: code-owned auth with lots of plugins

Better Auth’s website says auth lives inside your app, with declarative config that is version controlled, type-safe, and reviewable in PRs. That matters, because it pitches the framework against both lighter auth helpers and hosted identity products.

The product claims broad framework support, built-in credential auth, social sign-on, multi-tenancy, enterprise SSO/SAML/SCIM, passkeys, magic links, API keys, JWTs, OpenAPI, Stripe integrations, and agent-auth features. The release notes support the idea that these are active surfaces, not stale marketing boxes.

The cost is complexity. A framework with this many plugins can ship valuable fixes quickly, but it can also create more migration moments. The recent notes include breaking changes, schema migration requirements, and beta-line warnings. Teams should read changelogs before upgrading, especially if they use OAuth provider, SSO, 2FA, or Stripe plugins.

What ToolVitals cannot tell you

ToolVitals can see public signals: 28,203 GitHub stars, release cadence, score movement, SSL and uptime checks, and public repository activity. It gives Better Auth a 94 ToolVitals score, a 214.6 hot score, a 100 shipping score, and an 86 data-confidence score.

ToolVitals cannot see whether your migration will be painless. It cannot measure code quality from the inside, user satisfaction, revenue, support quality, or whether the product works well for your exact stack.

It also cannot prove that every feature claim on the website is equally mature. The public site and release notes show active work across many surfaces. They do not prove operational excellence in production for every deployment model.

Comparisons: active, but not the loudest project in the set

Better Auth’s 8 release events in 30 days is strong for an auth framework, but it is not the highest velocity in the related set. ToolVitals shows LangChain at 36 release events in 30 days with 136,054 stars, and Gemini CLI at 24 release events with 103,358 stars.

Against ToolJet, Better Auth is smaller by stars, 28,203 versus 37,874, and quieter by release events, 8 versus 17. Both have a 100 shipping score. The difference is category context: ToolJet is a broader app-building platform, while Better Auth is changing security-sensitive infrastructure where each release deserves closer reading.

n8n is in another weight class by public attention, with 186,990 stars and 52 release events in 30 days. That comparison mostly shows scale, not direct substitution. Nobody should pick an auth framework because it ships like an automation platform.

Recommendation

If your team wants TypeScript auth that stays in your codebase, evaluate Better Auth seriously, especially if you need plugins for organizations, SSO, OAuth, passkeys, API keys, or emerging agent-auth flows.

Do not adopt it casually. Pin versions, read every changelog, and test auth flows before upgrading. The release cadence is a strength, but in auth, fast shipping only helps if your team treats upgrades like security work, not dependency janitor duty.
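One way to enforce the "pin versions" advice in CI, as an added example that is not code from Better Auth or ToolVitals: it flags Better Auth packages in a manifest that use a version range, sit below a chosen floor, or track the beta line. The floor of 1.6.6, the assumption that plugin packages share the release version numbers, and the sample manifest are all assumptions made for illustration.

```javascript
// Added example: audit a package.json object for Better Auth dependencies.
// FLOOR is an assumption: 1.6.6 is the newest stable release the article names,
// and plugin packages are assumed to share the framework's version numbers.
const FLOOR = "1.6.6";

const isBetterAuth = (name) =>
  name === "better-auth" || name.startsWith("@better-auth/");

// Exact pin = plain x.y.z with optional prerelease tag; no ^, ~, ranges, tags.
const EXACT = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;

function belowFloor(match, floor) {
  const want = floor.split(".").map(Number);
  const have = match.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (have[i] !== want[i]) return have[i] < want[i];
  }
  // Same x.y.z: a prerelease (e.g. 1.6.6-beta.0) sorts before the release.
  return match[4] !== undefined;
}

function auditBetterAuthPins(pkg, floor = FLOOR) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isBetterAuth(name)) continue;
      const m = EXACT.exec(spec.trim());
      if (!m) {
        findings.push({ name, spec, issue: "not-pinned" });
      } else if (belowFloor(m, floor)) {
        findings.push({ name, spec, issue: "below-floor" });
      } else if (m[4] !== undefined) {
        findings.push({ name, spec, issue: "prerelease" });
      }
    }
  }
  return findings;
}

// Constructed sample manifest, not taken from any real project.
const samplePkg = {
  dependencies: {
    "better-auth": "^1.6.2",
    "@better-auth/oauth-provider": "1.6.4",
    "@better-auth/stripe": "1.7.0-beta.1",
    "@better-auth/sso": "1.6.6",
    "express": "^4.19.0",
  },
};
console.log(auditBetterAuthPins(samplePkg));
```

A non-empty result is a reason to fail the build and read the changelog for the affected package before changing the pin.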
