Removing Authentication Providers
You might decide to simplify your login experience by removing unused authentication providers. Since Better Auth is configured declaratively, removing a provider is straightforward.
Removing Social Providers
To remove a social provider like Google or Microsoft:
- Open packages/backend/convex/auth.ts.
- Locate the socialProviders configuration inside the createAuth function.
- Remove the corresponding block (e.g., the google object or the ...microsoftSocialProvider spread).
- Remove the associated environment variables from your .env file to clean up your configuration.
Removing Email & Password
To enforce a completely passwordless experience, you can disable email and password authentication:
- Open packages/backend/convex/auth.ts.
- Locate the emailAndPassword configuration.
- Change enabled: true to enabled: false.
emailAndPassword: {
enabled: false,
},
Considerations
- Existing Users: Before removing a provider, consider how existing users who rely on that provider will access their accounts. You may need to ask them to link another auth method before disabling it.
- UI Updates: Ensure you update your frontend authentication components in packages/ui and apps/app to remove the buttons or forms associated with the disabled provider.
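One way to run the Existing Users check before disabling a provider, as an added example that is not code from the starter: it lists users who would be left with no sign-in method. The row shape (userId, providerId), the provider ids (including "credential" for email and password), and the function name are assumptions; adapt them to your own account data.

```typescript
// Added example, not part of the starter. Assumed row shape: one row per
// linked sign-in method, carrying the owning user and the provider id.
interface AccountRow {
  userId: string;
  providerId: string; // assumed ids: "google", "microsoft", "credential"
}

interface RemovalImpact {
  lockedOut: string[];    // every sign-in method they have is being removed
  stillCovered: string[]; // they lose a method but keep at least one other
}

// Classify affected users if the providers in `removing` are disabled.
function assessProviderRemoval(accounts: AccountRow[], removing: string[]): RemovalImpact {
  // Null-prototype objects so user ids like "constructor" cannot collide
  // with inherited properties.
  const kept: Record<string, number> = Object.create(null);
  const lost: Record<string, number> = Object.create(null);
  accounts.forEach(function (row) {
    const bucket = removing.indexOf(row.providerId) !== -1 ? lost : kept;
    bucket[row.userId] = (bucket[row.userId] || 0) + 1;
  });
  const affected = Object.keys(lost).sort();
  return {
    lockedOut: affected.filter(function (id) { return !kept[id]; }),
    stillCovered: affected.filter(function (id) { return (kept[id] || 0) > 0; }),
  };
}

// Constructed sample data for illustration only.
const sampleAccounts: AccountRow[] = [
  { userId: "u1", providerId: "google" },
  { userId: "u1", providerId: "credential" },
  { userId: "u2", providerId: "google" },
  { userId: "u3", providerId: "microsoft" },
  { userId: "u4", providerId: "credential" },
];

// Removing Google: u2 has no other method, u1 can still use a password.
const googleImpact = assessProviderRemoval(sampleAccounts, ["google"]);
// googleImpact.lockedOut    -> ["u2"]
// googleImpact.stillCovered -> ["u1"]
```

Users in lockedOut are the ones to ask to link another auth method before the provider is disabled.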
Sensitive Actions
Certain actions in your application, like deleting an account, changing a password, or updating billing information, are highly sensitive. To protect these actions from session hijacking or an unattended terminal, you should require users to re-authenticate or verify their identity.
Overview
How the starter protects user accounts and dangerous actions after login: sensitive-action step-up, an audit log, rate limiting, and a server-side super-admin boundary.