WorkOS vs better-auth for convex. Which is better?
#WorkOS vs better-auth
maiden forge
undone frostBOT
Hi @maiden forge. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
Both WorkOS AuthKit and Better Auth work with Convex, but they’re in different stages and have different tradeoffs.
WorkOS AuthKit
Pros
- Officially documented Convex integration via
<ConvexProviderWithAuthKit>(React / Next.js). [AuthKit docs] - Hosted third‑party auth: passwords, social login, OTP, 2FA, user management, etc. [Auth overview]
- Good fit for B2B / multi‑tenant apps; free up to 1M users. [Auth overview]
Cons / Current rough edges
- Next.js / SPA integration is still being refined: you often need
expectAuth: trueor<Authenticated>wrappers to avoid auth “races” (queries firing before auth is ready), and there have been issues with brief “logged‑out” flashes and redirect loops while tokens refresh. [WorkOS thread 1; WorkOS thread 2] - Some custom-JWT / OIDC interoperability issues existed and have been gradually fixed, but multiple people still report setup difficulties and errors. [WorkOS custom auth thread]
Better Auth (Convex integration)
Pros
- First‑party Convex integration exists: <https://github.com/get-convex/better-auth.> [Need another auth option]
- Good fit if you want everything in Convex (no external SaaS), with plugins for things like orgs/admin, API keys, etc. [Better‑auth basic usage]
- Convex team has suggested Better Auth as the more “future‑proof” path given Auth.js deprecation, and is actively focusing on that integration. [Convex Auth reliability; Auth.js joins Better Auth; Convex Auth status]
Cons / Current rough edges
- The Convex Better Auth integration is explicitly in alpha; there have been reports of issues (e.g. orgs, perceived slowness) and expected breaking changes while it stabilizes. [Authjs now part of Better‑Auth; WorkOS vs Better‑Auth thread]
- Auth tables live in a separate component/schema instead of your main Convex schema, which some people dislike. [Authjs now part of Better‑Auth]
- Some folks report that, in its current state, it feels slower for heavy auth/org use compared to Convex Auth. [Authjs now part of Better‑Auth]
How to choose (based on current info)
From the available sources, a rough decision guide:
-
You want “hosted, batteries‑included”, B2B‑friendly, and don’t mind a third‑party service
→ WorkOS AuthKit is a strong fit; expect some integration nuances around token refresh and<Authenticated>/expectAuth, but it is an officially documented path. [AuthKit docs; WorkOS + Convex threads] -
You want to keep auth data in Convex and avoid a separate SaaS, and you’re OK with alpha‑state APIs
→ Better Auth is the more “future‑aligned” choice; Convex staff explicitly recommend it over new Convex Auth usage for long‑term projects, but you should be ready for some rough edges and upcoming changes. [Convex Auth reliability; Authjs now part of Better‑Auth] -
You prioritize maximum maturity and docs today over everything else
The knowledge sources also highlight Clerk and Auth0 as the most polished, officially supported options right now. [Auth overview]