Three surfaces. One Worker.
Everything ships in a single Cloudflare Worker: the API your app calls, the login pages your users see, and the dashboard you manage them from.

Hosted login pages
Sign-in, sign-up, passkeys, email codes and social buttons — themed in Cloudflare orange, light & dark, English & 中文. Zero frontend work.

Admin dashboard
Better Auth Studio built in: browse, create, ban, role and delete users and organizations — live event stream included, gated to admins.
// your app, anywhere const s = await fetch( "https://auth.you.com" + "/api/auth/get-session", { credentials: "include" } ).then(r => r.json()) s.user.email // → "ada@example.com"
Better Auth API
The full Better Auth surface, public where it should be. Point any SDK at it, share sessions across subdomains, add trusted origins per app.
The parts you'd have built anyway.
Deployed before your coffee drips.
Click deploy
Cloudflare clones the repo into your GitHub and auto-provisions a D1 database and a KV namespace. Every push redeploys.
Paste one secret
32+ random characters to sign your sessions. That's the whole configuration.
$ openssl rand -base64 33You're live
The schema creates itself on first request — no migrations. Social providers switch on automatically when you add their keys.
→ https://auth-kit.you.workers.dev ● liveSmall on ceremony, big on surface.
A login page you don't have to design
Built from better-auth-ui's shadcn components and themed like it belongs to Cloudflare. Light and dark. English and 中文. Passkeys and email codes appear the moment you enable them — the page always mirrors your config.
- Passkeys (WebAuthn) with cross-subdomain support
- Email OTP via Cloudflare Email Routing or Resend
- Google, Apple, GitHub, Microsoft — auto-enabled by config
An admin you'd actually open
Live session events, growth charts, user and organization management, CSV export, ban / role / delete — Better Auth Studio ships inside the same Worker, locked to admins only.
- Role-gated: admins in, everyone else bounced to login
- Organizations & members with owner roles
- Works on day zero — no separate deploy
One deployment, many apps
Mount extra apps under their own path — each with its own D1 database, KV namespace and signing secret. Users of one app can never leak into another: isolation is declared in config, enforced by bindings.
- Per-app databases — hard isolation, not row filters
- Per-app login pages & OAuth callback routing
- Cross-subdomain SSO when you want it, host-only when you don't