
email-and-password-best-practices

by better-auth

email-and-password-best-practices helps you configure Better Auth email/password login, verification emails, reset flows, password rules, hashing options, and the required migration step.

Stars: 162
Favorites: 0
Comments: 0
Added: Mar 30, 2026
Category: Access Control
Install Command
npx skills add https://github.com/better-auth/skills --skill emailAndPassword
Curation Score: 78/100

This skill scores 78/100, which means it is a solid directory listing candidate for agents working with Better Auth email/password authentication. The repository gives a clear trigger, concrete configuration examples, and a usable setup flow for email verification and password reset, so users can usually decide to install it with reasonable confidence, though some operational details are still left to surrounding Better Auth knowledge.
Strengths
  • Strong triggerability: the frontmatter explicitly covers login, sign-in, sign-up, credential authentication, and password security with Better Auth.
  • Practical workflow content: Quick Start includes enabling email/password, wiring verification and reset handlers, running migrations, and testing verification email behavior.
  • Useful implementation examples: SKILL.md provides concrete config code for `emailVerification.sendVerificationEmail` and explains how `url` and `token` are used.
Cautions
  • Adoption still requires some guesswork because the repo has only a single SKILL.md and no supporting scripts, references, or install-specific files.
  • Operational constraints and edge cases are lightly documented; structural signals show no explicit constraints section, which may leave policy and failure-mode questions unanswered.
Overview

Overview of email-and-password-best-practices skill

The email-and-password-best-practices skill is a focused Better Auth setup guide for teams implementing classic credential login with the security pieces people usually miss: email verification, password reset, password policy, and password hashing configuration. It is best for developers who already know they want Better Auth and need a fast, correct path to production-grade email/password flows rather than a generic auth explainer.

What this skill helps you do

Use this skill when your real job is to wire up a complete email/password flow that is safe enough to ship:

  • enable Better Auth email/password login
  • send verification emails
  • require verification before sign-in when needed
  • add reset-password delivery
  • apply password rules and validation
  • tune hashing behavior
  • run the required migration step

Who should install it

This skill is a strong fit for:

  • app teams adding username/email login to a Better Auth project
  • developers replacing ad hoc auth prompts with a repeatable setup path
  • AI-assisted coding workflows where you want the agent to remember the Better Auth-specific config names and sequence

It is less useful if you are still deciding between auth providers, or if your app uses only OAuth/passkeys and does not need passwords.

Why it is better than a generic auth prompt

A generic prompt might tell an agent to “add login and reset password.” This skill narrows that into the actual Better Auth knobs and expected setup order, including emailAndPassword: { enabled: true }, emailVerification.sendVerificationEmail, sendResetPassword handling, and npx @better-auth/cli@latest migrate. That makes it far more reliable for access-control work than a generic auth prompt.

What matters most before adoption

Before you install, check these decision points:

  • you must have an email sending function ready or planned
  • you need to decide whether sign-in should require verified email
  • you should know your password policy expectations
  • you need access to run Better Auth migrations
  • you should be comfortable editing auth server config, not just frontend forms

How to Use email-and-password-best-practices skill

Install context for the email-and-password-best-practices skill

Install the skill from the Better Auth skills repository:

npx skills add https://github.com/better-auth/skills --skill emailAndPassword

Then invoke it in an AI coding session when you want Better Auth credential flows configured, audited, or improved.

Read this file first

Start with:

  • better-auth/emailAndPassword/SKILL.md

This repository slice is lightweight, so the main value is in applying the guidance to your codebase correctly rather than exploring a large support tree.

What input the skill needs from you

Give the agent the missing context the repo cannot infer:

  • your Better Auth config file path
  • whether email/password is already partially enabled
  • your email sending provider or helper function
  • whether email verification is optional or mandatory
  • the reset-password UX you want
  • any password length or complexity requirements
  • whether you need custom hashing settings

Without that context, the agent can still scaffold, but the output will be generic.

Turn a rough goal into a strong prompt

Weak prompt:

  • “Set up auth with Better Auth.”

Better prompt:

  • “Use the email-and-password-best-practices skill to configure Better Auth email/password login in src/lib/auth.ts, require email verification before sign-in, add sendVerificationEmail using our existing sendEmail() helper, implement reset-password email sending, and tell me what migration command and test steps I need.”

This works better because it supplies file location, desired enforcement, existing mail primitive, and expected deliverables.

A practical sequence is:

  1. Enable email/password in Better Auth.
  2. Add verification email sending.
  3. Decide whether to require verification before sign-in.
  4. Add reset-password email delivery.
  5. Apply password validation rules.
  6. Review hashing settings only if you have a reason to customize them.
  7. Run migration.
  8. Test sign-up, verification, sign-in, and reset flows end to end.

That order reduces rework and matches how teams usually debug auth rollout.

Core config the skill is built around

The skill centers on a few Better Auth features:

  • emailAndPassword: { enabled: true }
  • emailVerification.sendVerificationEmail
  • emailAndPassword.requireEmailVerification
  • sendResetPassword
  • password policy configuration
  • hashing algorithm customization
  • npx @better-auth/cli@latest migrate

If your prompt does not mention which of these you need, the agent may choose defaults you did not intend.

Email verification is the main adoption blocker

For most teams, the hardest part is not enabling password auth but shipping verification safely. The skill is useful because it reminds the agent that sendVerificationEmail receives { user, url, token }, and that the provided url already contains the verification link. That helps avoid rebuilding links incorrectly when a full URL is already available.

When to require verified email

Use emailAndPassword.requireEmailVerification when your access control model assumes a confirmed identity before account use. The repository guidance also notes an important behavior: when an unverified user tries to sign in, the sign-in is rejected and a fresh verification email is sent. That is a practical detail many generic prompts miss, and it has two consequences worth stating in your prompt: the option only does something useful if emailVerification.sendVerificationEmail is actually configured, and the sign-in endpoint becomes a way for any unauthenticated caller to trigger email to a known address, so keep rate limiting in front of it.

Password reset usage guidance

If your app supports forgotten-password recovery, explicitly ask the agent to wire sendResetPassword and to show the full user journey:

  • request reset
  • receive email
  • follow link
  • set new password
  • sign in again

Do not ask only for “reset password backend,” or you may get a partial implementation with no delivery step.
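The handlers behind those config keys, as an added example that is not code from the Better Auth skills repository: it walks the sequence above (enable email/password, verification delivery, requireEmailVerification, reset delivery, password length rules, default hashing kept) and shows the point about using `url` as delivered instead of rebuilding it from `token`. The `sendEmail()` transport, the `sentMail` recorder and the policy values (12-character minimum, verification required, autoSignIn off) are assumptions for illustration; the option key names follow the Better Auth documentation.

```typescript
// Added example, not the skill's own code. Exercises the Better Auth
// email/password handlers without a running server or the package installed.

// Argument shape Better Auth passes to sendVerificationEmail and
// sendResetPassword: the user record, a ready-to-use link, and the raw token.
export interface MailContext {
  user: { email: string; name?: string };
  url: string;
  token: string;
}

export interface OutboundEmail {
  to: string;
  subject: string;
  text: string;
}

// Build the verification message. `url` is used verbatim: it already points
// at Better Auth's verify endpoint with the token attached, so rebuilding it
// from `token` only risks producing a broken or wrong-host link.
export function buildVerificationEmail(ctx: MailContext): OutboundEmail {
  return {
    to: ctx.user.email,
    subject: "Verify your email address",
    text: `Hi ${ctx.user.name ?? ctx.user.email},\n\nConfirm your address:\n${ctx.url}\n`,
  };
}

// Same pattern for password reset. The token appears exactly once, inside
// the link; it is never echoed separately where it could be copied around.
export function buildResetPasswordEmail(ctx: MailContext): OutboundEmail {
  return {
    to: ctx.user.email,
    subject: "Reset your password",
    text:
      "A password reset was requested for this account.\n" +
      `If that was you, use this link:\n${ctx.url}\n\n` +
      "If not, ignore this email; the link expires on its own.",
  };
}

// Hypothetical transport (assumption): in production this is your SMTP or
// provider helper. Here it records messages so the flow can be checked offline.
export const sentMail: OutboundEmail[] = [];
export async function sendEmail(msg: OutboundEmail): Promise<void> {
  sentMail.push(msg);
}

// The options object to hand to betterAuth({...}). Key names follow the
// Better Auth docs; the policy values are example decisions.
export function buildAuthOptions() {
  return {
    emailAndPassword: {
      enabled: true,
      // Unverified sign-in is rejected and a fresh verification email is sent.
      requireEmailVerification: true,
      // Do not create a session at sign-up, before the address is verified.
      autoSignIn: false,
      minPasswordLength: 12,
      maxPasswordLength: 128,
      sendResetPassword: async (ctx: MailContext) => {
        await sendEmail(buildResetPasswordEmail(ctx));
      },
      // No password.hash / password.verify override: the default (scrypt) stays.
    },
    emailVerification: {
      sendOnSignUp: true,
      sendVerificationEmail: async (ctx: MailContext) => {
        await sendEmail(buildVerificationEmail(ctx));
      },
    },
  };
}
```

Pass buildAuthOptions() to betterAuth() from better-auth in your auth config file (the import is left out so the example runs without the package installed), replace sendEmail() with your real mail helper, then run npx @better-auth/cli@latest migrate before testing the flows end to end.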

Password policy and client validation

The skill covers password policy, but you will get better results if you state:

  • minimum length
  • whether special characters are required
  • whether frontend validation should mirror backend rules
  • whether to return user-friendly validation messages

This is especially important if your team wants consistent behavior across sign-up, password change, and reset flows.
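One way to keep sign-up, password change and reset validation consistent, as an added example (not the skill's own code): a single policy module that both the forms and the server import. The limits mirror the minPasswordLength and maxPasswordLength values you set in the Better Auth config; the banned list is a constructed sample and the rule against reusing the email local part is an example choice.

```typescript
// Added example, not from the Better Auth skills repo. One policy module
// shared by client forms and server-side hooks so the two never disagree.

export const PASSWORD_POLICY = {
  minLength: 12,   // keep equal to emailAndPassword.minPasswordLength
  maxLength: 128,  // keep equal to emailAndPassword.maxPasswordLength
  // Constructed sample of a common-password list; use a real breached-password
  // source in production.
  banned: new Set(["password", "password123", "qwerty123456", "letmein12345"]),
};

export interface PolicyResult {
  ok: boolean;
  errors: string[]; // user-facing, safe to return to a form or API client
}

// Validate a candidate password. Passing `email` lets the policy reject
// passwords that contain the account's own local part (example rule).
export function checkPassword(password: string, email?: string): PolicyResult {
  const errors: string[] = [];
  const p = PASSWORD_POLICY;

  if (password.length < p.minLength) errors.push(`Use at least ${p.minLength} characters.`);
  if (password.length > p.maxLength) errors.push(`Use at most ${p.maxLength} characters.`);
  if (p.banned.has(password.toLowerCase())) errors.push("That password is too common.");

  const local = email?.split("@")[0]?.toLowerCase();
  if (local && local.length >= 4 && password.toLowerCase().includes(local)) {
    errors.push("Don't reuse part of your email address.");
  }

  return { ok: errors.length === 0, errors };
}
```

Better Auth enforces only the length limits itself; to apply the extra rules server-side, call checkPassword() from a before hook on the sign-up and reset-password routes (the hook wiring is not shown here; check the hooks documentation for your Better Auth version for the exact signature) and return its errors array to the form so the messages match what the client already showed.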

Hashing customization is not always needed

The email-and-password-best-practices usage path includes hashing customization, but treat it as an advanced requirement. Better Auth hashes passwords with scrypt by default; if you do not have a compliance, migration, or performance reason, ask the agent to keep that default and explain it rather than swapping the algorithm. If you do override password.hash and password.verify, the verify function must still accept every hash format already stored in your database, or existing users will be locked out.

Practical test checklist after implementation

Ask the agent to validate these scenarios:

  • new user sign-up succeeds
  • verification email is sent
  • verification link works
  • unverified sign-in is blocked if required
  • repeat sign-in triggers a new verification email when expected
  • reset-password email sends successfully
  • old password stops working after reset
  • password validation fails clearly on weak input

This is where the email-and-password-best-practices guide becomes materially better than a repo skim: it helps you test behavior, not just paste config.

email-and-password-best-practices skill FAQ

Is this skill only for Better Auth?

Yes. This is a provider-specific skill for Better Auth configuration and flows. If you are not using Better Auth, the config names and migration step will not transfer directly.

Is the email-and-password-best-practices skill beginner friendly?

Mostly yes, if you already understand where your auth config lives and how your app sends email. Absolute beginners may still need separate help with SMTP, transactional email providers, route wiring, and frontend forms.

Does it install anything by itself?

No. The skill is guidance for an AI workflow. Your project still needs Better Auth set up, any email provider integration you rely on, and the migration command run in your environment.

When should I not use this skill?

Skip it if:

  • you only need OAuth or passkeys
  • you are comparing auth platforms, not implementing Better Auth
  • your app forbids password login entirely
  • you want a broad security architecture review rather than a Better Auth config task

How is this different from asking an LLM for auth help?

The email-and-password-best-practices skill is narrower and more actionable. It steers the model toward Better Auth’s real configuration surface and the operational details around verification and reset flows, which reduces hallucinated APIs and missing steps.

Does it help with access control?

Yes, especially when your access control depends on verified identity before granting app access. Deciding whether to block unverified sign-in is one of the most important policy choices this skill helps implement correctly.

How to Improve email-and-password-best-practices skill

Give the skill your exact auth file and mail helper

The fastest way to improve output quality is to point the agent at the right file and existing email utility. For example:

  • “Edit src/lib/auth.ts and use lib/email/sendEmail.ts.”

That removes guesswork and reduces fake abstractions.

State your verification policy up front

For email-and-password-best-practices work, one missing sentence causes a lot of churn:

  • “Users must verify email before first sign-in.”

or

  • “Users can sign in before verification, but we still send verification email.”

If you do not specify this, the implementation may be secure but wrong for your product.

Ask for end-to-end flow output, not config only

A stronger request is:

  • “Configure the backend and show the frontend/user flow, email triggers, migration command, and manual test plan.”

This avoids incomplete output where the auth server is configured but no one knows how users complete the flow.

Watch for common failure modes

Common issues when using this skill include:

  • forgetting to implement actual email delivery
  • generating custom verification links when url is already provided
  • enabling verification but not deciding whether sign-in must be blocked
  • wiring reset-password transport without testing the callback path
  • adding frontend password rules that do not match backend validation

Provide policy details for stronger password handling

If password strength matters in your environment, include exact requirements. “Use strong passwords” is too vague. Better prompts mention length, banned patterns, reset expectations, and whether existing users must comply immediately or only on change/reset.

Ask the agent to explain tradeoffs, not just patch code

Good prompt addition:

  • “Explain why you kept defaults or changed hashing settings, and note any security/usability tradeoffs.”

That improves reviewability and helps teams avoid cargo-cult security changes.

Iterate after the first draft with failure cases

After the agent produces an initial implementation, improve it by asking:

  • “Now review this for unverified-user edge cases.”
  • “Add manual test cases for expired reset links.”
  • “Check whether password validation is consistent between sign-up and reset.”

This second pass is often where the email-and-password-best-practices install decision pays off, because the skill keeps the iteration grounded in real Better Auth behavior rather than generic auth advice.

Ratings & Reviews

No ratings yet