Auth Tables
Better Auth user, session, account, and verification tables.
Auth tables are driven by Better Auth. Schemas are defined for both SQLite and PostgreSQL:
src/core/db/schema/sqlite/auth.schema.ts
src/core/db/schema/pg/auth.schema.ts
The field meanings are the same across databases, though low-level column types differ.
Business boundary
These tables support:
- Email/password login, email verification, password reset
- Google and GitHub social login
- Magic links
- Server-side session reads
- User role and avatar fields
Better Auth is configured in src/modules/auth/config.ts, and the route handler lives in app/api/auth/[...all]/route.ts.
Tables
| Table | Meaning | Main writer |
|---|---|---|
| user | Application users | Better Auth and profile update API |
| session | Login sessions | Better Auth |
| account | Login provider bindings | Better Auth |
| verification | Email verification, reset password, magic link tokens | Better Auth |
user
| Field | Description |
|---|---|
| id | User ID |
| name | Display name |
| email | Unique email |
| emailVerified | Email verification status |
| image | Avatar URL or storage object key |
| role | Project extension field; defaults to user, administrators use admin |
| createdAt / updatedAt | Timestamps |
role is declared as an additional Better Auth field. Profile updates go through app/api/user/profile/route.ts and update name and image.
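Because role sits on the same row that the profile route writes, that route should build its update from an allowlist rather than copying the request body. The sketch below is an added example, not code from this project: the function names and length limits are assumptions, and only the field names come from the user table.

```typescript
// Added example. Field names (name, image, role) come from the user table;
// function names and length limits are assumptions, not the project's code.
type Role = "user" | "admin";
interface SessionUser { id: string; role: Role }

// The only user columns the profile route is allowed to write.
const PROFILE_FIELDS = ["name", "image"] as const;
type ProfileField = (typeof PROFILE_FIELDS)[number];
type ProfilePatch = Partial<Record<ProfileField, string>>;
interface PatchResult { patch: ProfilePatch | null; error: string | null }

const MAX_LEN: Record<ProfileField, number> = { name: 100, image: 2048 }; // assumed

// Build the UPDATE payload from an untrusted JSON body. Keys outside the
// allowlist (role, emailVerified, id, ...) fail the request instead of being
// silently dropped, so tampering attempts are visible in error logs.
function parseProfilePatch(body: unknown): PatchResult {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { patch: null, error: "body must be a JSON object" };
  }
  const input = body as Record<string, unknown>;
  const patch: ProfilePatch = {};
  for (const key of Object.keys(input)) {
    if (PROFILE_FIELDS.indexOf(key as ProfileField) === -1) {
      return { patch: null, error: `field not allowed: ${key}` };
    }
    const field = key as ProfileField;
    const value = input[key];
    if (typeof value !== "string" || value.length === 0 || value.length > MAX_LEN[field]) {
      return { patch: null, error: `invalid value for ${key}` };
    }
    patch[field] = value;
  }
  if (Object.keys(patch).length === 0) {
    return { patch: null, error: "no fields to update" };
  }
  return { patch, error: null };
}

// Admin decisions use the role stored on the session's user row, never a
// value supplied in the request.
function isAdmin(user: SessionUser | null): boolean {
  return user !== null && user.role === "admin";
}
```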
session
| Field | Description |
|---|---|
| userId | References user.id |
| token | Unique session token |
| expiresAt | Expiration |
| ipAddress / userAgent | Request source metadata |
| createdAt / updatedAt | Timestamps |
Read the current session with:
import { getSession } from "@/modules/auth/server";
API routes can use:
import { getUser, requireUser, requireAdmin } from "@/modules/auth/server";
account
| Field | Description |
|---|---|
| userId | References user.id |
| accountId | Provider account ID |
| providerId | Provider such as credential, google, github |
| accessToken / refreshToken | OAuth tokens |
| password | Email/password credential managed by Better Auth |
| scope / idToken | OAuth fields |
Do not manipulate OAuth token fields from business modules.
verification
| Field | Description |
|---|---|
| identifier | Email or target identifier |
| value | Token value; magic links use hashed token |
| expiresAt | Expiration |
| createdAt / updatedAt | Timestamps |
This powers email verification, password reset, and magic links.
Extend user fields
Update both schemas
src/core/db/schema/sqlite/auth.schema.ts
src/core/db/schema/pg/auth.schema.ts
Update Better Auth additionalFields
Declare the field in src/modules/auth/config.ts.
Update business read/write paths
Keep user profile logic centralized in user services and types.
Notes
- user.email is unique and central to account identity.
- Deleting a user cascades to session and account, but other business tables depend on their own foreign key rules.
- Admin access depends on user.role, not only hidden UI.