WorkOS
WorkOS remains the hosted Overlay authentication backend. It owns hosted browser login, session refresh, and AuthKit connections.Better Auth
Better Auth is the recommended private web-session backend. It runs inside the Overlay Next.js application and stores auth-scoped users, accounts, sessions, verification records, SSO provider metadata, and signing keys in Postgres.BETTER_AUTH_DATABASE_URL is auth state. OVERLAY_DATABASE_URL is application data. They may use separate databases on one PostgreSQL cluster, but they must remain separately named and independently migratable.
Better Auth delegates login to one or more configured OIDC connections. A canonical connection has a stable internal ID, preset, permitted domains, and credentials:
OIDC bearer verifier
AUTH_PROVIDER=oidc verifies an existing bearer/access token using issuer discovery and JWKS. It is useful for service clients and deployments where another component already owns the browser session.
It does not provide Overlay’s browser sign-in, callback, session-cookie, or account-management flow. Use Better Auth when Overlay must own those flows.