Tuesday, July 14th 2026 · 7 min read
Vercel Acquires Better Auth: What Next.js SaaS Teams Need to Know
Vercel acquired Better Auth on July 7, 2026. Learn what stays open, why agent identity matters and what Next.js SaaS teams should do now.
On July 7, 2026, Vercel announced its acquisition of Better Auth. Founder Bereket Engida and the core team are joining Vercel while continuing to develop the open-source authentication framework.
The announcement is especially relevant to Next.js SaaS teams. Better Auth has become a popular TypeScript option for sessions, social login, two-factor authentication and organizations. It is also the authentication foundation used by the current Achromatic Prisma and Drizzle starter kits.
The short version is simple:
- Existing Better Auth applications do not need to migrate because of the acquisition.
- Better Auth remains free, MIT licensed and framework agnostic.
- The project keeps its name, open contribution model and broad framework support.
- Vercel and the Better Auth team plan to invest more deeply in identity for AI agents.
- Dependency upgrades and security work should still follow release notes and advisories, not company news.
Here is what the announcement means in practice.
What Vercel acquired
Vercel acquired the company behind Better Auth, not a closed hosted identity service. At the time of the announcement, Vercel reported that the library had more than 4.7 million weekly npm downloads and over 850 contributors.
Both companies emphasized continuity. According to the Better Auth announcement, the team is joining Vercel to accelerate its work on open-source authentication and secure agent workflows. Vercel says the library will remain:
- Free and open source under the MIT license
- Portable across frameworks and hosting providers
- Led by the existing team
- Open to community contributions
That matters because portability is one of Better Auth's main advantages. Your application can keep its database, session model and integration code in your own infrastructure. The acquisition announcement does not require you to move hosting providers or replace your current authentication flow.
Why agent identity is central to the deal
Traditional authentication answers questions about people:
- Who is this user?
- Is their session valid?
- Which organization do they belong to?
- What can they access?
AI agents add another layer. An agent may act for a user across GitHub, Slack, Linear or another service. Giving every agent the same long-lived token as the application creates too much authority and makes targeted revocation difficult.
Vercel describes the goal as giving each agent its own identity with scoped and revocable access. The company is connecting this work to products such as Vercel Connect, which exchanges application identity for short-lived provider credentials at runtime.
This is roadmap direction, not an automatic feature added to existing Better Auth applications. SaaS teams should still design explicit boundaries around every tool an agent can call, every organization it can access and every action it can perform.
What Better Auth already supports in Next.js
Better Auth already fits the Next.js App Router without requiring the acquisition.
The official Next.js integration guide covers:
- Mounting the Better Auth handler in an App Router route
- Creating a React client for browser-side authentication
- Reading sessions in React Server Components and Server Actions
- Setting cookies from Server Actions with the Next.js cookies plugin
- Using
proxy.tswith Next.js 16
One distinction in that guide is easy to miss: checking for a session cookie in proxy.ts can be useful for an optimistic redirect, but it is not a secure authorization check. A user can present a cookie that exists without proving that the session is valid or that the user may access a specific tenant.
The Next.js authentication guide recommends separating three concerns:
- Authentication verifies the user's identity.
- Session management tracks their authenticated state.
- Authorization decides which data and actions they may access.
For sensitive operations, validate the session and permissions again at the server-side data boundary. A proxy redirect can improve navigation, but the page, route handler or data access function must still enforce access.
Organizations remain the SaaS security boundary
For a multi-tenant SaaS, a valid user session is only the first check. Every request also needs an organization boundary.
Better Auth's organization plugin provides organizations, members, teams, roles and invitations. Those primitives are useful, but the application still decides how organization ownership maps to product data.
A reliable request path looks like this:
- Validate the session on the server.
- Read the organization identifier from trusted application context.
- Confirm that the user is an active member of that organization.
- Check the required role or permission.
- Scope every database query to the same organization identifier.
- Return only the fields needed by the current screen or action.
An active organization selected in the interface is context, not proof of access. Membership changes, invitation revocation and role updates must take effect at the server boundary.
What Next.js SaaS teams should do now
1. Do not migrate because of the acquisition
There is no acquisition-specific migration. Keep your current architecture unless a product requirement, release note or security advisory gives you a reason to change it.
2. Treat Better Auth 1.7 as a separate upgrade decision
Better Auth 1.7 is currently a release candidate. Its upgrade guide covers changes across OAuth, OpenID Connect, SAML, SCIM, two-factor authentication, Stripe and custom adapters.
Do not combine a corporate announcement with a production dependency upgrade. Review the guide, generate schema changes and test the complete authentication flow in a staging environment before adopting a release candidate.
3. Audit every Better Auth package you install
The June 2026 security update includes advisories for Better Auth core and scoped packages such as SSO, SCIM and the OAuth provider. Updating only the top-level package may not address a plugin-specific advisory.
Check your lockfile, direct dependencies and enabled plugins against the upstream advisory. Apply the fixed version named for each affected package.
4. Test behavior, not only types
Authentication regressions often appear in state transitions rather than TypeScript errors. Test at least:
- Sign-up, sign-in and sign-out
- Email verification and password reset
- OAuth callbacks and account linking
- Session expiration and revocation
- Two-factor authentication and recovery codes
- Invitation creation, acceptance, expiration and cancellation
- Organization switching and membership removal
- Role changes and cross-tenant access attempts
- Admin impersonation start and stop
- Direct access to protected pages and API routes
5. Inventory credentials used by AI features
If your product has agents that call external services, document which identity each agent uses. Prefer narrowly scoped, short-lived and revocable credentials over a shared token stored indefinitely in an environment variable.
The acquisition makes agent identity more visible, but the architectural work remains yours: define the actor, tenant, scope, lifetime and audit trail for each delegated action.
What this means for Achromatic users
The current Achromatic starter kits use Better Auth for email and password authentication, Google OAuth, TOTP two-factor authentication, sessions and organizations. Both Prisma and Drizzle versions keep authorization close to server-side application code and tenant-scoped data access.
The Vercel acquisition does not change that setup. Evaluate Better Auth releases on their technical contents, apply security guidance deliberately and test migrations before deploying them.
If you are starting a new product, explore the Achromatic starter kit documentation, review the live demo or see the one-time license.
The takeaway
Vercel's acquisition gives Better Auth more resources while preserving the open-source and portable model that made it useful to Next.js teams. The most interesting long-term direction is agent identity, where applications need authority that is scoped to a task and revocable without disabling the user.
For teams shipping today, the priorities are more familiar: keep dependencies current, enforce authorization at the data boundary, isolate organization data and test every authentication transition that can grant or remove access.
Sources:
Related Articles
New Achromatic Starter Kits Are Here
Next.js 16, React 19, Better Auth, tRPC with Prisma or Drizzle ORM. Ship your SaaS faster than ever.
Integrating Stripe with Auth.js in Next.js: Complete Guide
Learn how to connect Stripe billing with Auth.js authentication in Next.js. Covers customer creation, subscription syncing, webhooks, and access control patterns.
CVE-2026-23864 - React Server Components DoS Vulnerabilities
Multiple denial of service vulnerabilities discovered in React Server Components. All Achromatic starter kits updated to patched versions.