Authentication
Overview
Authentication concepts for Buildspace SDK integrations.
Buildspace auth uses a hosted login flow powered by Better Auth, an open-source TypeScript authentication framework.
How it works
- Your app redirects users to the Buildspace hosted login page.
- Users authenticate via email + password or email OTP (one-time passcode).
- On success, Buildspace redirects back to your app with an authorization code.
- Your server exchanges the code for a session token.
┌──────────┐ redirect ┌──────────────────┐ code ┌──────────┐
│ Your App │ ──────────────▶ │ Buildspace Login │ ─────────▶ │ Your App │
│ (client) │ │ (hosted, BetterAuth) │ │ (server) │
└──────────┘ └──────────────────┘ └──────────┘
│
exchange code
for token
│
▼
┌──────────────┐
│ Runtime API │
└──────────────┘Auth methods
| Method | Description |
|---|---|
| Email + password | Standard sign-in with argon2id password hashing |
| Email OTP | 6-digit code sent via email, 5-minute expiry |
| Password reset | Email-based reset link with 1-hour token expiry |
Built on Better Auth
Buildspace uses Better Auth as its authentication infrastructure. Better Auth is an open-source, framework-agnostic TypeScript auth library that provides:
- Secure password hashing — argon2id by default (OWASP recommended)
- Email OTP plugin — one-time passcode authentication
- Session management — server-side sessions with configurable expiry
- Drizzle ORM adapter — direct integration with the Buildspace database layer
For more on Better Auth's capabilities, see the Better Auth documentation.
SDK integration
- Browser redirects are generated with
buildspace/client— see Client SDK. - Code exchange and session validation run on your server with
buildspace— see Server SDK. - Session lifecycle details are covered in Sessions.