From f4073c051af140390114969e263c00f7fb5156c3 Mon Sep 17 00:00:00 2001
From: Brian Johnson <brianmjohnson@users.noreply.github.com>
Date: Wed, 7 Jan 2026 03:23:35 -0800
Subject: [PATCH 01/11] feat: Migrate authentication from NextAuth v5 to Better
 Auth

- Update Prisma schema with Better Auth models (User, Session, Account, Verification, Passkey, TwoFactor, Jwks)
- Change User.id from CUID to UUID format
- Change emailVerified from DateTime? to Boolean
- Add cross-subdomain cookie support for SSO on .usefoundry.ai domain
- Create Better Auth configuration for builder and viewer apps
- Update SignInForm and SocialLoginButtons to use Better Auth client
- Add public environment variables for auth provider visibility
- Configure shared database sessions for SSO across apps

BREAKING: Requires new environment variables BETTER_AUTH_URL and BETTER_AUTH_SECRET

Brian Johnson in useFoundry.ai

(cherry picked from commit 1c39a71bf834d0c422d62f8230a9196289cfe4d3)
---
 .gitignore                                    |   1 +
 apps/builder/package.json                     |   4 +-
 .../src/app/api/auth/[...all]/route.ts        |   4 +
 .../src/app/api/auth/[...nextauth]/route.ts   |  31 ---
 .../features/auth/components/SignInForm.tsx   |  56 ++---
 .../auth/components/SocialLoginButtons.tsx    | 107 ++++-----
 .../auth/helpers/createAuthPrismaAdapter.ts   | 204 ------------------
 .../auth/helpers/getAuthenticatedUser.ts      |  16 +-
 .../builder/src/features/auth/lib/nextAuth.ts | 193 -----------------
 .../src/features/auth/lib/providers.ts        | 145 -------------
 apps/builder/src/features/auth/next-auth.d.ts |   7 -
 apps/builder/src/lib/auth/client.ts           |  25 +++
 apps/builder/src/lib/auth/config.ts           | 120 +++++++++++
 apps/builder/src/lib/auth/providers.ts        |  56 +++++
 .../src/lib/auth/send-verification-email.ts   |  37 ++++
 apps/viewer/package.json                      |   1 +
 .../viewer/src/app/api/auth/[...all]/route.ts |   4 +
 apps/viewer/src/lib/auth/client.ts            |   9 +
 apps/viewer/src/lib/auth/config.ts            |  35 +++
 bun.lock                                      |  57 +++--
 packages/env/src/index.ts                     |  32 ++-
 packages/prisma/postgresql/schema.prisma      | 192 ++++++++++++-----
 22 files changed, 598 insertions(+), 738 deletions(-)
 create mode 100644 apps/builder/src/app/api/auth/[...all]/route.ts
 delete mode 100644 apps/builder/src/app/api/auth/[...nextauth]/route.ts
 delete mode 100644 apps/builder/src/features/auth/helpers/createAuthPrismaAdapter.ts
 delete mode 100644 apps/builder/src/features/auth/lib/nextAuth.ts
 delete mode 100644 apps/builder/src/features/auth/lib/providers.ts
 delete mode 100644 apps/builder/src/features/auth/next-auth.d.ts
 create mode 100644 apps/builder/src/lib/auth/client.ts
 create mode 100644 apps/builder/src/lib/auth/config.ts
 create mode 100644 apps/builder/src/lib/auth/providers.ts
 create mode 100644 apps/builder/src/lib/auth/send-verification-email.ts
 create mode 100644 apps/viewer/src/app/api/auth/[...all]/route.ts
 create mode 100644 apps/viewer/src/lib/auth/client.ts
 create mode 100644 apps/viewer/src/lib/auth/config.ts

diff --git a/.gitignore b/.gitignore
index da387ecdc0..41509bf962 100644
--- a/.gitignore
+++ b/.gitignore
@@ -63,3 +63,4 @@ snapshots
 .nitro
 
 **/test/.auth
+.env*.local
diff --git a/apps/builder/package.json b/apps/builder/package.json
index 31a293ff4f..3c06d929cf 100644
--- a/apps/builder/package.json
+++ b/apps/builder/package.json
@@ -9,8 +9,9 @@
     "test": "dotenv -e ./.env -e ../../.env -- bun test"
   },
   "dependencies": {
-    "@auth/core": "^0.39.1",
+    "@better-auth/expo": "^1.4.10",
     "@braintree/sanitize-url": "^7.0.1",
+    "better-auth": "^1.4.10",
     "@dnd-kit/helpers": "^0.1.21",
     "@dnd-kit/react": "^0.1.21",
     "@giphy/js-fetch-api": "^5.7.0",
@@ -77,7 +78,6 @@
     "micro-cors": "^0.1.1",
     "nanoid": "^5.1.5",
     "next": "^15.5.9",
-    "next-auth": "^5.0.0-beta.28",
     "next-themes": "^0.4.6",
     "nextjs-cors": "^2.1.2",
     "nodemailer": "^7.0.6",
diff --git a/apps/builder/src/app/api/auth/[...all]/route.ts b/apps/builder/src/app/api/auth/[...all]/route.ts
new file mode 100644
index 0000000000..d441e7ea66
--- /dev/null
+++ b/apps/builder/src/app/api/auth/[...all]/route.ts
@@ -0,0 +1,4 @@
+import { auth } from "@/lib/auth/config";
+import { toNextJsHandler } from "better-auth/next-js";
+
+export const { GET, POST } = toNextJsHandler(auth);
diff --git a/apps/builder/src/app/api/auth/[...nextauth]/route.ts b/apps/builder/src/app/api/auth/[...nextauth]/route.ts
deleted file mode 100644
index 3ab54a4def..0000000000
--- a/apps/builder/src/app/api/auth/[...nextauth]/route.ts
+++ /dev/null
@@ -1,31 +0,0 @@
-import { type NextRequest, NextResponse } from "next/server";
-import {
-  authHandlers,
-  SET_TYPEBOT_COOKIE_HEADER,
-} from "@/features/auth/lib/nextAuth";
-
-export const GET = async (req: NextRequest) => {
-  const response = await authHandlers.GET(req);
-  setTypebotCookie(req, response);
-  return response;
-};
-
-export const POST = async (req: NextRequest) => {
-  const response = await authHandlers.POST(req);
-  setTypebotCookie(req, response);
-  return response;
-};
-
-// Accept company firewall requests? Not sure if it is still necessary
-export const HEAD = () => {
-  return NextResponse.json({ message: "ok" }, { status: 200 });
-};
-
-// Because we don't have access to `res` in nextAuth.ts
-const setTypebotCookie = (req: NextRequest, response: Response) => {
-  const typebotSetCookieHeaderValue = req.headers.get(
-    SET_TYPEBOT_COOKIE_HEADER,
-  );
-  if (typebotSetCookieHeaderValue)
-    response.headers.append("Set-Cookie", typebotSetCookieHeaderValue);
-};
diff --git a/apps/builder/src/features/auth/components/SignInForm.tsx b/apps/builder/src/features/auth/components/SignInForm.tsx
index 006a939286..029c80ac38 100644
--- a/apps/builder/src/features/auth/components/SignInForm.tsx
+++ b/apps/builder/src/features/auth/components/SignInForm.tsx
@@ -9,12 +9,12 @@ import { CheckmarkSquare02Icon } from "@typebot.io/ui/icons/CheckmarkSquare02Ico
 import { LoaderCircleIcon } from "@typebot.io/ui/icons/LoaderCircleIcon";
 import { cn } from "@typebot.io/ui/lib/cn";
 import { useRouter } from "next/navigation";
-import { getProviders, signIn, useSession } from "next-auth/react";
 import { useQueryState } from "nuqs";
 import type { FormEvent } from "react";
 import { useEffect, useState } from "react";
 import { TextLink } from "@/components/TextLink";
 import { toast } from "@/lib/toast";
+import { authClient, useSession } from "@/lib/auth/client";
 import { createEmailMagicLink } from "../helpers/createEmailMagicLink";
 import { DividerWithText } from "./DividerWithText";
 import { SignInError } from "./SignInError";
@@ -25,35 +25,36 @@ type Props = {
   className?: string;
 };
 
+// Available providers configuration (matches server config)
+const availableProviders = {
+  github: !!process.env.NEXT_PUBLIC_GITHUB_ENABLED,
+  google: !!process.env.NEXT_PUBLIC_GOOGLE_ENABLED,
+  facebook: !!process.env.NEXT_PUBLIC_FACEBOOK_ENABLED,
+  gitlab: !!process.env.NEXT_PUBLIC_GITLAB_ENABLED,
+  microsoft: !!process.env.NEXT_PUBLIC_AZURE_ENABLED,
+  email: !!process.env.NEXT_PUBLIC_EMAIL_ENABLED,
+};
+
 export const SignInForm = ({ defaultEmail, className }: Props) => {
   const { t } = useTranslate();
   const router = useRouter();
   const [authError, setAuthError] = useQueryState("error");
   const [redirectPath] = useQueryState("redirectPath");
-  const { status } = useSession();
+  const { data: session, isPending } = useSession();
   const [authLoading, setAuthLoading] = useState(false);
-  const [isLoadingProviders, setIsLoadingProviders] = useState(true);
+  const [isLoadingProviders, setIsLoadingProviders] = useState(false);
 
   const [emailValue, setEmailValue] = useState(defaultEmail ?? "");
   const [isMagicCodeSent, setIsMagicCodeSent] = useState(false);
 
-  const [providers, setProviders] =
-    useState<Awaited<ReturnType<typeof getProviders>>>();
-
-  const hasNoAuthProvider =
-    !isLoadingProviders && Object.keys(providers ?? {}).length === 0;
+  // Check if any provider is configured
+  const hasNoAuthProvider = !Object.values(availableProviders).some(Boolean);
 
   useEffect(() => {
-    if (status === "authenticated") {
+    if (session?.user) {
       router.replace(redirectPath ? sanitizeUrl(redirectPath) : "/typebots");
-      return;
     }
-    (async () => {
-      const providers = await getProviders();
-      setProviders(providers ?? undefined);
-      setIsLoadingProviders(false);
-    })();
-  }, [status, router]);
+  }, [session, router, redirectPath]);
 
   useEffect(() => {
     if (authError === "ip-banned") {
@@ -71,29 +72,29 @@ export const SignInForm = ({ defaultEmail, className }: Props) => {
     if (isMagicCodeSent) return;
     setAuthLoading(true);
     try {
-      const response = await signIn("nodemailer", {
+      const { error } = await authClient.signIn.magicLink({
         email: emailValue,
-        redirect: false,
+        callbackURL: redirectPath ? sanitizeUrl(redirectPath) : "/typebots",
       });
-      if (response?.error) {
-        if (response.error.includes("too-many-requests"))
+      if (error) {
+        if (error.message?.includes("too-many-requests"))
           toast({
             type: "info",
             description: t("auth.signinErrorToast.tooManyRequests"),
           });
-        else if (response.error.includes("sign-up-disabled"))
+        else if (error.message?.includes("sign-up-disabled"))
           toast({
             type: "info",
             description: t("auth.signinErrorToast.title"),
           });
-        else if (response.error.includes("email-not-legit"))
+        else if (error.message?.includes("email-not-legit"))
           toast({
             description: "Please use a valid email address",
           });
         else
           toast({
             description: t("errorMessage"),
-            details: "Check server logs to see relevent error message.",
+            details: error.message || "Check server logs to see relevent error message.",
           });
       } else {
         setIsMagicCodeSent(true);
@@ -113,7 +114,7 @@ export const SignInForm = ({ defaultEmail, className }: Props) => {
     );
   };
 
-  if (isLoadingProviders) return <LoaderCircleIcon className="animate-spin" />;
+  if (isPending) return <LoaderCircleIcon className="animate-spin" />;
   if (hasNoAuthProvider)
     return (
       <p>
@@ -130,8 +131,8 @@ export const SignInForm = ({ defaultEmail, className }: Props) => {
     <div className={cn("flex flex-col gap-6 w-[330px]", className)}>
       {!isMagicCodeSent && (
         <>
-          <SocialLoginButtons providers={providers} />
-          {providers?.nodemailer && (
+          <SocialLoginButtons />
+          {availableProviders.email && (
             <>
               <DividerWithText>{t("auth.orEmailLabel")}</DividerWithText>
               <form
@@ -150,7 +151,8 @@ export const SignInForm = ({ defaultEmail, className }: Props) => {
                 <Button
                   type="submit"
                   disabled={
-                    ["loading", "authenticated"].includes(status) ||
+                    isPending ||
+                    !!session?.user ||
                     authLoading ||
                     isMagicCodeSent
                   }
diff --git a/apps/builder/src/features/auth/components/SocialLoginButtons.tsx b/apps/builder/src/features/auth/components/SocialLoginButtons.tsx
index b9e1288d45..fe8164def9 100644
--- a/apps/builder/src/features/auth/components/SocialLoginButtons.tsx
+++ b/apps/builder/src/features/auth/components/SocialLoginButtons.tsx
@@ -3,7 +3,6 @@ import { omit } from "@typebot.io/lib/utils";
 import { Button } from "@typebot.io/ui/components/Button";
 import { GithubIcon } from "@typebot.io/ui/icons/GithubIcon";
 import { useRouter } from "next/router";
-import { type getProviders, signIn, useSession } from "next-auth/react";
 import { stringify } from "qs";
 import { useState } from "react";
 import { GoogleLogo } from "@/components/GoogleLogo";
@@ -11,23 +10,34 @@ import { AzureAdLogo } from "@/components/logos/AzureAdLogo";
 import { FacebookLogo } from "@/components/logos/FacebookLogo";
 import { GitlabLogo } from "@/components/logos/GitlabLogo";
 import { KeycloackLogo } from "@/components/logos/KeycloakLogo";
+import { authClient, useSession } from "@/lib/auth/client";
 
-type Props = {
-  providers: Awaited<ReturnType<typeof getProviders>> | undefined;
+// Available providers configuration
+const availableProviders = {
+  github: !!process.env.NEXT_PUBLIC_GITHUB_ENABLED,
+  google: !!process.env.NEXT_PUBLIC_GOOGLE_ENABLED,
+  facebook: !!process.env.NEXT_PUBLIC_FACEBOOK_ENABLED,
+  gitlab: !!process.env.NEXT_PUBLIC_GITLAB_ENABLED,
+  microsoft: !!process.env.NEXT_PUBLIC_AZURE_ENABLED,
+  keycloak: !!process.env.NEXT_PUBLIC_KEYCLOAK_ENABLED,
+  customOAuth: !!process.env.NEXT_PUBLIC_CUSTOM_OAUTH_ENABLED,
 };
 
-export const SocialLoginButtons = ({ providers }: Props) => {
+export const SocialLoginButtons = () => {
   const { t } = useTranslate();
   const { query } = useRouter();
-  const { status } = useSession();
+  const { data: session, isPending } = useSession();
   const [authLoading, setAuthLoading] = useState<string>();
 
-  const handleSignIn = async (provider: string) => {
+  const getCallbackUrl = () =>
+    query.callbackUrl?.toString() ??
+    `/typebots?${stringify(omit(query, "error", "callbackUrl"))}`;
+
+  const handleSignIn = async (provider: "github" | "google" | "facebook" | "gitlab" | "microsoft") => {
     setAuthLoading(provider);
-    await signIn(provider, {
-      callbackUrl:
-        query.callbackUrl?.toString() ??
-        `/typebots?${stringify(omit(query, "error", "callbackUrl"))}`,
+    await authClient.signIn.social({
+      provider,
+      callbackURL: getCallbackUrl(),
     });
     setTimeout(() => setAuthLoading(undefined), 3000);
   };
@@ -40,104 +50,99 @@ export const SocialLoginButtons = ({ providers }: Props) => {
 
   const handleGitlabClick = () => handleSignIn("gitlab");
 
-  const handleMicrosoftEntraIdClick = () => handleSignIn("microsoft-entra-id");
+  const handleMicrosoftEntraIdClick = () => handleSignIn("microsoft");
+
+  const handleCustomOAuthClick = async () => {
+    setAuthLoading("custom-oauth");
+    await authClient.signIn.oauth2({
+      providerId: "custom-oauth",
+      callbackURL: getCallbackUrl(),
+    });
+    setTimeout(() => setAuthLoading(undefined), 3000);
+  };
 
-  const handleCustomOAuthClick = () => handleSignIn("custom-oauth");
+  const handleKeyCloackClick = async () => {
+    setAuthLoading("keycloak");
+    await authClient.signIn.oauth2({
+      providerId: "keycloak",
+      callbackURL: getCallbackUrl(),
+    });
+    setTimeout(() => setAuthLoading(undefined), 3000);
+  };
 
-  const handleKeyCloackClick = () => handleSignIn("keycloak");
+  const isDisabled = isPending || !!session?.user;
 
   return (
     <div className="flex flex-col gap-2">
-      {providers?.github && (
+      {availableProviders.github && (
         <Button
           onClick={handleGitHubClick}
-          disabled={
-            ["loading", "authenticated"].includes(status) ||
-            authLoading === "github"
-          }
+          disabled={isDisabled || authLoading === "github"}
           variant="outline-secondary"
         >
           <GithubIcon />
           {t("auth.socialLogin.githubButton.label")}
         </Button>
       )}
-      {providers?.google && (
+      {availableProviders.google && (
         <Button
           onClick={handleGoogleClick}
-          disabled={
-            ["loading", "authenticated"].includes(status) ||
-            authLoading === "google"
-          }
+          disabled={isDisabled || authLoading === "google"}
           variant="outline-secondary"
         >
           <GoogleLogo />
           {t("auth.socialLogin.googleButton.label")}
         </Button>
       )}
-      {providers?.facebook && (
+      {availableProviders.facebook && (
         <Button
           onClick={handleFacebookClick}
-          disabled={
-            ["loading", "authenticated"].includes(status) ||
-            authLoading === "facebook"
-          }
+          disabled={isDisabled || authLoading === "facebook"}
           variant="outline-secondary"
         >
           <FacebookLogo />
           {t("auth.socialLogin.facebookButton.label")}
         </Button>
       )}
-      {providers?.gitlab && (
+      {availableProviders.gitlab && (
         <Button
           onClick={handleGitlabClick}
-          disabled={
-            ["loading", "authenticated"].includes(status) ||
-            authLoading === "gitlab"
-          }
+          disabled={isDisabled || authLoading === "gitlab"}
           variant="outline-secondary"
         >
           <GitlabLogo />
           {t("auth.socialLogin.gitlabButton.label", {
-            gitlabProviderName: providers.gitlab.name,
+            gitlabProviderName: "GitLab",
           })}
         </Button>
       )}
-      {providers?.["microsoft-entra-id"] && (
+      {availableProviders.microsoft && (
         <Button
           onClick={handleMicrosoftEntraIdClick}
-          disabled={
-            ["loading", "authenticated"].includes(status) ||
-            authLoading === "microsoft-entra-id"
-          }
+          disabled={isDisabled || authLoading === "microsoft"}
           variant="outline"
         >
           <AzureAdLogo />
           {t("auth.socialLogin.azureButton.label", {
-            azureProviderName: providers["microsoft-entra-id"].name,
+            azureProviderName: "Microsoft",
           })}
         </Button>
       )}
-      {providers?.["custom-oauth"] && (
+      {availableProviders.customOAuth && (
         <Button
           onClick={handleCustomOAuthClick}
-          disabled={
-            ["loading", "authenticated"].includes(status) ||
-            authLoading === "custom-oauth"
-          }
+          disabled={isDisabled || authLoading === "custom-oauth"}
           variant="outline-secondary"
         >
           {t("auth.socialLogin.customButton.label", {
-            customProviderName: providers["custom-oauth"].name,
+            customProviderName: process.env.NEXT_PUBLIC_CUSTOM_OAUTH_NAME || "SSO",
           })}
         </Button>
       )}
-      {providers?.keycloak && (
+      {availableProviders.keycloak && (
         <Button
           onClick={handleKeyCloackClick}
-          disabled={
-            ["loading", "authenticated"].includes(status) ||
-            authLoading === "keycloak"
-          }
+          disabled={isDisabled || authLoading === "keycloak"}
           variant="outline-secondary"
         >
           <KeycloackLogo />
diff --git a/apps/builder/src/features/auth/helpers/createAuthPrismaAdapter.ts b/apps/builder/src/features/auth/helpers/createAuthPrismaAdapter.ts
deleted file mode 100644
index cb93252ecb..0000000000
--- a/apps/builder/src/features/auth/helpers/createAuthPrismaAdapter.ts
+++ /dev/null
@@ -1,204 +0,0 @@
-import type {
-  Adapter,
-  AdapterAccount,
-  AdapterSession,
-  AdapterUser,
-} from "@auth/core/adapters";
-import { createId } from "@paralleldrive/cuid2";
-import { env } from "@typebot.io/env";
-import { ky } from "@typebot.io/lib/ky";
-import { omit } from "@typebot.io/lib/utils";
-import {
-  PrismaClientKnownRequestError,
-  WorkspaceRole,
-} from "@typebot.io/prisma/enum";
-import type { Prisma } from "@typebot.io/prisma/types";
-import type { TelemetryEvent } from "@typebot.io/telemetry/schemas";
-import { trackEvents } from "@typebot.io/telemetry/trackEvents";
-import { userSchema } from "@typebot.io/user/schemas";
-import { convertInvitationsToCollaborations } from "@/features/auth/helpers/convertInvitationsToCollaborations";
-import { getNewUserInvitations } from "@/features/auth/helpers/getNewUserInvitations";
-import { joinWorkspaces } from "@/features/auth/helpers/joinWorkspaces";
-import { parseWorkspaceDefaultPlan } from "@/features/workspace/helpers/parseWorkspaceDefaultPlan";
-
-export const createAuthPrismaAdapter = (p: Prisma.PrismaClient): Adapter => ({
-  createUser: async (data) => {
-    if (!data.email)
-      throw Error("Provider did not forward email but it is required");
-    const user = { id: createId(), email: data.email };
-    const { invitations, workspaceInvitations } = await getNewUserInvitations(
-      p,
-      user.email,
-    );
-    if (
-      env.DISABLE_SIGNUP &&
-      env.ADMIN_EMAIL?.every((email) => email !== user.email) &&
-      invitations.length === 0 &&
-      workspaceInvitations.length === 0
-    )
-      throw Error("New users are forbidden");
-
-    const newWorkspaceData = {
-      name: data.name ? `${data.name}'s workspace` : `My workspace`,
-      plan: parseWorkspaceDefaultPlan(data.email),
-    };
-    const createdUser = await p.user.create({
-      data: {
-        ...data,
-        id: user.id,
-        workspaces:
-          workspaceInvitations.length > 0
-            ? undefined
-            : {
-                create: {
-                  role: WorkspaceRole.ADMIN,
-                  workspace: {
-                    create: newWorkspaceData,
-                  },
-                },
-              },
-        onboardingCategories: [],
-      },
-      include: {
-        workspaces: { select: { workspaceId: true } },
-      },
-    });
-    const newWorkspaceId = createdUser.workspaces.pop()?.workspaceId;
-    const events: TelemetryEvent[] = [];
-    if (newWorkspaceId) {
-      events.push({
-        name: "Workspace created",
-        workspaceId: newWorkspaceId,
-        userId: createdUser.id,
-      });
-    }
-    events.push({
-      name: "User created",
-      userId: createdUser.id,
-    });
-    if (env.USER_CREATED_WEBHOOK_URL) {
-      try {
-        await ky.post(env.USER_CREATED_WEBHOOK_URL, {
-          json: {
-            email: createdUser.email,
-          },
-        });
-      } catch (e) {
-        console.error("Failed to call user created webhook", e);
-      }
-    }
-    await trackEvents(events);
-    if (invitations.length > 0)
-      await convertInvitationsToCollaborations(p, user, invitations);
-    if (workspaceInvitations.length > 0)
-      await joinWorkspaces(p, user, workspaceInvitations);
-    return createdUser as AdapterUser;
-  },
-  getUser: async (id) =>
-    userSchema.parse(await p.user.findUnique({ where: { id } })),
-  getUserByEmail: async (email) => {
-    const user = await p.user.findUnique({
-      where: { email },
-    });
-    if (!user) return null;
-    return userSchema.parse(user);
-  },
-  async getUserByAccount(provider_providerAccountId) {
-    const account = await p.account.findUnique({
-      where: { provider_providerAccountId },
-      include: { user: true },
-    });
-    return (account?.user as AdapterUser) ?? null;
-  },
-  updateUser: ({ id, ...data }) =>
-    p.user.update({
-      where: { id },
-      ...stripUndefined(data),
-    }) as Promise<AdapterUser>,
-  deleteUser: (id) => p.user.delete({ where: { id } }) as Promise<AdapterUser>,
-  linkAccount: (data) =>
-    p.account.create({
-      data: {
-        userId: data.userId,
-        type: data.type,
-        provider: data.provider,
-        providerAccountId: data.providerAccountId,
-        refresh_token: data.refresh_token,
-        access_token: data.access_token,
-        expires_at: data.expires_at,
-        token_type: data.token_type,
-        scope: data.scope,
-        id_token: data.id_token,
-        session_state: data.session_state as string | undefined,
-        oauth_token_secret: data.oauth_token_secret as string,
-        oauth_token: data.oauth_token as string,
-        refresh_token_expires_in: data.refresh_token_expires_in as
-          | number
-          | undefined,
-      },
-    }) as unknown as AdapterAccount,
-  unlinkAccount: (provider_providerAccountId) =>
-    p.account.delete({
-      where: { provider_providerAccountId },
-    }) as unknown as AdapterAccount,
-  async getSessionAndUser(sessionToken) {
-    const userAndSession = await p.session.findUnique({
-      where: { sessionToken },
-      include: { user: true },
-    });
-    if (!userAndSession) return null;
-    const { user, ...session } = userAndSession;
-    return { user, session } as {
-      user: AdapterUser;
-      session: AdapterSession;
-    };
-  },
-  createSession: (data) => p.session.create(stripUndefined(data)),
-  updateSession: (data) =>
-    p.session.update({
-      where: { sessionToken: data.sessionToken },
-      ...stripUndefined(data),
-    }),
-  deleteSession: (sessionToken) =>
-    p.session.delete({ where: { sessionToken } }),
-  async createVerificationToken(data) {
-    const verificationToken = await p.verificationToken.create(
-      stripUndefined(data),
-    );
-    if ("id" in verificationToken && verificationToken.id) {
-      return omit(verificationToken, "id");
-    }
-    return verificationToken;
-  },
-  async useVerificationToken(identifier_token) {
-    try {
-      const verificationToken = await p.verificationToken.delete({
-        where: { identifier_token },
-      });
-      if ("id" in verificationToken && verificationToken.id) {
-        return omit(verificationToken, "id");
-      }
-      return verificationToken;
-    } catch (error: unknown) {
-      // If token already used/deleted
-      if (
-        error instanceof PrismaClientKnownRequestError &&
-        error.code === "P2025"
-      )
-        return null;
-      throw error;
-    }
-  },
-  async getAccount(providerAccountId, provider) {
-    return p.account.findFirst({
-      where: { providerAccountId, provider },
-    }) as Promise<AdapterAccount | null>;
-  },
-});
-
-/** @see https://www.prisma.io/docs/orm/prisma-client/special-fields-and-types/null-and-undefined */
-function stripUndefined<T>(obj: T) {
-  const data = {} as T;
-  for (const key in obj) if (obj[key] !== undefined) data[key] = obj[key];
-  return { data };
-}
diff --git a/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts b/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts
index d296341747..820d95d302 100644
--- a/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts
+++ b/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts
@@ -2,7 +2,8 @@ import * as Sentry from "@sentry/nextjs";
 import prisma from "@typebot.io/prisma";
 import { type ClientUser, clientUserSchema } from "@typebot.io/user/schemas";
 import type { NextApiRequest, NextApiResponse } from "next";
-import { auth } from "../lib/nextAuth";
+import { auth } from "@/lib/auth/config";
+import { headers } from "next/headers";
 
 export const getAuthenticatedUser = async (
   req: NextApiRequest,
@@ -10,7 +11,18 @@ export const getAuthenticatedUser = async (
 ): Promise<ClientUser | undefined> => {
   const bearerToken = extractBearerToken(req);
   if (bearerToken) return authenticateByToken(bearerToken);
-  return (await auth(req, res))?.user;
+
+  // Get session from Better Auth
+  const session = await auth.api.getSession({
+    headers: new Headers({
+      cookie: req.headers.cookie || "",
+    }),
+  });
+
+  if (!session?.user) return undefined;
+
+  Sentry.setUser({ id: session.user.id });
+  return clientUserSchema.parse(session.user);
 };
 
 const authenticateByToken = async (
diff --git a/apps/builder/src/features/auth/lib/nextAuth.ts b/apps/builder/src/features/auth/lib/nextAuth.ts
deleted file mode 100644
index 1c800769cf..0000000000
--- a/apps/builder/src/features/auth/lib/nextAuth.ts
+++ /dev/null
@@ -1,193 +0,0 @@
-import { env } from "@typebot.io/env";
-import { datesAreOnSameDay } from "@typebot.io/lib/datesAreOnSameDay";
-import { getIp } from "@typebot.io/lib/getIp";
-import { isDefined } from "@typebot.io/lib/utils";
-import prisma from "@typebot.io/prisma";
-import {
-  getTypebotCookie,
-  serializeTypebotCookie,
-} from "@typebot.io/telemetry/cookies/helpers";
-import type { TypebotCookieValue } from "@typebot.io/telemetry/cookies/schema";
-import { mergeIds } from "@typebot.io/telemetry/mergeIds";
-import { trackEvents } from "@typebot.io/telemetry/trackEvents";
-import { clientUserSchema } from "@typebot.io/user/schemas";
-import type { NextRequest } from "next/server";
-import NextAuth from "next-auth";
-import { accountHasRequiredOAuthGroups } from "../helpers/accountHasRequiredOAuthGroups";
-import { createAuthPrismaAdapter } from "../helpers/createAuthPrismaAdapter";
-import { isEmailLegit } from "../helpers/emailValidation";
-import { getNewUserInvitations } from "../helpers/getNewUserInvitations";
-import oneMinRateLimiter from "./oneMinRateLimiter";
-import { providers } from "./providers";
-
-export const SET_TYPEBOT_COOKIE_HEADER = "Set-Typebot-Cookie" as const;
-
-export const {
-  auth,
-  handlers: authHandlers,
-  signIn,
-  signOut,
-} = NextAuth((req) => ({
-  adapter: createAuthPrismaAdapter(prisma),
-  secret: env.ENCRYPTION_SECRET,
-  providers,
-  trustHost: env.VERCEL_GIT_COMMIT_SHA ? undefined : true,
-  pages: {
-    signIn: "/signin",
-    newUser: env.NEXT_PUBLIC_ONBOARDING_TYPEBOT_ID ? "/onboarding" : undefined,
-    error: "/signin",
-  },
-  events: {
-    session: async ({ session }) => {
-      if (!datesAreOnSameDay(session.user.lastActivityAt, new Date())) {
-        await prisma.user.updateMany({
-          where: { id: session.user.id },
-          data: { lastActivityAt: new Date() },
-        });
-      }
-      const typebotCookie = getTypebotCookieFromNextReq(req);
-      if (typebotCookie) {
-        if (
-          typebotCookie?.landingPage?.id &&
-          !typebotCookie.landingPage.isMerged
-        ) {
-          await mergeIds({
-            visitorId: typebotCookie.landingPage.id,
-            userId: session.user.id,
-          });
-          updateCookieIsMerged({ req, typebotCookie });
-        }
-      }
-    },
-    async signIn({ user, isNewUser, account }) {
-      if (!user.id) return;
-      const typebotCookie = getTypebotCookieFromNextReq(req);
-      if (typebotCookie && account?.provider)
-        updateCookieLastProvider(account.provider, { req, typebotCookie });
-      if (isNewUser) return;
-      await trackEvents([
-        {
-          name: "User logged in",
-          userId: user.id,
-        },
-      ]);
-    },
-    async signOut(props) {
-      if ("token" in props) return;
-      const typebotCookie = getTypebotCookieFromNextReq(req);
-      if (typebotCookie) resetLandingPageCookie({ req, typebotCookie });
-      await trackEvents([
-        {
-          name: "User logged out",
-          userId: (props.session as unknown as { userId: string }).userId,
-        },
-      ]);
-    },
-  },
-  callbacks: {
-    session: async ({ session, user }) => ({
-      ...session,
-      user: clientUserSchema.parse(user),
-    }),
-    signIn: async ({ account, user, email }) => {
-      if (!account) return false;
-      const isNewUser = !("createdAt" in user && isDefined(user.createdAt));
-      if (user.email && email?.verificationRequest) {
-        const ip = req
-          ? getIp({
-              "x-forwarded-for": req.headers.get("x-forwarded-for"),
-              "cf-connecting-ip": req.headers.get("cf-connecting-ip"),
-            })
-          : null;
-        if (oneMinRateLimiter && ip) {
-          const { success } = await oneMinRateLimiter.limit(ip);
-          if (!success) throw new Error("too-many-requests");
-        }
-        if (!isEmailLegit(user.email)) throw new Error("email-not-legit");
-      }
-      if (
-        env.DISABLE_SIGNUP &&
-        isNewUser &&
-        user.email &&
-        !env.ADMIN_EMAIL?.includes(user.email)
-      ) {
-        const { invitations, workspaceInvitations } =
-          await getNewUserInvitations(prisma, user.email);
-        if (invitations.length === 0 && workspaceInvitations.length === 0)
-          throw new Error("sign-up-disabled");
-      }
-      return await accountHasRequiredOAuthGroups(account);
-    },
-  },
-}));
-
-const updateCookieIsMerged = ({
-  req,
-  typebotCookie,
-}: {
-  req: NextRequest | undefined;
-  typebotCookie: TypebotCookieValue;
-}) => {
-  if (!isValidNextRequest(req) || !typebotCookie.landingPage) return;
-  req.headers.set(
-    SET_TYPEBOT_COOKIE_HEADER,
-    serializeTypebotCookie({
-      ...typebotCookie,
-      landingPage: {
-        ...typebotCookie.landingPage,
-        isMerged: true,
-      },
-    }),
-  );
-};
-
-const updateCookieLastProvider = (
-  provider: string,
-  {
-    req,
-    typebotCookie,
-  }: { req: NextRequest | undefined; typebotCookie: TypebotCookieValue },
-) => {
-  if (!isValidNextRequest(req)) return;
-  req.headers.set(
-    SET_TYPEBOT_COOKIE_HEADER,
-    serializeTypebotCookie({
-      ...typebotCookie,
-      lastProvider: provider,
-    }),
-  );
-};
-
-const resetLandingPageCookie = ({
-  req,
-  typebotCookie,
-}: {
-  req: NextRequest | undefined;
-  typebotCookie: TypebotCookieValue;
-}) => {
-  if (!isValidNextRequest(req)) return;
-  req.headers.set(
-    SET_TYPEBOT_COOKIE_HEADER,
-    serializeTypebotCookie({
-      ...typebotCookie,
-      lastProvider: undefined,
-      landingPage: undefined,
-    }),
-  );
-};
-
-const getTypebotCookieFromNextReq = (
-  req: NextRequest | undefined,
-): TypebotCookieValue | null => {
-  if (!isValidNextRequest(req)) return null;
-  const cookieStr = req.headers.get("cookie");
-  if (!cookieStr) return null;
-  return getTypebotCookie(cookieStr);
-};
-
-// Nextauth req type is not correct, so we need to assert it
-const isValidNextRequest = (
-  req: NextRequest | undefined,
-): req is NextRequest => {
-  return Boolean(req && "headers" in req && "get" in req.headers);
-};
diff --git a/apps/builder/src/features/auth/lib/providers.ts b/apps/builder/src/features/auth/lib/providers.ts
deleted file mode 100644
index e1d47f5961..0000000000
--- a/apps/builder/src/features/auth/lib/providers.ts
+++ /dev/null
@@ -1,145 +0,0 @@
-import { env } from "@typebot.io/env";
-import { getAtPath } from "@typebot.io/lib/utils";
-import { userSchema } from "@typebot.io/user/schemas";
-import FacebookProvider from "next-auth/providers/facebook";
-import GitHubProvider from "next-auth/providers/github";
-import GitlabProvider from "next-auth/providers/gitlab";
-import GoogleProvider from "next-auth/providers/google";
-import type { Provider } from "next-auth/providers/index";
-import KeycloakProvider from "next-auth/providers/keycloak";
-import MicrosoftEntraID from "next-auth/providers/microsoft-entra-id";
-import Nodemailer from "next-auth/providers/nodemailer";
-import { sendVerificationRequest } from "../helpers/sendVerificationRequest";
-
-export const providers: Provider[] = [];
-
-if (env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET)
-  providers.push(
-    GitHubProvider({
-      clientId: env.GITHUB_CLIENT_ID,
-      clientSecret: env.GITHUB_CLIENT_SECRET,
-      allowDangerousEmailAccountLinking: true,
-    }),
-  );
-
-if (env.NEXT_PUBLIC_SMTP_FROM && !env.SMTP_AUTH_DISABLED)
-  providers.push(
-    Nodemailer({
-      server: {
-        host: env.SMTP_HOST,
-        port: env.SMTP_PORT,
-        secure: env.SMTP_SECURE,
-        ignoreTLS: env.SMTP_IGNORE_TLS,
-        auth:
-          env.SMTP_USERNAME || env.SMTP_PASSWORD
-            ? {
-                user: env.SMTP_USERNAME,
-                pass: env.SMTP_PASSWORD,
-              }
-            : undefined,
-      },
-      maxAge: 5 * 60,
-      from: env.NEXT_PUBLIC_SMTP_FROM,
-      generateVerificationToken: () =>
-        Math.floor(100000 + Math.random() * 900000).toString(),
-      sendVerificationRequest,
-    }),
-  );
-
-if (env.GOOGLE_AUTH_CLIENT_ID && env.GOOGLE_AUTH_CLIENT_SECRET)
-  providers.push(
-    GoogleProvider({
-      clientId: env.GOOGLE_AUTH_CLIENT_ID,
-      clientSecret: env.GOOGLE_AUTH_CLIENT_SECRET,
-      allowDangerousEmailAccountLinking: true,
-    }),
-  );
-
-if (env.FACEBOOK_CLIENT_ID && env.FACEBOOK_CLIENT_SECRET)
-  providers.push(
-    FacebookProvider({
-      clientId: env.FACEBOOK_CLIENT_ID,
-      clientSecret: env.FACEBOOK_CLIENT_SECRET,
-      allowDangerousEmailAccountLinking: true,
-    }),
-  );
-
-if (env.GITLAB_CLIENT_ID && env.GITLAB_CLIENT_SECRET) {
-  const BASE_URL = env.GITLAB_BASE_URL;
-  providers.push(
-    GitlabProvider({
-      clientId: env.GITLAB_CLIENT_ID,
-      clientSecret: env.GITLAB_CLIENT_SECRET,
-      authorization: `${BASE_URL}/oauth/authorize?scope=read_api`,
-      token: `${BASE_URL}/oauth/token`,
-      userinfo: `${BASE_URL}/api/v4/user`,
-      name: env.GITLAB_NAME,
-      profile(profile) {
-        return {
-          id: profile.sub?.toString() || profile.id.toString(),
-          name: profile.name ?? profile.username,
-          email: profile.email,
-          image: profile.avatar_url,
-        };
-      },
-    }),
-  );
-}
-
-if (
-  env.AZURE_AD_CLIENT_ID &&
-  env.AZURE_AD_CLIENT_SECRET &&
-  env.AZURE_AD_TENANT_ID
-) {
-  providers.push(
-    MicrosoftEntraID({
-      clientId: env.AZURE_AD_CLIENT_ID,
-      clientSecret: env.AZURE_AD_CLIENT_SECRET,
-      issuer: `https://login.microsoftonline.com/${env.AZURE_AD_TENANT_ID || "common"}/v2.0`,
-    }),
-  );
-}
-
-if (
-  env.KEYCLOAK_CLIENT_ID &&
-  env.KEYCLOAK_BASE_URL &&
-  env.KEYCLOAK_CLIENT_SECRET &&
-  env.KEYCLOAK_REALM
-) {
-  providers.push(
-    KeycloakProvider({
-      clientId: env.KEYCLOAK_CLIENT_ID,
-      clientSecret: env.KEYCLOAK_CLIENT_SECRET,
-      issuer: `${env.KEYCLOAK_BASE_URL}/${env.KEYCLOAK_REALM}`,
-    }),
-  );
-}
-
-if (env.CUSTOM_OAUTH_ISSUER) {
-  providers.push({
-    id: "custom-oauth",
-    name: env.CUSTOM_OAUTH_NAME,
-    type: "oidc",
-    authorization: {
-      params: {
-        scope: env.CUSTOM_OAUTH_SCOPE,
-      },
-    },
-    checks: ["pkce", "state"],
-    clientId: env.CUSTOM_OAUTH_CLIENT_ID,
-    clientSecret: env.CUSTOM_OAUTH_CLIENT_SECRET,
-    wellKnown: env.CUSTOM_OAUTH_WELL_KNOWN_URL,
-    issuer: env.CUSTOM_OAUTH_ISSUER,
-    profile(profile) {
-      const user = {
-        id: getAtPath(profile, env.CUSTOM_OAUTH_USER_ID_PATH),
-        name: getAtPath(profile, env.CUSTOM_OAUTH_USER_NAME_PATH) ?? null,
-        email: getAtPath(profile, env.CUSTOM_OAUTH_USER_EMAIL_PATH),
-        image: getAtPath(profile, env.CUSTOM_OAUTH_USER_IMAGE_PATH) ?? null,
-      };
-      return userSchema
-        .pick({ id: true, email: true, name: true, image: true })
-        .parse(user);
-    },
-  });
-}
diff --git a/apps/builder/src/features/auth/next-auth.d.ts b/apps/builder/src/features/auth/next-auth.d.ts
deleted file mode 100644
index 4249489c7c..0000000000
--- a/apps/builder/src/features/auth/next-auth.d.ts
+++ /dev/null
@@ -1,7 +0,0 @@
-import type { ClientUser } from "@typebot.io/user/schemas";
-
-declare module "next-auth" {
-  interface Session extends DefaultSession {
-    user: ClientUser;
-  }
-}
diff --git a/apps/builder/src/lib/auth/client.ts b/apps/builder/src/lib/auth/client.ts
new file mode 100644
index 0000000000..01119ff691
--- /dev/null
+++ b/apps/builder/src/lib/auth/client.ts
@@ -0,0 +1,25 @@
+"use client";
+
+import { createAuthClient } from "better-auth/react";
+import { magicLinkClient } from "better-auth/client/plugins";
+import { emailOTPClient } from "better-auth/client/plugins";
+import { adminClient } from "better-auth/client/plugins";
+import { genericOAuthClient } from "better-auth/client/plugins";
+
+export const authClient = createAuthClient({
+  baseURL: process.env.NEXT_PUBLIC_BETTER_AUTH_URL || "",
+  plugins: [
+    magicLinkClient(),
+    emailOTPClient(),
+    adminClient(),
+    genericOAuthClient(),
+  ],
+});
+
+export const {
+  signIn,
+  signOut,
+  signUp,
+  useSession,
+  getSession,
+} = authClient;
diff --git a/apps/builder/src/lib/auth/config.ts b/apps/builder/src/lib/auth/config.ts
new file mode 100644
index 0000000000..28f25cd019
--- /dev/null
+++ b/apps/builder/src/lib/auth/config.ts
@@ -0,0 +1,120 @@
+import { betterAuth } from "better-auth";
+import { prismaAdapter } from "better-auth/adapters/prisma";
+import { magicLink } from "better-auth/plugins/magic-link";
+import { emailOTP } from "better-auth/plugins/email-otp";
+import { admin } from "better-auth/plugins/admin";
+import { genericOAuth } from "better-auth/plugins/generic-oauth";
+import { env } from "@typebot.io/env";
+import prisma from "@typebot.io/prisma";
+import { sendVerificationEmail } from "./send-verification-email";
+import { getOAuthProviders } from "./providers";
+
+export const auth = betterAuth({
+  database: prismaAdapter(prisma, {
+    provider: "postgresql",
+  }),
+  baseURL: env.BETTER_AUTH_URL,
+  secret: env.BETTER_AUTH_SECRET || env.ENCRYPTION_SECRET,
+
+  // Cross-subdomain SSO configuration
+  advanced: {
+    crossSubDomainCookies: {
+      enabled: true,
+      domain: ".usefoundry.ai",
+    },
+    defaultCookieAttributes: {
+      sameSite: "lax",
+      secure: process.env.NODE_ENV === "production",
+    },
+  },
+
+  session: {
+    expiresIn: 60 * 60 * 24 * 7, // 7 days
+    updateAge: 60 * 60 * 24, // 24 hours
+    cookieCache: {
+      enabled: true,
+      maxAge: 60 * 5, // 5 minutes
+    },
+  },
+
+  emailAndPassword: {
+    enabled: false, // Using magic link instead
+  },
+
+  socialProviders: getOAuthProviders(),
+
+  plugins: [
+    // Magic link email authentication
+    ...(env.NEXT_PUBLIC_SMTP_FROM && !env.SMTP_AUTH_DISABLED
+      ? [
+          magicLink({
+            sendMagicLink: async ({ email, url }) => {
+              await sendVerificationEmail({ email, url });
+            },
+            expiresIn: 60 * 5, // 5 minutes
+          }),
+          emailOTP({
+            sendVerificationOTP: async ({ email, otp }) => {
+              await sendVerificationEmail({ email, otp });
+            },
+            otpLength: 6,
+            expiresIn: 60 * 5, // 5 minutes
+          }),
+        ]
+      : []),
+
+    // Admin plugin for user management
+    admin({
+      defaultRole: "user",
+    }),
+
+    // Generic OAuth for custom OIDC providers
+    ...(env.CUSTOM_OAUTH_ISSUER
+      ? [
+          genericOAuth({
+            config: [
+              {
+                providerId: "custom-oauth",
+                clientId: env.CUSTOM_OAUTH_CLIENT_ID!,
+                clientSecret: env.CUSTOM_OAUTH_CLIENT_SECRET!,
+                discoveryUrl: env.CUSTOM_OAUTH_WELL_KNOWN_URL,
+                scopes: env.CUSTOM_OAUTH_SCOPE?.split(" ") || [
+                  "openid",
+                  "profile",
+                  "email",
+                ],
+                pkce: true,
+              },
+            ],
+          }),
+        ]
+      : []),
+  ],
+
+  user: {
+    additionalFields: {
+      role: {
+        type: "string",
+        required: false,
+        defaultValue: "user",
+      },
+      lastActivityAt: {
+        type: "date",
+        required: false,
+      },
+      company: {
+        type: "string",
+        required: false,
+      },
+    },
+  },
+
+  account: {
+    accountLinking: {
+      enabled: true,
+      trustedProviders: ["github", "google", "facebook", "gitlab", "azure-ad", "keycloak", "custom-oauth"],
+    },
+  },
+});
+
+export type Auth = typeof auth;
diff --git a/apps/builder/src/lib/auth/providers.ts b/apps/builder/src/lib/auth/providers.ts
new file mode 100644
index 0000000000..d63f32ce5e
--- /dev/null
+++ b/apps/builder/src/lib/auth/providers.ts
@@ -0,0 +1,56 @@
+import { env } from "@typebot.io/env";
+import type { BetterAuthOptions } from "better-auth";
+
+type SocialProviders = NonNullable<BetterAuthOptions["socialProviders"]>;
+
+export function getOAuthProviders(): SocialProviders {
+  const providers: SocialProviders = {};
+
+  // GitHub OAuth
+  if (env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET) {
+    providers.github = {
+      clientId: env.GITHUB_CLIENT_ID,
+      clientSecret: env.GITHUB_CLIENT_SECRET,
+    };
+  }
+
+  // Google OAuth
+  if (env.GOOGLE_AUTH_CLIENT_ID && env.GOOGLE_AUTH_CLIENT_SECRET) {
+    providers.google = {
+      clientId: env.GOOGLE_AUTH_CLIENT_ID,
+      clientSecret: env.GOOGLE_AUTH_CLIENT_SECRET,
+    };
+  }
+
+  // Facebook OAuth
+  if (env.FACEBOOK_CLIENT_ID && env.FACEBOOK_CLIENT_SECRET) {
+    providers.facebook = {
+      clientId: env.FACEBOOK_CLIENT_ID,
+      clientSecret: env.FACEBOOK_CLIENT_SECRET,
+    };
+  }
+
+  // GitLab OAuth
+  if (env.GITLAB_CLIENT_ID && env.GITLAB_CLIENT_SECRET) {
+    providers.gitlab = {
+      clientId: env.GITLAB_CLIENT_ID,
+      clientSecret: env.GITLAB_CLIENT_SECRET,
+      issuer: env.GITLAB_BASE_URL || "https://gitlab.com",
+    };
+  }
+
+  // Microsoft Azure AD / Entra ID
+  if (
+    env.AZURE_AD_CLIENT_ID &&
+    env.AZURE_AD_CLIENT_SECRET &&
+    env.AZURE_AD_TENANT_ID
+  ) {
+    providers.microsoft = {
+      clientId: env.AZURE_AD_CLIENT_ID,
+      clientSecret: env.AZURE_AD_CLIENT_SECRET,
+      tenantId: env.AZURE_AD_TENANT_ID,
+    };
+  }
+
+  return providers;
+}
diff --git a/apps/builder/src/lib/auth/send-verification-email.ts b/apps/builder/src/lib/auth/send-verification-email.ts
new file mode 100644
index 0000000000..203454b7c9
--- /dev/null
+++ b/apps/builder/src/lib/auth/send-verification-email.ts
@@ -0,0 +1,37 @@
+import { env } from "@typebot.io/env";
+import { sendEmail } from "@typebot.io/emails/sendEmail";
+import { render } from "@typebot.io/emails/render";
+
+type SendVerificationEmailProps = {
+  email: string;
+  url?: string;
+  otp?: string;
+};
+
+export async function sendVerificationEmail({
+  email,
+  url,
+  otp,
+}: SendVerificationEmailProps): Promise<void> {
+  const subject = otp
+    ? `Your verification code: ${otp}`
+    : "Sign in to your account";
+
+  const body = otp
+    ? `Your verification code is: <strong>${otp}</strong><br/><br/>This code expires in 5 minutes.`
+    : `Click the link below to sign in:<br/><br/><a href="${url}">Sign in</a><br/><br/>This link expires in 5 minutes.`;
+
+  await sendEmail({
+    to: email,
+    subject,
+    html: `
+      <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto;">
+        <h2>Sign in to Foundry</h2>
+        <p>${body}</p>
+        <p style="color: #666; font-size: 12px;">
+          If you did not request this, you can safely ignore this email.
+        </p>
+      </div>
+    `,
+  });
+}
diff --git a/apps/viewer/package.json b/apps/viewer/package.json
index 6221ae6a7d..590f3ec95c 100644
--- a/apps/viewer/package.json
+++ b/apps/viewer/package.json
@@ -9,6 +9,7 @@
     "test:e2e:report": "playwright show-report"
   },
   "dependencies": {
+    "better-auth": "^1.4.10",
     "partysocket": "^1.0.2",
     "@planetscale/database": "^1.8.0",
     "@sentry/nextjs": "^10.32.1",
diff --git a/apps/viewer/src/app/api/auth/[...all]/route.ts b/apps/viewer/src/app/api/auth/[...all]/route.ts
new file mode 100644
index 0000000000..d441e7ea66
--- /dev/null
+++ b/apps/viewer/src/app/api/auth/[...all]/route.ts
@@ -0,0 +1,4 @@
+import { auth } from "@/lib/auth/config";
+import { toNextJsHandler } from "better-auth/next-js";
+
+export const { GET, POST } = toNextJsHandler(auth);
diff --git a/apps/viewer/src/lib/auth/client.ts b/apps/viewer/src/lib/auth/client.ts
new file mode 100644
index 0000000000..9d36a64fea
--- /dev/null
+++ b/apps/viewer/src/lib/auth/client.ts
@@ -0,0 +1,9 @@
+"use client";
+
+import { createAuthClient } from "better-auth/react";
+
+export const authClient = createAuthClient({
+  baseURL: process.env.NEXT_PUBLIC_BETTER_AUTH_URL || "",
+});
+
+export const { useSession, getSession } = authClient;
diff --git a/apps/viewer/src/lib/auth/config.ts b/apps/viewer/src/lib/auth/config.ts
new file mode 100644
index 0000000000..21ed9137a8
--- /dev/null
+++ b/apps/viewer/src/lib/auth/config.ts
@@ -0,0 +1,35 @@
+import { betterAuth } from "better-auth";
+import { prismaAdapter } from "better-auth/adapters/prisma";
+import { env } from "@typebot.io/env";
+import prisma from "@typebot.io/prisma";
+
+export const auth = betterAuth({
+  database: prismaAdapter(prisma, {
+    provider: "postgresql",
+  }),
+  baseURL: env.BETTER_AUTH_URL,
+  secret: env.BETTER_AUTH_SECRET || env.ENCRYPTION_SECRET,
+
+  // Cross-subdomain SSO configuration (shared with builder)
+  advanced: {
+    crossSubDomainCookies: {
+      enabled: true,
+      domain: ".usefoundry.ai",
+    },
+    defaultCookieAttributes: {
+      sameSite: "lax",
+      secure: process.env.NODE_ENV === "production",
+    },
+  },
+
+  session: {
+    expiresIn: 60 * 60 * 24 * 7, // 7 days
+    updateAge: 60 * 60 * 24, // 24 hours
+    cookieCache: {
+      enabled: true,
+      maxAge: 60 * 5, // 5 minutes
+    },
+  },
+});
+
+export type Auth = typeof auth;
diff --git a/bun.lock b/bun.lock
index c90f47bc70..186abdaa2b 100644
--- a/bun.lock
+++ b/bun.lock
@@ -17,7 +17,7 @@
     "apps/builder": {
       "name": "builder",
       "dependencies": {
-        "@auth/core": "^0.39.1",
+        "@better-auth/expo": "^1.4.10",
         "@braintree/sanitize-url": "^7.0.1",
         "@dnd-kit/helpers": "^0.1.21",
         "@dnd-kit/react": "^0.1.21",
@@ -67,6 +67,7 @@
         "@upstash/ratelimit": "^0.4.3",
         "@use-gesture/react": "^10.3.1",
         "ai": "^4.3.19",
+        "better-auth": "^1.4.10",
         "browser-image-compression": "^2.0.2",
         "canvas-confetti": "^1.6.0",
         "codemirror": "^6.0.1",
@@ -85,7 +86,6 @@
         "motion": "^12.23.25",
         "nanoid": "^5.1.5",
         "next": "^15.5.9",
-        "next-auth": "^5.0.0-beta.28",
         "next-themes": "^0.4.6",
         "nextjs-cors": "^2.1.2",
         "nodemailer": "^7.0.6",
@@ -237,6 +237,7 @@
         "@typebot.io/webhook-block": "workspace:*",
         "@typebot.io/whatsapp": "workspace:*",
         "@typebot.io/zod": "workspace:*",
+        "better-auth": "^1.4.10",
         "cors": "^2.8.5",
         "google-spreadsheet": "^4.1.4",
         "next": "^15.5.9",
@@ -1439,8 +1440,6 @@
 
     "@ark-ui/solid": ["@ark-ui/solid@5.19.0", "", { "dependencies": { "@internationalized/date": "3.8.2", "@zag-js/accordion": "1.21.6", "@zag-js/anatomy": "1.21.6", "@zag-js/angle-slider": "1.21.6", "@zag-js/auto-resize": "1.21.6", "@zag-js/avatar": "1.21.6", "@zag-js/carousel": "1.21.6", "@zag-js/checkbox": "1.21.6", "@zag-js/clipboard": "1.21.6", "@zag-js/collapsible": "1.21.6", "@zag-js/collection": "1.21.6", "@zag-js/color-picker": "1.21.6", "@zag-js/color-utils": "1.21.6", "@zag-js/combobox": "1.21.6", "@zag-js/core": "1.21.6", "@zag-js/date-picker": "1.21.6", "@zag-js/date-utils": "1.21.6", "@zag-js/dialog": "1.21.6", "@zag-js/dom-query": "1.21.6", "@zag-js/editable": "1.21.6", "@zag-js/file-upload": "1.21.6", "@zag-js/file-utils": "1.21.6", "@zag-js/floating-panel": "1.21.6", "@zag-js/focus-trap": "1.21.6", "@zag-js/highlight-word": "1.21.6", "@zag-js/hover-card": "1.21.6", "@zag-js/i18n-utils": "1.21.6", "@zag-js/json-tree-utils": "1.21.6", "@zag-js/listbox": "1.21.6", "@zag-js/menu": "1.21.6", "@zag-js/number-input": "1.21.6", "@zag-js/pagination": "1.21.6", "@zag-js/password-input": "1.21.6", "@zag-js/pin-input": "1.21.6", "@zag-js/popover": "1.21.6", "@zag-js/presence": "1.21.6", "@zag-js/progress": "1.21.6", "@zag-js/qr-code": "1.21.6", "@zag-js/radio-group": "1.21.6", "@zag-js/rating-group": "1.21.6", "@zag-js/scroll-area": "1.21.6", "@zag-js/select": "1.21.6", "@zag-js/signature-pad": "1.21.6", "@zag-js/slider": "1.21.6", "@zag-js/solid": "1.21.6", "@zag-js/splitter": "1.21.6", "@zag-js/steps": "1.21.6", "@zag-js/switch": "1.21.6", "@zag-js/tabs": "1.21.6", "@zag-js/tags-input": "1.21.6", "@zag-js/time-picker": "1.21.6", "@zag-js/timer": "1.21.6", "@zag-js/toast": "1.21.6", "@zag-js/toggle": "1.21.6", "@zag-js/toggle-group": "1.21.6", "@zag-js/tooltip": "1.21.6", "@zag-js/tour": "1.21.6", "@zag-js/tree-view": "1.21.6", "@zag-js/types": "1.21.6", "@zag-js/utils": "1.21.6" }, "peerDependencies": { "solid-js": ">=1.6.0" } }, "sha512-k/fHhcm/+qA9/v67zZraovAtIrZeuh6gLbhwBSCmHruJltkUsWnuvZQHnSgs7kaiQ+6o5n+QGlnBLyeNNYlymA=="],
 
-    "@auth/core": ["@auth/core@0.39.1", "", { "dependencies": { "@panva/hkdf": "^1.2.1", "jose": "^6.0.6", "oauth4webapi": "^3.3.0", "preact": "10.24.3", "preact-render-to-string": "6.5.11" }, "peerDependencies": { "@simplewebauthn/browser": "^9.0.1", "@simplewebauthn/server": "^9.0.2", "nodemailer": "^6.8.0" }, "optionalPeers": ["@simplewebauthn/browser", "@simplewebauthn/server", "nodemailer"] }, "sha512-McD8slui0oOA1pjR5sPjLPl5Zm//nLP/8T3kr8hxIsvNLvsiudYvPHhDFPjh1KcZ2nFxCkZmP6bRxaaPd/AnLA=="],
-
     "@aws-crypto/sha256-browser": ["@aws-crypto/sha256-browser@5.2.0", "", { "dependencies": { "@aws-crypto/sha256-js": "^5.2.0", "@aws-crypto/supports-web-crypto": "^5.2.0", "@aws-crypto/util": "^5.2.0", "@aws-sdk/types": "^3.222.0", "@aws-sdk/util-locate-window": "^3.0.0", "@smithy/util-utf8": "^2.0.0", "tslib": "^2.6.2" } }, "sha512-AXfN/lGotSQwu6HNcEsIASo7kWXZ5HYWvfOmSNKDsEqC4OashTp8alTmaz+F7TC2L083SFv5RdB+qU3Vs1kZqw=="],
 
     "@aws-crypto/sha256-js": ["@aws-crypto/sha256-js@5.2.0", "", { "dependencies": { "@aws-crypto/util": "^5.2.0", "@aws-sdk/types": "^3.222.0", "tslib": "^2.6.2" } }, "sha512-FFQQyu7edu4ufvIZ+OadFpHHOt+eSTBaYaki44c+akjg7qZg9oOQeLlk77F6tSYqjDAFClrHJk9tMf0HdVyOvA=="],
@@ -1573,6 +1572,16 @@
 
     "@base-ui-components/utils": ["@base-ui-components/utils@0.1.2", "", { "dependencies": { "@babel/runtime": "^7.28.4", "@floating-ui/utils": "^0.2.10", "reselect": "^5.1.1", "use-sync-external-store": "^1.5.0" }, "peerDependencies": { "@types/react": "^17 || ^18 || ^19", "react": "^17 || ^18 || ^19", "react-dom": "^17 || ^18 || ^19" }, "optionalPeers": ["@types/react"] }, "sha512-aEitDGpMsYO2qnSpYOwZNykn9Rzn2ioyEVk2fyDRH7t+TIHVKpp9CeV7SPTq43M9mMSDxQ+7UeZJVkrj2dCVIQ=="],
 
+    "@better-auth/core": ["@better-auth/core@1.4.10", "", { "dependencies": { "@standard-schema/spec": "^1.0.0", "zod": "^4.1.12" }, "peerDependencies": { "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.21", "better-call": "1.1.7", "jose": "^6.1.0", "kysely": "^0.28.5", "nanostores": "^1.0.1" } }, "sha512-AThrfb6CpG80wqkanfrbN2/fGOYzhGladHFf3JhaWt/3/Vtf4h084T6PJLrDE7M/vCCGYvDI1DkvP3P1OB2HAg=="],
+
+    "@better-auth/expo": ["@better-auth/expo@1.4.10", "", { "dependencies": { "@better-fetch/fetch": "1.1.21", "better-call": "1.1.7", "zod": "^4.1.12" }, "peerDependencies": { "@better-auth/core": "1.4.10", "better-auth": "1.4.10", "expo-constants": ">=17.0.0", "expo-linking": ">=7.0.0", "expo-network": "^8.0.7", "expo-web-browser": ">=14.0.0" }, "optionalPeers": ["expo-constants", "expo-linking", "expo-network", "expo-web-browser"] }, "sha512-dTRschxNgOVlT1hhuXJa41eF4prAqEJYznqyTEf1DYgWHRGHDczVZhqPAswUqIBSQR22y9PhQwyVGWG3hADEKg=="],
+
+    "@better-auth/telemetry": ["@better-auth/telemetry@1.4.10", "", { "dependencies": { "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.21" }, "peerDependencies": { "@better-auth/core": "1.4.10" } }, "sha512-Dq4XJX6EKsUu0h3jpRagX739p/VMOTcnJYWRrLtDYkqtZFg+sFiFsSWVcfapZoWpRSUGYX9iKwl6nDHn6Ju2oQ=="],
+
+    "@better-auth/utils": ["@better-auth/utils@0.3.0", "", {}, "sha512-W+Adw6ZA6mgvnSnhOki270rwJ42t4XzSK6YWGF//BbVXL6SwCLWfyzBc1lN2m/4RM28KubdBKQ4X5VMoLRNPQw=="],
+
+    "@better-fetch/fetch": ["@better-fetch/fetch@1.1.21", "", {}, "sha512-/ImESw0sskqlVR94jB+5+Pxjf+xBwDZF/N5+y2/q4EqD7IARUTSpPfIo8uf39SYpCxyOCtbyYpUrZ3F/k0zT4A=="],
+
     "@biomejs/biome": ["@biomejs/biome@2.3.7", "", { "optionalDependencies": { "@biomejs/cli-darwin-arm64": "2.3.7", "@biomejs/cli-darwin-x64": "2.3.7", "@biomejs/cli-linux-arm64": "2.3.7", "@biomejs/cli-linux-arm64-musl": "2.3.7", "@biomejs/cli-linux-x64": "2.3.7", "@biomejs/cli-linux-x64-musl": "2.3.7", "@biomejs/cli-win32-arm64": "2.3.7", "@biomejs/cli-win32-x64": "2.3.7" }, "bin": { "biome": "bin/biome" } }, "sha512-CTbAS/jNAiUc6rcq94BrTB8z83O9+BsgWj2sBCQg9rD6Wkh2gjfR87usjx0Ncx0zGXP1NKgT7JNglay5Zfs9jw=="],
 
     "@biomejs/cli-darwin-arm64": ["@biomejs/cli-darwin-arm64@2.3.7", "", { "os": "darwin", "cpu": "arm64" }, "sha512-LirkamEwzIUULhXcf2D5b+NatXKeqhOwilM+5eRkbrnr6daKz9rsBL0kNZ16Hcy4b8RFq22SG4tcLwM+yx/wFA=="],
@@ -2003,6 +2012,8 @@
 
     "@nextjournal/lezer-clojure": ["@nextjournal/lezer-clojure@1.0.0", "", { "dependencies": { "@lezer/lr": "^1.0.0" } }, "sha512-VZyuGu4zw5mkTOwQBTaGVNWmsOZAPw5ZRxu1/Knk/Xfs7EDBIogwIs5UXTYkuECX5ZQB8eOB+wKA2pc7VyqaZQ=="],
 
+    "@noble/ciphers": ["@noble/ciphers@2.1.1", "", {}, "sha512-bysYuiVfhxNJuldNXlFEitTVdNnYUc+XNJZd7Qm2a5j1vZHgY+fazadNFWFaMK/2vye0JVlxV3gHmC0WDfAOQw=="],
+
     "@noble/hashes": ["@noble/hashes@1.8.0", "", {}, "sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A=="],
 
     "@nodelib/fs.scandir": ["@nodelib/fs.scandir@2.1.5", "", { "dependencies": { "@nodelib/fs.stat": "2.0.5", "run-parallel": "^1.1.9" } }, "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g=="],
@@ -2241,8 +2252,6 @@
 
     "@orpc/zod": ["@orpc/zod@1.12.3", "", { "dependencies": { "@orpc/json-schema": "1.12.3", "@orpc/openapi": "1.12.3", "@orpc/shared": "1.12.3", "escape-string-regexp": "^5.0.0", "wildcard-match": "^5.1.3" }, "peerDependencies": { "@orpc/contract": "1.12.3", "@orpc/server": "1.12.3", "zod": ">=3.25.0" } }, "sha512-u/toZgIXDbTUHjb7xuEM3ktUaD/2AxTo8x7BndGlZM7uP+XpzsUzYHW128i9fsyYF55QQc0nXcGir99NmOSFzw=="],
 
-    "@panva/hkdf": ["@panva/hkdf@1.2.1", "", {}, "sha512-6oclG6Y3PiDFcoyk8srjLfVKyMfVCKJ27JwNPViuXziFpmdz+MZnZN/aKY0JGXgYuO/VghU0jcOAZgWXZ1Dmrw=="],
-
     "@paralleldrive/cuid2": ["@paralleldrive/cuid2@2.2.1", "", { "dependencies": { "@noble/hashes": "^1.1.5" } }, "sha512-GJhHYlMhyT2gWemDL7BGMWfTNhspJKkikLKh9wAy3z4GTTINvTYALkUd+eGQK7aLeVkVzPuSA0VCT3H5eEWbbw=="],
 
     "@parcel/watcher": ["@parcel/watcher@2.5.1", "", { "dependencies": { "detect-libc": "^1.0.3", "is-glob": "^4.0.3", "micromatch": "^4.0.5", "node-addon-api": "^7.0.0" }, "optionalDependencies": { "@parcel/watcher-android-arm64": "2.5.1", "@parcel/watcher-darwin-arm64": "2.5.1", "@parcel/watcher-darwin-x64": "2.5.1", "@parcel/watcher-freebsd-x64": "2.5.1", "@parcel/watcher-linux-arm-glibc": "2.5.1", "@parcel/watcher-linux-arm-musl": "2.5.1", "@parcel/watcher-linux-arm64-glibc": "2.5.1", "@parcel/watcher-linux-arm64-musl": "2.5.1", "@parcel/watcher-linux-x64-glibc": "2.5.1", "@parcel/watcher-linux-x64-musl": "2.5.1", "@parcel/watcher-win32-arm64": "2.5.1", "@parcel/watcher-win32-ia32": "2.5.1", "@parcel/watcher-win32-x64": "2.5.1" } }, "sha512-dfUnCxiN9H4ap84DvD2ubjw+3vUNpstxa0TneY/Paat8a3R4uQZDLSvWjmznAY/DoahqTHl9V46HF/Zs3F29pg=="],
@@ -3471,6 +3480,10 @@
 
     "before-after-hook": ["before-after-hook@2.2.3", "", {}, "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="],
 
+    "better-auth": ["better-auth@1.4.10", "", { "dependencies": { "@better-auth/core": "1.4.10", "@better-auth/telemetry": "1.4.10", "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.21", "@noble/ciphers": "^2.0.0", "@noble/hashes": "^2.0.0", "better-call": "1.1.7", "defu": "^6.1.4", "jose": "^6.1.0", "kysely": "^0.28.5", "nanostores": "^1.0.1", "zod": "^4.1.12" }, "peerDependencies": { "@lynx-js/react": "*", "@prisma/client": "^5.0.0 || ^6.0.0 || ^7.0.0", "@sveltejs/kit": "^2.0.0", "@tanstack/react-start": "^1.0.0", "better-sqlite3": "^12.0.0", "drizzle-kit": ">=0.31.4", "drizzle-orm": ">=0.41.0", "mongodb": "^6.0.0 || ^7.0.0", "mysql2": "^3.0.0", "next": "^14.0.0 || ^15.0.0 || ^16.0.0", "pg": "^8.0.0", "prisma": "^5.0.0 || ^6.0.0 || ^7.0.0", "react": "^18.0.0 || ^19.0.0", "react-dom": "^18.0.0 || ^19.0.0", "solid-js": "^1.0.0", "svelte": "^4.0.0 || ^5.0.0", "vitest": "^2.0.0 || ^3.0.0 || ^4.0.0", "vue": "^3.0.0" }, "optionalPeers": ["@lynx-js/react", "@prisma/client", "@sveltejs/kit", "@tanstack/react-start", "better-sqlite3", "drizzle-kit", "drizzle-orm", "mongodb", "mysql2", "next", "pg", "prisma", "react", "react-dom", "solid-js", "svelte", "vitest", "vue"] }, "sha512-0kqwEBJLe8eyFzbUspRG/htOriCf9uMLlnpe34dlIJGdmDfPuQISd4shShvUrvIVhPxsY1dSTXdXPLpqISYOYg=="],
+
+    "better-call": ["better-call@1.1.7", "", { "dependencies": { "@better-auth/utils": "^0.3.0", "@better-fetch/fetch": "^1.1.4", "rou3": "^0.7.10", "set-cookie-parser": "^2.7.1" }, "peerDependencies": { "zod": "^4.0.0" }, "optionalPeers": ["zod"] }, "sha512-6gaJe1bBIEgVebQu/7q9saahVzvBsGaByEnE8aDVncZEDiJO7sdNB28ot9I6iXSbR25egGmmZ6aIURXyQHRraQ=="],
+
     "bignumber.js": ["bignumber.js@9.3.1", "", {}, "sha512-Ko0uX15oIUS7wJ3Rb30Fs6SkVbLmPBAKdlm7q9+ak9bbIeFf0MwuBsQV6z7+X768/cHsfg+WlysDWJcmthjsjQ=="],
 
     "binary-extensions": ["binary-extensions@2.3.0", "", {}, "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw=="],
@@ -4413,6 +4426,8 @@
 
     "ky": ["ky@1.2.4", "", {}, "sha512-CfSrf4a0yj1n6WgPT6kQNQOopIGLkQzqSAXo05oKByaH7G3SiqW4a8jGox0p9whMXqO49H7ljgigivrMyycAVA=="],
 
+    "kysely": ["kysely@0.28.9", "", {}, "sha512-3BeXMoiOhpOwu62CiVpO6lxfq4eS6KMYfQdMsN/2kUCRNuF2YiEr7u0HLHaQU+O4Xu8YXE3bHVkwaQ85i72EuA=="],
+
     "landing-page": ["landing-page@workspace:apps/landing-page"],
 
     "lazystream": ["lazystream@1.0.1", "", { "dependencies": { "readable-stream": "^2.0.5" } }, "sha512-b94GiNHQNy6JNTrt5w6zNyffMrNkXZb3KTkCZJb2V1xaEGCk093vkZ2jk3tpaeP33/OiXC+WvK9AxUebnf5nbw=="],
@@ -4735,6 +4750,8 @@
 
     "nanoid": ["nanoid@5.1.5", "", { "bin": { "nanoid": "bin/nanoid.js" } }, "sha512-Ir/+ZpE9fDsNH0hQ3C68uyThDXzYcim2EqcZ8zn8Chtt1iylPT9xXJB0kPCnqzgcEGikO9RxSrh63MsmVCU7Fw=="],
 
+    "nanostores": ["nanostores@1.1.0", "", {}, "sha512-yJBmDJr18xy47dbNVlHcgdPrulSn1nhSE6Ns9vTG+Nx9VPT6iV1MD6aQFp/t52zpf82FhLLTXAXr30NuCnxvwA=="],
+
     "napi-build-utils": ["napi-build-utils@2.0.0", "", {}, "sha512-GEbrYkbfF7MoNaoh2iGG84Mnf/WZfB0GdGEsM8wz7Expx/LlWf5U8t9nvJKXSp3qr5IsEbK04cBGhol/KwOsWA=="],
 
     "negotiator": ["negotiator@0.6.3", "", {}, "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg=="],
@@ -4745,8 +4762,6 @@
 
     "next": ["next@15.5.9", "", { "dependencies": { "@next/env": "15.5.9", "@swc/helpers": "0.5.15", "caniuse-lite": "^1.0.30001579", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "15.5.7", "@next/swc-darwin-x64": "15.5.7", "@next/swc-linux-arm64-gnu": "15.5.7", "@next/swc-linux-arm64-musl": "15.5.7", "@next/swc-linux-x64-gnu": "15.5.7", "@next/swc-linux-x64-musl": "15.5.7", "@next/swc-win32-arm64-msvc": "15.5.7", "@next/swc-win32-x64-msvc": "15.5.7", "sharp": "^0.34.3" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", "@playwright/test": "^1.51.1", "babel-plugin-react-compiler": "*", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "sass": "^1.3.0" }, "optionalPeers": ["@opentelemetry/api", "@playwright/test", "babel-plugin-react-compiler", "sass"], "bin": { "next": "dist/bin/next" } }, "sha512-agNLK89seZEtC5zUHwtut0+tNrc0Xw4FT/Dg+B/VLEo9pAcS9rtTKpek3V6kVcVwsB2YlqMaHdfZL4eLEVYuCg=="],
 
-    "next-auth": ["next-auth@5.0.0-beta.28", "", { "dependencies": { "@auth/core": "0.39.1" }, "peerDependencies": { "@simplewebauthn/browser": "^9.0.1", "@simplewebauthn/server": "^9.0.2", "next": "^14.0.0-0 || ^15.0.0-0", "nodemailer": "^6.6.5", "react": "^18.2.0 || ^19.0.0-0" }, "optionalPeers": ["@simplewebauthn/browser", "@simplewebauthn/server", "nodemailer"] }, "sha512-2RDR1h3DJb4nizcd5UBBwC2gtyP7j/jTvVLvEtDaFSKUWNfou3Gek2uTNHSga/Q4I/GF+OJobA4mFbRaWJgIDQ=="],
-
     "next-mdx-remote": ["next-mdx-remote@4.4.1", "", { "dependencies": { "@mdx-js/mdx": "^2.2.1", "@mdx-js/react": "^2.2.1", "vfile": "^5.3.0", "vfile-matter": "^3.0.1" }, "peerDependencies": { "react": ">=16.x <=18.x", "react-dom": ">=16.x <=18.x" } }, "sha512-1BvyXaIou6xy3XoNF4yaMZUCb6vD2GTAa5ciOa6WoO+gAUTYsb1K4rI/HSC2ogAWLrb/7VSV52skz07vOzmqIQ=="],
 
     "next-runtime-env": ["next-runtime-env@1.6.2", "", { "dependencies": { "chalk": "^4.1.2" } }, "sha512-JETzGBe4v1gjb3dbu3unZ/kUPEOgtyz+R5YJNTfdVpWFK8YotyM9sitj1/NPNZ7knjmLDVrljnwvamjBT7UALQ=="],
@@ -4801,8 +4816,6 @@
 
     "nypm": ["nypm@0.6.0", "", { "dependencies": { "citty": "^0.1.6", "consola": "^3.4.0", "pathe": "^2.0.3", "pkg-types": "^2.0.0", "tinyexec": "^0.3.2" }, "bin": { "nypm": "dist/cli.mjs" } }, "sha512-mn8wBFV9G9+UFHIrq+pZ2r2zL4aPau/by3kJb3cM7+5tQHMt6HGQB8FDIeKFYp8o0D2pnH6nVsO88N4AmUxIWg=="],
 
-    "oauth4webapi": ["oauth4webapi@3.8.1", "", {}, "sha512-olkZDELNycOWQf9LrsELFq8n05LwJgV8UkrS0cburk6FOwf8GvLam+YB+Uj5Qvryee+vwWOfQVeI5Vm0MVg7SA=="],
-
     "object-assign": ["object-assign@4.1.1", "", {}, "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg=="],
 
     "object-hash": ["object-hash@3.0.0", "", {}, "sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw=="],
@@ -4967,10 +4980,6 @@
 
     "posthog-node": ["posthog-node@5.8.2", "", { "dependencies": { "@posthog/core": "1.0.2" } }, "sha512-z3XRvYwnc3T/1999FKzv16YTpxERQqLunULl2vkOPfgbCXUGNyJWLgcbTcED2ZIDE11jjZhrSph4De6OSMLphw=="],
 
-    "preact": ["preact@10.24.3", "", {}, "sha512-Z2dPnBnMUfyQfSQ+GBdsGa16hz35YmLmtTLhM169uW944hYL6xzTYkJjC07j+Wosz733pMWx0fgON3JNw1jJQA=="],
-
-    "preact-render-to-string": ["preact-render-to-string@6.5.11", "", { "peerDependencies": { "preact": ">=10" } }, "sha512-ubnauqoGczeGISiOh6RjX0/cdaF8v/oDXIjO85XALCQjwQP+SB4RDXXtvZ6yTYSjG+PC1QRP2AhPgCEsM2EvUw=="],
-
     "prebuild-install": ["prebuild-install@7.1.3", "", { "dependencies": { "detect-libc": "^2.0.0", "expand-template": "^2.0.3", "github-from-package": "0.0.0", "minimist": "^1.2.3", "mkdirp-classic": "^0.5.3", "napi-build-utils": "^2.0.0", "node-abi": "^3.3.0", "pump": "^3.0.0", "rc": "^1.2.7", "simple-get": "^4.0.0", "tar-fs": "^2.0.0", "tunnel-agent": "^0.6.0" }, "bin": { "prebuild-install": "bin.js" } }, "sha512-8Mf2cbV7x1cXPUILADGI3wuhfqWvtiLA1iclTDbFRZkgRQS0NqsPZphna9V+HyTEadheuPmjaJMsbzKQFOzLug=="],
 
     "prettier": ["prettier@2.8.8", "", { "bin": { "prettier": "bin-prettier.js" } }, "sha512-tdN8qQGvNjw4CHbY+XXk0JgCXn9QiF21a55rBe5LJAU+kDyC4WQn4+awm2Xfk2lQMk5fKup9XgzTZtGkjBdP9Q=="],
@@ -5245,6 +5254,8 @@
 
     "set-blocking": ["set-blocking@2.0.0", "", {}, "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw=="],
 
+    "set-cookie-parser": ["set-cookie-parser@2.7.2", "", {}, "sha512-oeM1lpU/UvhTxw+g3cIfxXHyJRc/uidd3yK1P242gzHds0udQBYzs3y8j4gCCW+ZJ7ad0yctld8RYO+bdurlvw=="],
+
     "set-function-length": ["set-function-length@1.2.2", "", { "dependencies": { "define-data-property": "^1.1.4", "es-errors": "^1.3.0", "function-bind": "^1.1.2", "get-intrinsic": "^1.2.4", "gopd": "^1.0.1", "has-property-descriptors": "^1.0.2" } }, "sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg=="],
 
     "set-harmonic-interval": ["set-harmonic-interval@1.0.1", "", {}, "sha512-AhICkFV84tBP1aWqPwLZqFvAwqEoVA9kxNMniGEUvzOlm4vLmOFLiTT3UZ6bziJTy4bOVpzWGTfSCbmaayGx8g=="],
@@ -5823,10 +5834,6 @@
 
     "@ai-sdk/vue/@ai-sdk/ui-utils": ["@ai-sdk/ui-utils@0.0.36", "", { "dependencies": { "@ai-sdk/provider": "0.0.21", "@ai-sdk/provider-utils": "1.0.15", "json-schema": "0.4.0", "secure-json-parse": "2.7.0", "zod-to-json-schema": "3.23.2" }, "peerDependencies": { "zod": "^3.0.0" }, "optionalPeers": ["zod"] }, "sha512-aaVQFFp2jzmTezIf+1r1Oj0F6IXMYwT1Bx2w7nLTEeoQDxPriLL/I+0nJJWUMPztAJhmZEx5WRaPMVC4Y5tm2Q=="],
 
-    "@auth/core/jose": ["jose@6.1.0", "", {}, "sha512-TTQJyoEoKcC1lscpVDCSsVgYzUDg/0Bt3WE//WiTPK6uOCQC2KZS4MpugbMWt/zyjkopgZoXhZuCi00gLudfUA=="],
-
-    "@auth/core/nodemailer": ["nodemailer@6.9.15", "", {}, "sha512-AHf04ySLC6CIfuRtRiEYtGEXgRfa6INgWGluDhnxTZhHSKvrBu7lc1VVchQ0d8nPc4cFaZoPq8vkyNoZr0TpGQ=="],
-
     "@aws-crypto/sha256-browser/@smithy/util-utf8": ["@smithy/util-utf8@2.3.0", "", { "dependencies": { "@smithy/util-buffer-from": "^2.2.0", "tslib": "^2.6.2" } }, "sha512-R8Rdn8Hy72KKcebgLiv8jQcQkXoLMOGGv5uI1/k0l+snqkOzQ1R0ChUBCxWMlBsFMekWjq0wRudIweFs7sKT5A=="],
 
     "@aws-crypto/util/@smithy/util-utf8": ["@smithy/util-utf8@2.3.0", "", { "dependencies": { "@smithy/util-buffer-from": "^2.2.0", "tslib": "^2.6.2" } }, "sha512-R8Rdn8Hy72KKcebgLiv8jQcQkXoLMOGGv5uI1/k0l+snqkOzQ1R0ChUBCxWMlBsFMekWjq0wRudIweFs7sKT5A=="],
@@ -5883,6 +5890,12 @@
 
     "@base-ui-components/utils/@babel/runtime": ["@babel/runtime@7.28.4", "", {}, "sha512-Q/N6JNWvIvPnLDvjlE1OUBLPQHH6l3CltCEsHIujp45zQUSSh8K+gHnaEX45yAT1nyngnINhvWtzN+Nb9D8RAQ=="],
 
+    "@better-auth/core/jose": ["jose@6.1.0", "", {}, "sha512-TTQJyoEoKcC1lscpVDCSsVgYzUDg/0Bt3WE//WiTPK6uOCQC2KZS4MpugbMWt/zyjkopgZoXhZuCi00gLudfUA=="],
+
+    "@better-auth/core/zod": ["zod@4.3.5", "", {}, "sha512-k7Nwx6vuWx1IJ9Bjuf4Zt1PEllcwe7cls3VNzm4CQ1/hgtFUK2bRNG3rvnpPUhFjmqJKAKtjV576KnUkHocg/g=="],
+
+    "@better-auth/expo/zod": ["zod@4.3.5", "", {}, "sha512-k7Nwx6vuWx1IJ9Bjuf4Zt1PEllcwe7cls3VNzm4CQ1/hgtFUK2bRNG3rvnpPUhFjmqJKAKtjV576KnUkHocg/g=="],
+
     "@bundled-es-modules/cookie/cookie": ["cookie@0.7.2", "", {}, "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w=="],
 
     "@cloudflare/kv-asset-handler/mime": ["mime@3.0.0", "", { "bin": { "mime": "cli.js" } }, "sha512-jSCU7/VB1loIWBZe14aEYHU/+1UMEHoaO7qxCOVJOw9GgH72VAWppxNcjU+x9a2k3GSIBXNKxXQFqRvvZ7vr3A=="],
@@ -6391,6 +6404,12 @@
 
     "babel-plugin-jsx-dom-expressions/html-entities": ["html-entities@2.3.3", "", {}, "sha512-DV5Ln36z34NNTDgnz0EWGBLZENelNAtkiFA4kyNOG2tDI6Mz1uSWiq1wAKdyjnJwyDiDO7Fa2SO1CTxPXL8VxA=="],
 
+    "better-auth/@noble/hashes": ["@noble/hashes@2.0.1", "", {}, "sha512-XlOlEbQcE9fmuXxrVTXCTlG2nlRXa9Rj3rr5Ue/+tX+nmkgbX720YHh0VR3hBF9xDvwnb8D2shVGOwNx+ulArw=="],
+
+    "better-auth/jose": ["jose@6.1.0", "", {}, "sha512-TTQJyoEoKcC1lscpVDCSsVgYzUDg/0Bt3WE//WiTPK6uOCQC2KZS4MpugbMWt/zyjkopgZoXhZuCi00gLudfUA=="],
+
+    "better-auth/zod": ["zod@4.3.5", "", {}, "sha512-k7Nwx6vuWx1IJ9Bjuf4Zt1PEllcwe7cls3VNzm4CQ1/hgtFUK2bRNG3rvnpPUhFjmqJKAKtjV576KnUkHocg/g=="],
+
     "bl/buffer": ["buffer@5.7.1", "", { "dependencies": { "base64-js": "^1.3.1", "ieee754": "^1.1.13" } }, "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ=="],
 
     "body-parser/bytes": ["bytes@3.1.2", "", {}, "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg=="],
@@ -6653,8 +6672,6 @@
 
     "next/sharp": ["sharp@0.34.3", "", { "dependencies": { "color": "^4.2.3", "detect-libc": "^2.0.4", "semver": "^7.7.2" }, "optionalDependencies": { "@img/sharp-darwin-arm64": "0.34.3", "@img/sharp-darwin-x64": "0.34.3", "@img/sharp-libvips-darwin-arm64": "1.2.0", "@img/sharp-libvips-darwin-x64": "1.2.0", "@img/sharp-libvips-linux-arm": "1.2.0", "@img/sharp-libvips-linux-arm64": "1.2.0", "@img/sharp-libvips-linux-ppc64": "1.2.0", "@img/sharp-libvips-linux-s390x": "1.2.0", "@img/sharp-libvips-linux-x64": "1.2.0", "@img/sharp-libvips-linuxmusl-arm64": "1.2.0", "@img/sharp-libvips-linuxmusl-x64": "1.2.0", "@img/sharp-linux-arm": "0.34.3", "@img/sharp-linux-arm64": "0.34.3", "@img/sharp-linux-ppc64": "0.34.3", "@img/sharp-linux-s390x": "0.34.3", "@img/sharp-linux-x64": "0.34.3", "@img/sharp-linuxmusl-arm64": "0.34.3", "@img/sharp-linuxmusl-x64": "0.34.3", "@img/sharp-wasm32": "0.34.3", "@img/sharp-win32-arm64": "0.34.3", "@img/sharp-win32-ia32": "0.34.3", "@img/sharp-win32-x64": "0.34.3" } }, "sha512-eX2IQ6nFohW4DbvHIOLRB3MHFpYqaqvXd3Tp5e/T/dSH83fxaNJQRvDMhASmkNTsNTVF2/OOopzRCt7xokgPfg=="],
 
-    "next-auth/nodemailer": ["nodemailer@6.9.15", "", {}, "sha512-AHf04ySLC6CIfuRtRiEYtGEXgRfa6INgWGluDhnxTZhHSKvrBu7lc1VVchQ0d8nPc4cFaZoPq8vkyNoZr0TpGQ=="],
-
     "next-mdx-remote/@mdx-js/mdx": ["@mdx-js/mdx@2.3.0", "", { "dependencies": { "@types/estree-jsx": "^1.0.0", "@types/mdx": "^2.0.0", "estree-util-build-jsx": "^2.0.0", "estree-util-is-identifier-name": "^2.0.0", "estree-util-to-js": "^1.1.0", "estree-walker": "^3.0.0", "hast-util-to-estree": "^2.0.0", "markdown-extensions": "^1.0.0", "periscopic": "^3.0.0", "remark-mdx": "^2.0.0", "remark-parse": "^10.0.0", "remark-rehype": "^10.0.0", "unified": "^10.0.0", "unist-util-position-from-estree": "^1.0.0", "unist-util-stringify-position": "^3.0.0", "unist-util-visit": "^4.0.0", "vfile": "^5.0.0" } }, "sha512-jLuwRlz8DQfQNiUCJR50Y09CGPq3fLtmtUQfVrj79E0JWu3dvsVcxVIcfhR5h0iXu+/z++zDrYeiJqifRynJkA=="],
 
     "next-mdx-remote/@mdx-js/react": ["@mdx-js/react@2.3.0", "", { "dependencies": { "@types/mdx": "^2.0.0", "@types/react": ">=16" }, "peerDependencies": { "react": ">=16" } }, "sha512-zQH//gdOmuu7nt2oJR29vFhDv88oGPmVw6BggmrHeMI+xgEkp1B2dX9/bMBSYtK0dyLX/aOmesKS09g222K1/g=="],
diff --git a/packages/env/src/index.ts b/packages/env/src/index.ts
index 96c62ed823..83ed93b929 100644
--- a/packages/env/src/index.ts
+++ b/packages/env/src/index.ts
@@ -6,7 +6,7 @@ declare const window: {
   __ENV?: any;
 };
 
-const guessNextAuthUrlForVercelPreview = (val: unknown) => {
+const guessBetterAuthUrlForVercelPreview = (val: unknown) => {
   if (
     (val && typeof val === "string" && val.length > 0) ||
     process.env.VERCEL_ENV !== "preview" ||
@@ -66,8 +66,9 @@ const baseEnv = {
       .url()
       .refine((url) => url.startsWith("postgres") || url.startsWith("mysql")),
     ENCRYPTION_SECRET: z.string().length(32),
-    NEXTAUTH_URL: z.preprocess(
-      guessNextAuthUrlForVercelPreview,
+    BETTER_AUTH_SECRET: z.string().min(32).optional(),
+    BETTER_AUTH_URL: z.preprocess(
+      guessBetterAuthUrlForVercelPreview,
       z.string().url(),
     ),
     DISABLE_SIGNUP: boolean.optional().default("false"),
@@ -112,6 +113,10 @@ const baseEnv = {
     ),
   },
   client: {
+    NEXT_PUBLIC_BETTER_AUTH_URL: z.preprocess(
+      guessBetterAuthUrlForVercelPreview,
+      z.string().url(),
+    ),
     NEXT_PUBLIC_VIEWER_URL: z.preprocess(
       guessViewerUrlForVercelPreview,
       z
@@ -120,6 +125,16 @@ const baseEnv = {
         .transform((val) => val.split(",")),
     ),
     NEXT_PUBLIC_ONBOARDING_TYPEBOT_ID: z.string().min(1).optional(),
+    // Auth provider flags (client-side visibility for sign-in UI)
+    NEXT_PUBLIC_GITHUB_ENABLED: z.string().optional().transform(v => v === "true"),
+    NEXT_PUBLIC_GOOGLE_ENABLED: z.string().optional().transform(v => v === "true"),
+    NEXT_PUBLIC_FACEBOOK_ENABLED: z.string().optional().transform(v => v === "true"),
+    NEXT_PUBLIC_GITLAB_ENABLED: z.string().optional().transform(v => v === "true"),
+    NEXT_PUBLIC_AZURE_ENABLED: z.string().optional().transform(v => v === "true"),
+    NEXT_PUBLIC_KEYCLOAK_ENABLED: z.string().optional().transform(v => v === "true"),
+    NEXT_PUBLIC_CUSTOM_OAUTH_ENABLED: z.string().optional().transform(v => v === "true"),
+    NEXT_PUBLIC_CUSTOM_OAUTH_NAME: z.string().optional(),
+    NEXT_PUBLIC_EMAIL_ENABLED: z.string().optional().transform(v => v === "true"),
     NEXT_PUBLIC_BOT_FILE_UPLOAD_MAX_SIZE: z.coerce.number().optional(),
     NEXT_PUBLIC_CHAT_API_URL: z.string().url().optional(),
     NEXT_PUBLIC_VIEWER_404_TITLE: z.string().optional().default("404"),
@@ -129,10 +144,21 @@ const baseEnv = {
       .default("The bot you're looking for doesn't exist"),
   },
   runtimeEnv: {
+    NEXT_PUBLIC_BETTER_AUTH_URL: getRuntimeVariable("NEXT_PUBLIC_BETTER_AUTH_URL"),
     NEXT_PUBLIC_VIEWER_URL: getRuntimeVariable("NEXT_PUBLIC_VIEWER_URL"),
     NEXT_PUBLIC_ONBOARDING_TYPEBOT_ID: getRuntimeVariable(
       "NEXT_PUBLIC_ONBOARDING_TYPEBOT_ID",
     ),
+    // Auth provider flags
+    NEXT_PUBLIC_GITHUB_ENABLED: getRuntimeVariable("NEXT_PUBLIC_GITHUB_ENABLED"),
+    NEXT_PUBLIC_GOOGLE_ENABLED: getRuntimeVariable("NEXT_PUBLIC_GOOGLE_ENABLED"),
+    NEXT_PUBLIC_FACEBOOK_ENABLED: getRuntimeVariable("NEXT_PUBLIC_FACEBOOK_ENABLED"),
+    NEXT_PUBLIC_GITLAB_ENABLED: getRuntimeVariable("NEXT_PUBLIC_GITLAB_ENABLED"),
+    NEXT_PUBLIC_AZURE_ENABLED: getRuntimeVariable("NEXT_PUBLIC_AZURE_ENABLED"),
+    NEXT_PUBLIC_KEYCLOAK_ENABLED: getRuntimeVariable("NEXT_PUBLIC_KEYCLOAK_ENABLED"),
+    NEXT_PUBLIC_CUSTOM_OAUTH_ENABLED: getRuntimeVariable("NEXT_PUBLIC_CUSTOM_OAUTH_ENABLED"),
+    NEXT_PUBLIC_CUSTOM_OAUTH_NAME: getRuntimeVariable("NEXT_PUBLIC_CUSTOM_OAUTH_NAME"),
+    NEXT_PUBLIC_EMAIL_ENABLED: getRuntimeVariable("NEXT_PUBLIC_EMAIL_ENABLED"),
     NEXT_PUBLIC_BOT_FILE_UPLOAD_MAX_SIZE: getRuntimeVariable(
       "NEXT_PUBLIC_BOT_FILE_UPLOAD_MAX_SIZE",
     ),
diff --git a/packages/prisma/postgresql/schema.prisma b/packages/prisma/postgresql/schema.prisma
index 9a2e65da75..faf576dc5d 100644
--- a/packages/prisma/postgresql/schema.prisma
+++ b/packages/prisma/postgresql/schema.prisma
@@ -7,62 +7,157 @@ datasource db {
   url      = env("DATABASE_URL")
 }
 
-model Account {
-  id                       String  @id @default(cuid())
-  userId                   String
-  type                     String
-  provider                 String
-  providerAccountId        String
-  refresh_token            String?
-  access_token             String?
-  expires_at               Int?
-  token_type               String?
-  scope                    String?
-  id_token                 String?
-  session_state            String?
-  oauth_token_secret       String?
-  oauth_token              String?
-  refresh_token_expires_in Int?
-  user                     User    @relation(fields: [userId], references: [id], onDelete: Cascade)
-
-  @@unique([provider, providerAccountId])
-}
-
-model Session {
-  id           String   @id @default(cuid())
-  sessionToken String   @unique
-  userId       String
-  expires      DateTime
-  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
-}
+// =============================================================================
+// Authentication Models (Better Auth)
+// =============================================================================
 
 model User {
-  id                          String                    @id @default(cuid())
-  createdAt                   DateTime                  @default(now())
-  updatedAt                   DateTime                  @default(now()) @updatedAt
-  lastActivityAt              DateTime                  @default(now())
-  name                        String?
-  email                       String?                   @unique
-  emailVerified               DateTime?
-  image                       String?
+  id        String   @id @default(uuid())
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Better Auth required fields
+  name          String
+  email         String  @unique
+  emailVerified Boolean @default(false)
+  image         String?
+
+  // Better Auth plugin fields
+  role                String    @default("user")
+  banned              Boolean   @default(false)
+  banReason           String?
+  banExpires          DateTime?
+  twoFactorEnabled    Boolean   @default(false)
+  phoneNumber         String?   @unique
+  phoneNumberVerified Boolean   @default(false)
+
+  // Typebot-specific fields
+  lastActivityAt              DateTime          @default(now())
   company                     String?
-  onboardingCategories        Json
+  onboardingCategories        Json              @default("{}")
   referral                    String?
   graphNavigation             GraphNavigation?
   preferredAppAppearance      String?
-  accounts                    Account[]
-  apiTokens                   ApiToken[]
-  CollaboratorsOnTypebots     CollaboratorsOnTypebots[]
-  workspaces                  MemberInWorkspace[]
-  sessions                    Session[]
-  bannedIps                   BannedIp[]
   displayedInAppNotifications Json?
-  credentials                 UserCredentials[]
   groupTitlesAutoGeneration   Json?
   preferredLanguage           String?
   termsAcceptedAt             DateTime?
+
+  // Relations
+  sessions                Session[]
+  accounts                Account[]
+  passkeys                Passkey[]
+  twoFactor               TwoFactor?
+  apiTokens               ApiToken[]
+  CollaboratorsOnTypebots CollaboratorsOnTypebots[]
+  workspaces              MemberInWorkspace[]
+  bannedIps               BannedIp[]
+  credentials             UserCredentials[]
+
+  @@index([email])
+}
+
+model Session {
+  id        String   @id @default(uuid())
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Better Auth required fields
+  token     String   @unique
+  expiresAt DateTime
+  ipAddress String?
+  userAgent String?
+
+  // Better Auth plugin fields
+  impersonatedBy String?
+
+  // Relations
+  userId String
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+  @@index([token])
+}
+
+model Account {
+  id        String   @id @default(uuid())
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Better Auth required fields
+  accountId    String
+  providerId   String
+  accessToken  String?
+  refreshToken String?
+  expiresAt    DateTime?
+  tokenType    String?
+  scope        String?
+  idToken      String?
+  password     String?
+
+  // Relations
+  userId String
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([providerId, accountId])
+  @@index([userId])
 }
 
+model Verification {
+  id         String   @id @default(uuid())
+  identifier String
+  value      String
+  expiresAt  DateTime
+  createdAt  DateTime @default(now())
+  updatedAt  DateTime @updatedAt
+
+  @@unique([identifier, value])
+}
+
+model Passkey {
+  id        String   @id @default(uuid())
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Better Auth passkey fields
+  credentialId String  @unique
+  publicKey    String
+  counter      Int     @default(0)
+  deviceType   String?
+  backedUp     Boolean @default(false)
+  transports   String?
+  name         String?
+
+  // Relations
+  userId String
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+}
+
+model TwoFactor {
+  id          String  @id @default(uuid())
+  secret      String?
+  backupCodes String?
+
+  userId String @unique
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+}
+
+model Jwks {
+  id         String   @id @default(uuid())
+  publicKey  String
+  privateKey String
+  createdAt  DateTime @default(now())
+}
+
+// =============================================================================
+// Typebot Models
+// =============================================================================
+
 model ApiToken {
   id        String   @id @default(cuid())
   createdAt DateTime @default(now())
@@ -160,15 +255,6 @@ model UserCredentials {
   user      User     @relation(fields: [userId], references: [id], onDelete: Cascade)
 }
 
-model VerificationToken {
-  identifier String
-  token      String   @unique
-  value      String?
-  expires    DateTime
-
-  @@unique([identifier, token])
-}
-
 model DashboardFolder {
   id             String            @id @default(cuid())
   createdAt      DateTime          @default(now())

From 19d025310e29b7161f5abd3af08488d971fe69b1 Mon Sep 17 00:00:00 2001
From: Brian Johnson <brianmjohnson@users.noreply.github.com>
Date: Wed, 7 Jan 2026 03:38:33 -0800
Subject: [PATCH 02/11] fix: Resolve TypeScript errors from Better Auth
 migration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update verificationToken → verification model references
- Fix user schema to match Better Auth fields (emailVerified: boolean, etc.)
- Update workspace member schema for required name/email fields
- Add getMe TRPC query for fetching full user data
- Create getSessionFromContext helper for SSR pages
- Update UserProvider to fetch full user from DB instead of session
- Fix imports: nextAuth → Better Auth client
- Remove NextAuth SessionProvider from _app.tsx
- Update email verification flow for new schema structure

Brian Johnson in useFoundry.ai

(cherry picked from commit 5896a5444a82ce47b61c6be818a9624b11019876)
---
 .../src/app/api/s3/private/[...key]/route.ts  | 11 +++--
 .../auth/api/sendUpdateEmailVerifCodeEmail.ts | 14 +++---
 .../src/features/auth/api/updateUserEmail.ts  | 45 ++++++++++-------
 .../helpers/accountHasRequiredOAuthGroups.ts  |  9 +++-
 .../helpers/trackAnalyticsPageView.ts         |  4 +-
 .../src/features/user/UserProvider.tsx        | 48 ++++++++++++-------
 .../builder/src/features/user/server/getMe.ts | 40 ++++++++++++++++
 .../src/features/user/server/routers.ts       |  2 +
 .../whatsapp/generateVerificationToken.ts     |  8 ++--
 .../src/lib/auth/getSessionFromContext.ts     | 26 ++++++++++
 .../src/lib/auth/send-verification-email.ts   |  4 +-
 apps/builder/src/pages/_app.tsx               | 21 ++++----
 apps/builder/src/pages/feedback.tsx           |  4 +-
 .../src/pages/feedback/[feedbackId].ts        |  4 +-
 packages/env/src/index.ts                     |  5 ++
 packages/user/src/schemas.ts                  | 16 +++++--
 packages/workspaces/src/schemas.ts            |  4 +-
 17 files changed, 192 insertions(+), 73 deletions(-)
 create mode 100644 apps/builder/src/features/user/server/getMe.ts
 create mode 100644 apps/builder/src/lib/auth/getSessionFromContext.ts

diff --git a/apps/builder/src/app/api/s3/private/[...key]/route.ts b/apps/builder/src/app/api/s3/private/[...key]/route.ts
index 0bb20f748f..f2d410ba5c 100644
--- a/apps/builder/src/app/api/s3/private/[...key]/route.ts
+++ b/apps/builder/src/app/api/s3/private/[...key]/route.ts
@@ -6,13 +6,13 @@ import { getFileTempUrl } from "@typebot.io/lib/s3/getFileTempUrl";
 import prisma from "@typebot.io/prisma";
 import { isReadTypebotForbidden } from "@typebot.io/typebot/helpers/isReadTypebotForbidden";
 import type { NextRequest } from "next/server";
-import { auth } from "@/features/auth/lib/nextAuth";
+import { auth } from "@/lib/auth/config";
 
 type PathParams = Record<string, string>;
 
 type User = {
   id: string;
-  email: string | null;
+  email: string;
 };
 
 const pathAuthorizationCheckers: Record<
@@ -57,8 +57,13 @@ export const GET = async (
   req: NextRequest,
   { params }: { params: Promise<{ key: string[] }> },
 ) => {
+  // Try to get session from Better Auth
+  const session = await auth.api.getSession({
+    headers: req.headers,
+  });
+
   const user =
-    (await auth())?.user ??
+    session?.user ??
     (await authenticateByToken(extractBearerToken(req)));
 
   if (!user) return new Response("Unauthorized", { status: 401 });
diff --git a/apps/builder/src/features/auth/api/sendUpdateEmailVerifCodeEmail.ts b/apps/builder/src/features/auth/api/sendUpdateEmailVerifCodeEmail.ts
index 852e9c5ac5..ac9cad1917 100644
--- a/apps/builder/src/features/auth/api/sendUpdateEmailVerifCodeEmail.ts
+++ b/apps/builder/src/features/auth/api/sendUpdateEmailVerifCodeEmail.ts
@@ -46,18 +46,20 @@ export const sendUpdateEmailVerifCodeEmail = authenticatedProcedure
 
     const oneHourLater = new Date(Date.now() + 1000 * 60 * 60);
     const nanoid = customAlphabet("abcdefghijklmnopqrstuvwxyz", 4);
-    const verificationToken = await prisma.verificationToken.create({
+    const tokenValue = `${nanoid(4)}-${nanoid(5)}-${nanoid(4)}-${nanoid(5)}`;
+    // Encode new email in identifier since Better Auth uses 'value' for the token
+    const identifier = `${user.id}-changeEmail-${Buffer.from(formattedNewEmail).toString("base64")}`;
+    await prisma.verification.create({
       data: {
-        token: `${nanoid(4)}-${nanoid(5)}-${nanoid(4)}-${nanoid(5)}`,
-        expires: oneHourLater,
-        identifier: `${user.id}-changeEmail`,
-        value: formattedNewEmail,
+        value: tokenValue,
+        expiresAt: oneHourLater,
+        identifier,
       },
     });
 
     await sendEmail({
       to: formattedNewEmail,
-      code: verificationToken.token,
+      code: tokenValue,
     });
 
     return { status: "success" };
diff --git a/apps/builder/src/features/auth/api/updateUserEmail.ts b/apps/builder/src/features/auth/api/updateUserEmail.ts
index ac773bdc57..3349d44e50 100644
--- a/apps/builder/src/features/auth/api/updateUserEmail.ts
+++ b/apps/builder/src/features/auth/api/updateUserEmail.ts
@@ -11,27 +11,42 @@ export const updateUserEmail = authenticatedProcedure
     }),
   )
   .mutation(async ({ ctx: { user }, input: { token } }) => {
-    const verificationToken = await prisma.verificationToken.findUnique({
+    // Find verification record by searching for identifier prefix
+    // The identifier format is: ${userId}-changeEmail-${base64(newEmail)}
+    const verifications = await prisma.verification.findMany({
       where: {
-        identifier_token: {
-          token,
-          identifier: `${user.id}-changeEmail`,
+        identifier: {
+          startsWith: `${user.id}-changeEmail-`,
         },
+        value: token,
       },
       select: {
-        expires: true,
-        value: true,
+        id: true,
+        expiresAt: true,
+        identifier: true,
       },
     });
 
-    if (!verificationToken?.value)
+    const verification = verifications[0];
+
+    if (!verification)
       throw new TRPCError({
         code: "NOT_FOUND",
         message: "Token not found",
       });
 
-    if (verificationToken.expires < new Date()) {
-      await deleteToken(token);
+    // Extract new email from identifier
+    const identifierParts = verification.identifier.split("-changeEmail-");
+    if (identifierParts.length !== 2) {
+      throw new TRPCError({
+        code: "INTERNAL_SERVER_ERROR",
+        message: "Invalid verification identifier format",
+      });
+    }
+    const newEmail = Buffer.from(identifierParts[1], "base64").toString("utf-8");
+
+    if (verification.expiresAt < new Date()) {
+      await deleteVerification(verification.id);
       throw new TRPCError({
         code: "BAD_REQUEST",
         message: "Token expired",
@@ -44,7 +59,7 @@ export const updateUserEmail = authenticatedProcedure
           id: user.id,
         },
         data: {
-          email: verificationToken.value,
+          email: newEmail,
         },
       });
     } catch (error) {
@@ -59,16 +74,14 @@ export const updateUserEmail = authenticatedProcedure
       throw error;
     }
 
-    await deleteToken(token);
+    await deleteVerification(verification.id);
 
     return {
       status: "success",
     };
   });
 
-const deleteToken = (token: string) =>
-  prisma.verificationToken.delete({
-    where: {
-      token,
-    },
+const deleteVerification = (id: string) =>
+  prisma.verification.delete({
+    where: { id },
   });
diff --git a/apps/builder/src/features/auth/helpers/accountHasRequiredOAuthGroups.ts b/apps/builder/src/features/auth/helpers/accountHasRequiredOAuthGroups.ts
index 59dc8eac63..4ca0c219d2 100644
--- a/apps/builder/src/features/auth/helpers/accountHasRequiredOAuthGroups.ts
+++ b/apps/builder/src/features/auth/helpers/accountHasRequiredOAuthGroups.ts
@@ -1,8 +1,13 @@
 import { env } from "@typebot.io/env";
-import type { Account } from "next-auth";
+
+// OAuth account type for group checking
+type OAuthAccount = {
+  provider: string;
+  access_token?: string | null;
+};
 
 export const accountHasRequiredOAuthGroups = async (
-  account: Account,
+  account: OAuthAccount,
 ): Promise<boolean> => {
   const requiredGroups = getRequiredGroups(account.provider);
   if (requiredGroups.length === 0) return true;
diff --git a/apps/builder/src/features/telemetry/helpers/trackAnalyticsPageView.ts b/apps/builder/src/features/telemetry/helpers/trackAnalyticsPageView.ts
index 56081c410e..1d96493f37 100644
--- a/apps/builder/src/features/telemetry/helpers/trackAnalyticsPageView.ts
+++ b/apps/builder/src/features/telemetry/helpers/trackAnalyticsPageView.ts
@@ -2,7 +2,7 @@ import prisma from "@typebot.io/prisma";
 import { trackEvents } from "@typebot.io/telemetry/trackEvents";
 import type { User } from "@typebot.io/user/schemas";
 import type { GetServerSidePropsContext } from "next";
-import { auth } from "@/features/auth/lib/nextAuth";
+import { getSessionFromContext } from "@/lib/auth/getSessionFromContext";
 
 export const trackAnalyticsPageView = async (
   context: GetServerSidePropsContext,
@@ -14,7 +14,7 @@ export const trackAnalyticsPageView = async (
     select: { workspaceId: true },
   });
   if (!typebot) return;
-  const session = await auth(context);
+  const session = await getSessionFromContext(context);
   await trackEvents([
     {
       name: "Analytics visited",
diff --git a/apps/builder/src/features/user/UserProvider.tsx b/apps/builder/src/features/user/UserProvider.tsx
index 6c4541c911..4645f59d0e 100644
--- a/apps/builder/src/features/user/UserProvider.tsx
+++ b/apps/builder/src/features/user/UserProvider.tsx
@@ -1,13 +1,15 @@
+import { useQuery } from "@tanstack/react-query";
 import { env } from "@typebot.io/env";
 import { datesAreOnSameDay } from "@typebot.io/lib/datesAreOnSameDay";
 import { isDefined } from "@typebot.io/lib/utils";
 import type { ClientUser, UpdateUser, User } from "@typebot.io/user/schemas";
 import { useRouter } from "next/router";
-import { signOut, useSession } from "next-auth/react";
 import { useTheme } from "next-themes";
 import type { ReactNode } from "react";
 import { createContext, useEffect, useState } from "react";
 import { useDebounce } from "@/hooks/useDebounce";
+import { authClient, useSession } from "@/lib/auth/client";
+import { trpc } from "@/lib/queryClient";
 import { setLocaleInCookies } from "./helpers/setLocaleInCookies";
 import { useUpdateUserMutation } from "./hooks/useUpdateUserMutation";
 
@@ -27,11 +29,19 @@ export const userContext = createContext<{
 
 export const UserProvider = ({ children }: { children: ReactNode }) => {
   const router = useRouter();
-  const { data: session, status } = useSession();
+  const { data: session, isPending } = useSession();
+  const status = isPending ? "loading" : session?.user ? "authenticated" : "unauthenticated";
   const [currentWorkspaceId, setCurrentWorkspaceId] = useState<string>();
   const { theme, setTheme } = useTheme();
   const [localUser, setLocalUser] = useState<ClientUser>();
 
+  // Fetch full user data from database when session is available
+  const { data: fullUserData, isLoading: isUserLoading } = useQuery(
+    trpc.userInternal.getMe.queryOptions(undefined, {
+      enabled: !!session?.user?.id,
+    }),
+  );
+
   const updateUserMutation = useUpdateUserMutation();
 
   useEffect(() => {
@@ -40,11 +50,11 @@ export const UserProvider = ({ children }: { children: ReactNode }) => {
   }, [localUser?.preferredAppAppearance]);
 
   useEffect(() => {
-    if (isDefined(session?.user.id)) return;
+    if (isDefined(session?.user?.id)) return;
     setCurrentWorkspaceId(
       localStorage.getItem("currentWorkspaceId") ?? undefined,
     );
-  }, [session?.user.id]);
+  }, [session?.user?.id]);
 
   useEffect(() => {
     if (!router.isReady) return;
@@ -71,19 +81,19 @@ export const UserProvider = ({ children }: { children: ReactNode }) => {
     if (
       env.NEXT_PUBLIC_ONBOARDING_TYPEBOT_ID &&
       !router.pathname.includes("/onboarding") &&
-      !session?.user.termsAcceptedAt &&
-      session?.user.createdAt &&
-      datesAreOnSameDay(new Date(session.user.createdAt), new Date())
+      !fullUserData?.termsAcceptedAt &&
+      fullUserData?.createdAt &&
+      datesAreOnSameDay(new Date(fullUserData.createdAt), new Date())
     ) {
       router.replace("/onboarding");
     }
-  }, [router.isReady, router.pathname, status, session?.user.termsAcceptedAt]);
+  }, [router.isReady, router.pathname, status, fullUserData?.termsAcceptedAt, fullUserData?.createdAt]);
 
   useEffect(() => {
     if (!router.isReady) return;
-    if (status === "loading") return;
+    if (status === "loading" || isUserLoading) return;
 
-    const preferredLanguage = session?.user?.preferredLanguage;
+    const preferredLanguage = fullUserData?.preferredLanguage;
     const currentLocale = router.locale;
 
     if (preferredLanguage && preferredLanguage !== currentLocale) {
@@ -97,7 +107,7 @@ export const UserProvider = ({ children }: { children: ReactNode }) => {
         { locale: preferredLanguage },
       );
     }
-  }, [router.isReady, router.locale, status, session?.user?.preferredLanguage]);
+  }, [router.isReady, router.locale, status, isUserLoading, fullUserData?.preferredLanguage]);
 
   const updateUser = async (updates: Partial<User>) => {
     if (!localUser) return;
@@ -116,16 +126,22 @@ export const UserProvider = ({ children }: { children: ReactNode }) => {
   };
 
   useEffect(() => {
-    if ((!session?.user && !localUser) || (session?.user && localUser)) return;
-    setLocalUser(session?.user);
-  }, [session?.user, localUser]);
+    if ((!fullUserData && !localUser) || (fullUserData && localUser)) return;
+    setLocalUser(fullUserData);
+  }, [fullUserData, localUser]);
+
+  const handleSignOut = () => {
+    authClient.signOut().then(() => {
+      router.push("/signin");
+    });
+  };
 
   return (
     <userContext.Provider
       value={{
         user: localUser,
-        isLoading: status === "loading",
-        logOut: signOut,
+        isLoading: status === "loading" || isUserLoading,
+        logOut: handleSignOut,
         updateUser,
         currentWorkspaceId,
         updateLocalUserEmail,
diff --git a/apps/builder/src/features/user/server/getMe.ts b/apps/builder/src/features/user/server/getMe.ts
new file mode 100644
index 0000000000..41b8e39b0b
--- /dev/null
+++ b/apps/builder/src/features/user/server/getMe.ts
@@ -0,0 +1,40 @@
+import type { ClientUser } from "@typebot.io/user/schemas";
+import prisma from "@typebot.io/prisma";
+import { clientUserSchema } from "@typebot.io/user/schemas";
+import { authenticatedProcedure } from "@/helpers/server/trpc";
+
+export const getMe = authenticatedProcedure
+  .meta({
+    openapi: {
+      method: "GET",
+      path: "/v1/users/me",
+    },
+  })
+  .output(clientUserSchema)
+  .query(async ({ ctx: { user } }) => {
+    const fullUser = await prisma.user.findUniqueOrThrow({
+      where: { id: user.id },
+      select: {
+        id: true,
+        name: true,
+        email: true,
+        image: true,
+        company: true,
+        createdAt: true,
+        lastActivityAt: true,
+        graphNavigation: true,
+        preferredAppAppearance: true,
+        displayedInAppNotifications: true,
+        groupTitlesAutoGeneration: true,
+        preferredLanguage: true,
+        termsAcceptedAt: true,
+      },
+    });
+
+    // Transform Prisma Json types to proper TypeScript types
+    return {
+      ...fullUser,
+      displayedInAppNotifications: fullUser.displayedInAppNotifications as ClientUser["displayedInAppNotifications"],
+      groupTitlesAutoGeneration: fullUser.groupTitlesAutoGeneration as ClientUser["groupTitlesAutoGeneration"],
+    };
+  });
diff --git a/apps/builder/src/features/user/server/routers.ts b/apps/builder/src/features/user/server/routers.ts
index 6926971fe9..b6b1d5db95 100644
--- a/apps/builder/src/features/user/server/routers.ts
+++ b/apps/builder/src/features/user/server/routers.ts
@@ -2,6 +2,7 @@ import { router } from "@/helpers/server/trpc";
 import { acceptTerms } from "./acceptTerms";
 import { createApiToken } from "./createApiToken";
 import { deleteApiToken } from "./deleteApiToken";
+import { getMe } from "./getMe";
 import { listApiTokens } from "./listApiTokens";
 import { updateUser } from "./updateUser";
 
@@ -14,4 +15,5 @@ export const publicUserRouter = router({
 
 export const internalUserRouter = router({
   acceptTerms,
+  getMe,
 });
diff --git a/apps/builder/src/features/whatsapp/generateVerificationToken.ts b/apps/builder/src/features/whatsapp/generateVerificationToken.ts
index dd2c5a05c0..56f945c92e 100644
--- a/apps/builder/src/features/whatsapp/generateVerificationToken.ts
+++ b/apps/builder/src/features/whatsapp/generateVerificationToken.ts
@@ -5,14 +5,14 @@ import { authenticatedProcedure } from "@/helpers/server/trpc";
 export const generateVerificationToken = authenticatedProcedure.mutation(
   async () => {
     const oneHourLater = new Date(Date.now() + 1000 * 60 * 60);
-    const verificationToken = await prisma.verificationToken.create({
+    const verification = await prisma.verification.create({
       data: {
-        token: createId(),
-        expires: oneHourLater,
+        value: createId(),
+        expiresAt: oneHourLater,
         identifier: "whatsapp webhook",
       },
     });
 
-    return { verificationToken: verificationToken.token };
+    return { verificationToken: verification.value };
   },
 );
diff --git a/apps/builder/src/lib/auth/getSessionFromContext.ts b/apps/builder/src/lib/auth/getSessionFromContext.ts
new file mode 100644
index 0000000000..3345bb7c30
--- /dev/null
+++ b/apps/builder/src/lib/auth/getSessionFromContext.ts
@@ -0,0 +1,26 @@
+import type { GetServerSidePropsContext } from "next";
+import { auth } from "./config";
+
+/**
+ * Get session from GetServerSidePropsContext for pages router
+ * This converts the request to headers that Better Auth can use
+ */
+export async function getSessionFromContext(context: GetServerSidePropsContext) {
+  const { req } = context;
+
+  // Build headers from the request
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(req.headers)) {
+    if (value) {
+      if (Array.isArray(value)) {
+        value.forEach((v) => headers.append(key, v));
+      } else {
+        headers.set(key, value);
+      }
+    }
+  }
+
+  return auth.api.getSession({
+    headers,
+  });
+}
diff --git a/apps/builder/src/lib/auth/send-verification-email.ts b/apps/builder/src/lib/auth/send-verification-email.ts
index 203454b7c9..50a6552f27 100644
--- a/apps/builder/src/lib/auth/send-verification-email.ts
+++ b/apps/builder/src/lib/auth/send-verification-email.ts
@@ -1,6 +1,4 @@
-import { env } from "@typebot.io/env";
-import { sendEmail } from "@typebot.io/emails/sendEmail";
-import { render } from "@typebot.io/emails/render";
+import { sendEmail } from "@typebot.io/emails/helpers/sendEmail";
 
 type SendVerificationEmailProps = {
   email: string;
diff --git a/apps/builder/src/pages/_app.tsx b/apps/builder/src/pages/_app.tsx
index d8f1c83c4f..6be05c9c3c 100644
--- a/apps/builder/src/pages/_app.tsx
+++ b/apps/builder/src/pages/_app.tsx
@@ -3,7 +3,6 @@ import { toTitleCase } from "@typebot.io/lib/utils";
 import { Plan } from "@typebot.io/prisma/enum";
 import type { AppProps } from "next/app";
 import { useRouter } from "next/router";
-import { SessionProvider } from "next-auth/react";
 import { useEffect } from "react";
 import { SupportBubble } from "@/components/SupportBubble";
 import { TypebotProvider } from "@/features/editor/providers/TypebotProvider";
@@ -65,17 +64,15 @@ const App = ({ Component, pageProps }: AppProps) => {
         >
           <TooltipProvider>
             <QueryClientProvider client={queryClient}>
-              <SessionProvider session={pageProps.session}>
-                <UserProvider>
-                  <TypebotProvider typebotId={typebotId}>
-                    <WorkspaceProvider typebotId={typebotId}>
-                      <Component {...pageProps} />
-                      {!router.pathname.endsWith("edit") &&
-                        isCloudProdInstance() && <SupportBubble />}
-                    </WorkspaceProvider>
-                  </TypebotProvider>
-                </UserProvider>
-              </SessionProvider>
+              <UserProvider>
+                <TypebotProvider typebotId={typebotId}>
+                  <WorkspaceProvider typebotId={typebotId}>
+                    <Component {...pageProps} />
+                    {!router.pathname.endsWith("edit") &&
+                      isCloudProdInstance() && <SupportBubble />}
+                  </WorkspaceProvider>
+                </TypebotProvider>
+              </UserProvider>
             </QueryClientProvider>
             <ToastProvider toastManager={toastManager}>
               <Toast.List CodeEditor={CodeEditor} />
diff --git a/apps/builder/src/pages/feedback.tsx b/apps/builder/src/pages/feedback.tsx
index 51a7693141..df3160dad0 100644
--- a/apps/builder/src/pages/feedback.tsx
+++ b/apps/builder/src/pages/feedback.tsx
@@ -3,14 +3,14 @@ import { isNotDefined } from "@typebot.io/lib/utils";
 import type { Prisma } from "@typebot.io/prisma/types";
 import { sign } from "jsonwebtoken";
 import type { GetServerSidePropsContext } from "next";
-import { auth } from "@/features/auth/lib/nextAuth";
+import { getSessionFromContext } from "@/lib/auth/getSessionFromContext";
 
 export default function Page() {
   return null;
 }
 
 export async function getServerSideProps(context: GetServerSidePropsContext) {
-  const session = await auth(context);
+  const session = await getSessionFromContext(context);
   if (isNotDefined(session?.user))
     return {
       redirect: {
diff --git a/apps/builder/src/pages/feedback/[feedbackId].ts b/apps/builder/src/pages/feedback/[feedbackId].ts
index 02b4786b4a..71013adf17 100644
--- a/apps/builder/src/pages/feedback/[feedbackId].ts
+++ b/apps/builder/src/pages/feedback/[feedbackId].ts
@@ -3,14 +3,14 @@ import { isNotDefined } from "@typebot.io/lib/utils";
 import type { Prisma } from "@typebot.io/prisma/types";
 import { sign } from "jsonwebtoken";
 import type { GetServerSidePropsContext } from "next";
-import { auth } from "@/features/auth/lib/nextAuth";
+import { getSessionFromContext } from "@/lib/auth/getSessionFromContext";
 
 export default function Page() {
   return null;
 }
 
 export async function getServerSideProps(context: GetServerSidePropsContext) {
-  const session = await auth(context);
+  const session = await getSessionFromContext(context);
   const feedbackId = context.query.feedbackId?.toString() as string;
   if (isNotDefined(session?.user))
     return {
diff --git a/packages/env/src/index.ts b/packages/env/src/index.ts
index 83ed93b929..a13502848f 100644
--- a/packages/env/src/index.ts
+++ b/packages/env/src/index.ts
@@ -71,6 +71,11 @@ const baseEnv = {
       guessBetterAuthUrlForVercelPreview,
       z.string().url(),
     ),
+    // Backwards compatibility alias - NEXTAUTH_URL still used in many places
+    NEXTAUTH_URL: z.preprocess(
+      guessBetterAuthUrlForVercelPreview,
+      z.string().url(),
+    ),
     DISABLE_SIGNUP: boolean.optional().default("false"),
     ADMIN_EMAIL: z
       .string()
diff --git a/packages/user/src/schemas.ts b/packages/user/src/schemas.ts
index 16ec9ea1b6..5a949be3cf 100644
--- a/packages/user/src/schemas.ts
+++ b/packages/user/src/schemas.ts
@@ -19,11 +19,21 @@ export const userSchema = z.object({
   id: z.string(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  lastActivityAt: z.date(),
-  name: z.string().nullable(),
+  // Better Auth required fields
+  name: z.string(),
   email: z.string(),
-  emailVerified: z.date().nullable(),
+  emailVerified: z.boolean(),
   image: z.string().nullable(),
+  // Better Auth plugin fields
+  role: z.string(),
+  banned: z.boolean(),
+  banReason: z.string().nullable(),
+  banExpires: z.date().nullable(),
+  twoFactorEnabled: z.boolean(),
+  phoneNumber: z.string().nullable(),
+  phoneNumberVerified: z.boolean(),
+  // Typebot-specific fields
+  lastActivityAt: z.date(),
   company: z.string().nullable(),
   onboardingCategories: z.array(z.string()),
   referral: z.string().nullable(),
diff --git a/packages/workspaces/src/schemas.ts b/packages/workspaces/src/schemas.ts
index a332636f19..d665ec660e 100644
--- a/packages/workspaces/src/schemas.ts
+++ b/packages/workspaces/src/schemas.ts
@@ -5,8 +5,8 @@ import { z } from "@typebot.io/zod";
 export const workspaceMemberSchema = z.object({
   workspaceId: z.string(),
   user: z.object({
-    name: z.string().nullable(),
-    email: z.string().nullable(),
+    name: z.string(),
+    email: z.string(),
     image: z.string().nullable(),
   }),
   role: z.nativeEnum(WorkspaceRole),

From 488dd3a719137d9e0864f00bdba539f8379f04f9 Mon Sep 17 00:00:00 2001
From: Brian Johnson <brianmjohnson@users.noreply.github.com>
Date: Wed, 7 Jan 2026 09:55:19 -0800
Subject: [PATCH 03/11] :bug: Fix remaining Better Auth migration issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix verificationToken → verification in whatsapp package handler
- Fix cleanExpiredData to use Better Auth schema (verification + expiresAt)
- Add opentelemetry/winston-transport override to fix inngest dependency

Brian Johnson in useFoundry.ai

(cherry picked from commit 80b79e4706f46df66f19b95aaa2148babb339c1e)
---
 package.json                                  |  5 +++-
 .../scripts/src/helpers/cleanExpiredData.ts   | 28 ++++++++++---------
 .../api/handleWebhookSubscriptionRequest.ts   | 11 ++++----
 3 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/package.json b/package.json
index d67bee9063..0142e7f8ed 100644
--- a/package.json
+++ b/package.json
@@ -57,5 +57,8 @@
     "prisma",
     "sharp",
     "inngest-cli"
-  ]
+  ],
+  "overrides": {
+    "@opentelemetry/winston-transport": "^0.10.0"
+  }
 }
diff --git a/packages/scripts/src/helpers/cleanExpiredData.ts b/packages/scripts/src/helpers/cleanExpiredData.ts
index b1d72e1d39..bba1aeb02e 100644
--- a/packages/scripts/src/helpers/cleanExpiredData.ts
+++ b/packages/scripts/src/helpers/cleanExpiredData.ts
@@ -49,9 +49,10 @@ const deleteExpiredAppSessions = async () => {
   const threeDaysAgo = new Date();
   threeDaysAgo.setDate(threeDaysAgo.getDate() - 3);
   threeDaysAgo.setHours(0, 0, 0, 0);
+  // Better Auth uses 'expiresAt' instead of 'expires'
   const { count } = await prisma.session.deleteMany({
     where: {
-      expires: {
+      expiresAt: {
         lte: threeDaysAgo,
       },
     },
@@ -63,34 +64,35 @@ const deleteExpiredVerificationTokens = async () => {
   const threeDaysAgo = new Date();
   threeDaysAgo.setDate(threeDaysAgo.getDate() - 3);
   threeDaysAgo.setHours(0, 0, 0, 0);
-  let totalVerificationTokens;
+  let totalVerifications;
   do {
-    const verificationTokens = await prisma.verificationToken.findMany({
+    // Better Auth uses 'verification' model with 'expiresAt' and 'id' fields
+    const verifications = await prisma.verification.findMany({
       where: {
-        expires: {
+        expiresAt: {
           lte: threeDaysAgo,
         },
       },
       select: {
-        token: true,
+        id: true,
       },
       take: 80000,
     });
 
-    totalVerificationTokens = verificationTokens.length;
+    totalVerifications = verifications.length;
 
-    console.log(`Deleting ${verificationTokens.length} expired tokens...`);
+    console.log(`Deleting ${verifications.length} expired verifications...`);
     const chunkSize = 1000;
-    for (let i = 0; i < verificationTokens.length; i += chunkSize) {
-      const chunk = verificationTokens.slice(i, i + chunkSize);
-      await prisma.verificationToken.deleteMany({
+    for (let i = 0; i < verifications.length; i += chunkSize) {
+      const chunk = verifications.slice(i, i + chunkSize);
+      await prisma.verification.deleteMany({
         where: {
-          token: {
-            in: chunk.map((verificationToken) => verificationToken.token),
+          id: {
+            in: chunk.map((v) => v.id),
           },
         },
       });
     }
-  } while (totalVerificationTokens === 80000);
+  } while (totalVerifications === 80000);
   console.log("Done!");
 };
diff --git a/packages/whatsapp/src/api/handleWebhookSubscriptionRequest.ts b/packages/whatsapp/src/api/handleWebhookSubscriptionRequest.ts
index 51e4894d22..96265c083c 100644
--- a/packages/whatsapp/src/api/handleWebhookSubscriptionRequest.ts
+++ b/packages/whatsapp/src/api/handleWebhookSubscriptionRequest.ts
@@ -14,18 +14,19 @@ export const handleWebhookSubscriptionRequest = async ({
 }: {
   input: z.infer<typeof webhookSubscriptionInputSchema>;
 }) => {
-  const verificationToken = await prisma.verificationToken.findUnique({
+  // Better Auth uses 'verification' model with 'value' field instead of 'verificationToken' with 'token'
+  const verification = await prisma.verification.findFirst({
     where: {
-      token,
+      value: token,
     },
   });
-  if (!verificationToken)
+  if (!verification)
     throw new ORPCError("UNAUTHORIZED", {
       message: "Unauthorized",
     });
-  await prisma.verificationToken.delete({
+  await prisma.verification.delete({
     where: {
-      token,
+      id: verification.id,
     },
   });
   return Number(challenge);

From dc50597a8dbab927dae957ec5583c1e5ca882a95 Mon Sep 17 00:00:00 2001
From: Brian Johnson <brianmjohnson@users.noreply.github.com>
Date: Thu, 8 Jan 2026 18:03:45 -0800
Subject: [PATCH 04/11] fix: Compute auth providers server-side instead of
 build-time env vars

The signin page was showing "no providers configured" because it relied
on NEXT_PUBLIC_*_ENABLED environment variables that weren't set.

This fix:
- Creates getAvailableProviders() helper that checks actual OAuth credentials
- Uses getServerSideProps to pass available providers to the signin pages
- Removes dependency on build-time NEXT_PUBLIC_*_ENABLED flags
- Providers are now automatically detected from GITHUB_CLIENT_ID, etc.

Brian Johnson in useFoundry.ai

(cherry picked from commit 13057a8539f144bf245435e8d26cb44e3531b80b)
---
 .../features/auth/components/SignInForm.tsx   | 20 +++------
 .../features/auth/components/SignInPage.tsx   |  9 +++-
 .../auth/components/SocialLoginButtons.tsx    | 16 +++----
 .../src/lib/auth/getAvailableProviders.ts     | 45 +++++++++++++++++++
 apps/builder/src/pages/register.tsx           | 21 ++++++++-
 apps/builder/src/pages/signin.tsx             | 21 ++++++++-
 6 files changed, 102 insertions(+), 30 deletions(-)
 create mode 100644 apps/builder/src/lib/auth/getAvailableProviders.ts

diff --git a/apps/builder/src/features/auth/components/SignInForm.tsx b/apps/builder/src/features/auth/components/SignInForm.tsx
index 029c80ac38..90a811bb1d 100644
--- a/apps/builder/src/features/auth/components/SignInForm.tsx
+++ b/apps/builder/src/features/auth/components/SignInForm.tsx
@@ -15,6 +15,7 @@ import { useEffect, useState } from "react";
 import { TextLink } from "@/components/TextLink";
 import { toast } from "@/lib/toast";
 import { authClient, useSession } from "@/lib/auth/client";
+import type { AvailableProviders } from "@/lib/auth/getAvailableProviders";
 import { createEmailMagicLink } from "../helpers/createEmailMagicLink";
 import { DividerWithText } from "./DividerWithText";
 import { SignInError } from "./SignInError";
@@ -23,19 +24,10 @@ import { SocialLoginButtons } from "./SocialLoginButtons";
 type Props = {
   defaultEmail?: string;
   className?: string;
+  availableProviders: AvailableProviders;
 };
 
-// Available providers configuration (matches server config)
-const availableProviders = {
-  github: !!process.env.NEXT_PUBLIC_GITHUB_ENABLED,
-  google: !!process.env.NEXT_PUBLIC_GOOGLE_ENABLED,
-  facebook: !!process.env.NEXT_PUBLIC_FACEBOOK_ENABLED,
-  gitlab: !!process.env.NEXT_PUBLIC_GITLAB_ENABLED,
-  microsoft: !!process.env.NEXT_PUBLIC_AZURE_ENABLED,
-  email: !!process.env.NEXT_PUBLIC_EMAIL_ENABLED,
-};
-
-export const SignInForm = ({ defaultEmail, className }: Props) => {
+export const SignInForm = ({ defaultEmail, className, availableProviders }: Props) => {
   const { t } = useTranslate();
   const router = useRouter();
   const [authError, setAuthError] = useQueryState("error");
@@ -48,7 +40,9 @@ export const SignInForm = ({ defaultEmail, className }: Props) => {
   const [isMagicCodeSent, setIsMagicCodeSent] = useState(false);
 
   // Check if any provider is configured
-  const hasNoAuthProvider = !Object.values(availableProviders).some(Boolean);
+  const hasNoAuthProvider = !Object.entries(availableProviders).some(
+    ([key, value]) => key !== "customOAuthName" && value
+  );
 
   useEffect(() => {
     if (session?.user) {
@@ -131,7 +125,7 @@ export const SignInForm = ({ defaultEmail, className }: Props) => {
     <div className={cn("flex flex-col gap-6 w-[330px]", className)}>
       {!isMagicCodeSent && (
         <>
-          <SocialLoginButtons />
+          <SocialLoginButtons availableProviders={availableProviders} />
           {availableProviders.email && (
             <>
               <DividerWithText>{t("auth.orEmailLabel")}</DividerWithText>
diff --git a/apps/builder/src/features/auth/components/SignInPage.tsx b/apps/builder/src/features/auth/components/SignInPage.tsx
index 5bb4e677db..b08aa860ac 100644
--- a/apps/builder/src/features/auth/components/SignInPage.tsx
+++ b/apps/builder/src/features/auth/components/SignInPage.tsx
@@ -2,14 +2,16 @@ import { useTranslate } from "@tolgee/react";
 import { useRouter } from "next/router";
 import { Seo } from "@/components/Seo";
 import { TextLink } from "@/components/TextLink";
+import type { AvailableProviders } from "@/lib/auth/getAvailableProviders";
 import { SignInForm } from "./SignInForm";
 
 type Props = {
   type: "signin" | "signup";
   defaultEmail?: string;
+  availableProviders: AvailableProviders;
 };
 
-export const SignInPage = ({ type }: Props) => {
+export const SignInPage = ({ type, availableProviders }: Props) => {
   const { t } = useTranslate();
   const { query } = useRouter();
 
@@ -46,7 +48,10 @@ export const SignInPage = ({ type }: Props) => {
           )}
         </div>
 
-        <SignInForm defaultEmail={query.g?.toString()} />
+        <SignInForm
+          defaultEmail={query.g?.toString()}
+          availableProviders={availableProviders}
+        />
       </div>
     </div>
   );
diff --git a/apps/builder/src/features/auth/components/SocialLoginButtons.tsx b/apps/builder/src/features/auth/components/SocialLoginButtons.tsx
index fe8164def9..4e4962b18e 100644
--- a/apps/builder/src/features/auth/components/SocialLoginButtons.tsx
+++ b/apps/builder/src/features/auth/components/SocialLoginButtons.tsx
@@ -11,19 +11,13 @@ import { FacebookLogo } from "@/components/logos/FacebookLogo";
 import { GitlabLogo } from "@/components/logos/GitlabLogo";
 import { KeycloackLogo } from "@/components/logos/KeycloakLogo";
 import { authClient, useSession } from "@/lib/auth/client";
+import type { AvailableProviders } from "@/lib/auth/getAvailableProviders";
 
-// Available providers configuration
-const availableProviders = {
-  github: !!process.env.NEXT_PUBLIC_GITHUB_ENABLED,
-  google: !!process.env.NEXT_PUBLIC_GOOGLE_ENABLED,
-  facebook: !!process.env.NEXT_PUBLIC_FACEBOOK_ENABLED,
-  gitlab: !!process.env.NEXT_PUBLIC_GITLAB_ENABLED,
-  microsoft: !!process.env.NEXT_PUBLIC_AZURE_ENABLED,
-  keycloak: !!process.env.NEXT_PUBLIC_KEYCLOAK_ENABLED,
-  customOAuth: !!process.env.NEXT_PUBLIC_CUSTOM_OAUTH_ENABLED,
+type Props = {
+  availableProviders: AvailableProviders;
 };
 
-export const SocialLoginButtons = () => {
+export const SocialLoginButtons = ({ availableProviders }: Props) => {
   const { t } = useTranslate();
   const { query } = useRouter();
   const { data: session, isPending } = useSession();
@@ -135,7 +129,7 @@ export const SocialLoginButtons = () => {
           variant="outline-secondary"
         >
           {t("auth.socialLogin.customButton.label", {
-            customProviderName: process.env.NEXT_PUBLIC_CUSTOM_OAUTH_NAME || "SSO",
+            customProviderName: availableProviders.customOAuthName || "SSO",
           })}
         </Button>
       )}
diff --git a/apps/builder/src/lib/auth/getAvailableProviders.ts b/apps/builder/src/lib/auth/getAvailableProviders.ts
new file mode 100644
index 0000000000..99c27320a6
--- /dev/null
+++ b/apps/builder/src/lib/auth/getAvailableProviders.ts
@@ -0,0 +1,45 @@
+import { env } from "@typebot.io/env";
+
+export type AvailableProviders = {
+  github: boolean;
+  google: boolean;
+  facebook: boolean;
+  gitlab: boolean;
+  microsoft: boolean;
+  keycloak: boolean;
+  customOAuth: boolean;
+  customOAuthName?: string;
+  email: boolean;
+};
+
+/**
+ * Server-side function to compute available auth providers
+ * based on which OAuth credentials are configured.
+ * This avoids the need for separate NEXT_PUBLIC_*_ENABLED flags.
+ */
+export function getAvailableProviders(): AvailableProviders {
+  return {
+    github: !!(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET),
+    google: !!(env.GOOGLE_AUTH_CLIENT_ID && env.GOOGLE_AUTH_CLIENT_SECRET),
+    facebook: !!(env.FACEBOOK_CLIENT_ID && env.FACEBOOK_CLIENT_SECRET),
+    gitlab: !!(env.GITLAB_CLIENT_ID && env.GITLAB_CLIENT_SECRET),
+    microsoft: !!(
+      env.AZURE_AD_CLIENT_ID &&
+      env.AZURE_AD_CLIENT_SECRET &&
+      env.AZURE_AD_TENANT_ID
+    ),
+    keycloak: !!(
+      env.KEYCLOAK_CLIENT_ID &&
+      env.KEYCLOAK_CLIENT_SECRET &&
+      env.KEYCLOAK_REALM &&
+      env.KEYCLOAK_BASE_URL
+    ),
+    customOAuth: !!(
+      env.CUSTOM_OAUTH_CLIENT_ID &&
+      env.CUSTOM_OAUTH_CLIENT_SECRET &&
+      env.CUSTOM_OAUTH_ISSUER
+    ),
+    customOAuthName: env.CUSTOM_OAUTH_NAME,
+    email: !!(env.NEXT_PUBLIC_SMTP_FROM && !env.SMTP_AUTH_DISABLED),
+  };
+}
diff --git a/apps/builder/src/pages/register.tsx b/apps/builder/src/pages/register.tsx
index d9f3679193..0fe0ff2705 100644
--- a/apps/builder/src/pages/register.tsx
+++ b/apps/builder/src/pages/register.tsx
@@ -1,5 +1,22 @@
+import type { GetServerSideProps, InferGetServerSidePropsType } from "next";
 import { SignInPage } from "@/features/auth/components/SignInPage";
+import {
+  getAvailableProviders,
+  type AvailableProviders,
+} from "@/lib/auth/getAvailableProviders";
 
-export default function Page() {
-  return <SignInPage type="signup" />;
+export const getServerSideProps: GetServerSideProps<{
+  availableProviders: AvailableProviders;
+}> = async () => {
+  return {
+    props: {
+      availableProviders: getAvailableProviders(),
+    },
+  };
+};
+
+export default function Page({
+  availableProviders,
+}: InferGetServerSidePropsType<typeof getServerSideProps>) {
+  return <SignInPage type="signup" availableProviders={availableProviders} />;
 }
diff --git a/apps/builder/src/pages/signin.tsx b/apps/builder/src/pages/signin.tsx
index bb37d0b69c..7eb6d70948 100644
--- a/apps/builder/src/pages/signin.tsx
+++ b/apps/builder/src/pages/signin.tsx
@@ -1,5 +1,22 @@
+import type { GetServerSideProps, InferGetServerSidePropsType } from "next";
 import { SignInPage } from "@/features/auth/components/SignInPage";
+import {
+  getAvailableProviders,
+  type AvailableProviders,
+} from "@/lib/auth/getAvailableProviders";
 
-export default function Page() {
-  return <SignInPage type="signin" />;
+export const getServerSideProps: GetServerSideProps<{
+  availableProviders: AvailableProviders;
+}> = async () => {
+  return {
+    props: {
+      availableProviders: getAvailableProviders(),
+    },
+  };
+};
+
+export default function Page({
+  availableProviders,
+}: InferGetServerSidePropsType<typeof getServerSideProps>) {
+  return <SignInPage type="signin" availableProviders={availableProviders} />;
 }

From 4a4153a4e1af0432216d0da3a3dc2388406f2601 Mon Sep 17 00:00:00 2001
From: Brian Johnson <brianmjohnson@users.noreply.github.com>
Date: Thu, 8 Jan 2026 18:09:49 -0800
Subject: [PATCH 05/11] refactor: Replace NEXTAUTH_URL with BETTER_AUTH_URL
 throughout codebase

Complete migration to Better Auth by removing all NEXTAUTH_URL references:

- Remove NEXTAUTH_URL from env schema (packages/env/src/index.ts)
- Replace all env.NEXTAUTH_URL usages with env.BETTER_AUTH_URL
- Update turbo.json env configurations
- Update .env.example and .env.dev.example
- Update GitHub workflow files
- Update CLAUDE.md documentation

This makes the codebase purely Better Auth based with no NextAuth remnants.

Brian Johnson in useFoundry.ai

(cherry picked from commit 61e26b559b0370f0a0ab88cb0076af9a666ce53b)
---
 .env.dev.example                              |   3 +-
 .env.example                                  |   3 +-
 .github/workflows/daily.yml                   |   2 +-
 .github/workflows/hourly.yml                  |   2 +-
 .github/workflows/monthly.yml                 |   2 +-
 .../api/[blockType]/oauth/authorize/route.ts  |   2 +-
 apps/builder/src/components/Seo.tsx           |   2 +-
 .../googleSheets/api/getAccessToken.ts        |   2 +-
 .../credentials/api/createOAuthCredentials.ts |   2 +-
 .../credentials/api/updateOAuthCredentials.ts |   2 +-
 .../src/features/theme/galleryTemplates.ts    |   2 +-
 .../features/typebot/api/publishTypebot.ts    |   2 +-
 .../src/helpers/isCloudProdInstance.ts        |   2 +-
 .../src/helpers/isSelfHostedInstance.ts       |   4 +-
 apps/builder/src/lib/queryClient.ts           |   2 +-
 .../api/credentials/google-sheets/callback.ts |   2 +-
 .../credentials/google-sheets/consent-url.ts  |   2 +-
 .../api/typebots/[typebotId]/invitations.ts   |   2 +-
 .../workspaces/[workspaceId]/invitations.ts   |   4 +-
 apps/viewer/next.config.mjs                   |  14 +-
 apps/viewer/src/pages/[[...publicId]].tsx     |   2 +-
 apps/viewer/src/test/analytics.spec.ts        |   2 +-
 apps/viewer/src/test/fileUpload.spec.ts       |   2 +-
 apps/viewer/src/test/results.spec.ts          |   2 +-
 apps/viewer/src/test/sendEmail.spec.ts        |   2 +-
 apps/viewer/src/test/typebotLink.spec.ts      |   6 +-
 .../billing/src/api/getBillingPortalUrl.ts    |   2 +-
 .../deprecated/handleGenerateUploadUrlV1.ts   |   2 +-
 .../deprecated/handleGenerateUploadUrlV2.ts   |   2 +-
 .../src/api/handleGenerateUploadUrl.ts        |   2 +-
 .../chatwoot/executeChatwootBlock.ts          |   2 +-
 .../sendEmail/executeSendEmailBlock.tsx       |   4 +-
 packages/emails/marketing/V2dot22Update.tsx   |   6 +-
 packages/emails/marketing/V2dot23Update.tsx   |   6 +-
 packages/emails/marketing/V2dot24Update.tsx   |   6 +-
 packages/emails/marketing/V2dot26Update.tsx   |   2 +-
 packages/emails/marketing/V3dot6Update.tsx    |   2 +-
 .../marketing/components/NewsletterLayout.tsx |   4 +-
 .../InactiveWorkspaceFirstNoticeEmail.tsx     |   2 +-
 .../emails/transactional/components/Logo.tsx  |   2 +-
 packages/env/src/index.ts                     |   5 -
 packages/lib/src/s3/uploadFileToBucket.ts     |   2 +-
 .../helpers/checkAndReportLastHourResults.ts  | 304 +++++-------------
 packages/whatsapp/src/resumeWhatsAppFlow.ts   |   2 +-
 turbo.json                                    |   8 +-
 45 files changed, 141 insertions(+), 298 deletions(-)

diff --git a/.env.dev.example b/.env.dev.example
index d3bb78e6b1..5f00369e3a 100644
--- a/.env.dev.example
+++ b/.env.dev.example
@@ -2,7 +2,8 @@ ENCRYPTION_SECRET=H+KbL/OFrqbEuDy/1zX8bsPG+spXri3S
 
 DATABASE_URL=postgresql://postgres:typebot@localhost:5432/typebot
 
-NEXTAUTH_URL=http://localhost:3000
+BETTER_AUTH_URL=http://localhost:3000
+NEXT_PUBLIC_BETTER_AUTH_URL=http://localhost:3000
 NEXT_PUBLIC_VIEWER_URL=http://localhost:3001
 
 GITHUB_CLIENT_ID=534b549dd17709a743a2
diff --git a/.env.example b/.env.example
index 88c118659e..54bd0b9ca3 100644
--- a/.env.example
+++ b/.env.example
@@ -5,7 +5,8 @@ DATABASE_URL=postgresql://postgres:typebot@typebot-db:5432/typebot
 
 NODE_OPTIONS=--no-node-snapshot
 
-NEXTAUTH_URL=
+BETTER_AUTH_URL=
+NEXT_PUBLIC_BETTER_AUTH_URL=
 NEXT_PUBLIC_VIEWER_URL=
 
 ADMIN_EMAIL=
diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
index 4f196a25f5..c1b033dbfe 100644
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@@ -14,7 +14,7 @@ jobs:
       DATABASE_URL: "${{ secrets.DATABASE_URL }}"
       DATABASE_URL_REPLICA: "${{ secrets.DATABASE_URL_REPLICA }}"
       ENCRYPTION_SECRET: "${{ secrets.ENCRYPTION_SECRET }}"
-      NEXTAUTH_URL: "http://localhost:3000"
+      BETTER_AUTH_URL: "http://localhost:3000"
       NEXT_PUBLIC_VIEWER_URL: "http://localhost:3001"
       MESSAGE_WEBHOOK_URL: "${{ secrets.MESSAGE_WEBHOOK_URL }}"
       POSTHOG_PROJECT_ID: "${{ secrets.POSTHOG_PROJECT_ID }}"
diff --git a/.github/workflows/hourly.yml b/.github/workflows/hourly.yml
index 6abf7d61d4..b59cb62fb7 100644
--- a/.github/workflows/hourly.yml
+++ b/.github/workflows/hourly.yml
@@ -14,7 +14,7 @@ jobs:
       DATABASE_URL: "${{ secrets.DATABASE_URL }}"
       DATABASE_URL_REPLICA: "${{ secrets.DATABASE_URL_REPLICA }}"
       ENCRYPTION_SECRET: "${{ secrets.ENCRYPTION_SECRET }}"
-      NEXTAUTH_URL: "${{ secrets.NEXTAUTH_URL }}"
+      BETTER_AUTH_URL: "${{ secrets.BETTER_AUTH_URL }}"
       NEXT_PUBLIC_VIEWER_URL: "${{ secrets.NEXT_PUBLIC_VIEWER_URL }}"
       NEXT_PUBLIC_POSTHOG_KEY: "${{ secrets.NEXT_PUBLIC_POSTHOG_KEY }}"
       POSTHOG_API_HOST: "${{ secrets.POSTHOG_API_HOST }}"
diff --git a/.github/workflows/monthly.yml b/.github/workflows/monthly.yml
index f4016355cb..1bbae17285 100644
--- a/.github/workflows/monthly.yml
+++ b/.github/workflows/monthly.yml
@@ -14,7 +14,7 @@ jobs:
       DATABASE_URL: "${{ secrets.DATABASE_URL }}"
       DATABASE_URL_REPLICA: "${{ secrets.DATABASE_URL_REPLICA }}"
       ENCRYPTION_SECRET: "${{ secrets.ENCRYPTION_SECRET }}"
-      NEXTAUTH_URL: "http://localhost:3000"
+      BETTER_AUTH_URL: "http://localhost:3000"
       NEXT_PUBLIC_VIEWER_URL: "http://localhost:3001"
     steps:
       - uses: actions/checkout@v2
diff --git a/apps/builder/src/app/api/[blockType]/oauth/authorize/route.ts b/apps/builder/src/app/api/[blockType]/oauth/authorize/route.ts
index 2638e189e3..f652ecc8da 100644
--- a/apps/builder/src/app/api/[blockType]/oauth/authorize/route.ts
+++ b/apps/builder/src/app/api/[blockType]/oauth/authorize/route.ts
@@ -35,7 +35,7 @@ export const GET = async (
   const urlParams = {
     response_type: "code",
     client_id: clientId,
-    redirect_uri: `${env.NEXTAUTH_URL}/oauth/redirect`,
+    redirect_uri: `${env.BETTER_AUTH_URL}/oauth/redirect`,
     scope: authConfig.scopes.join(" "),
     ...authConfig.extraAuthParams,
   };
diff --git a/apps/builder/src/components/Seo.tsx b/apps/builder/src/components/Seo.tsx
index 99a3f3861e..636e18767b 100644
--- a/apps/builder/src/components/Seo.tsx
+++ b/apps/builder/src/components/Seo.tsx
@@ -6,7 +6,7 @@ const getOrigin = () => {
     return window.location.origin;
   }
 
-  return env.NEXTAUTH_URL;
+  return env.BETTER_AUTH_URL;
 };
 
 export const Seo = ({
diff --git a/apps/builder/src/features/blocks/integrations/googleSheets/api/getAccessToken.ts b/apps/builder/src/features/blocks/integrations/googleSheets/api/getAccessToken.ts
index efd1eed49b..0137a0f24d 100644
--- a/apps/builder/src/features/blocks/integrations/googleSheets/api/getAccessToken.ts
+++ b/apps/builder/src/features/blocks/integrations/googleSheets/api/getAccessToken.ts
@@ -54,7 +54,7 @@ export const getAccessToken = authenticatedProcedure
     const client = new OAuth2Client({
       clientId: env.GOOGLE_SHEETS_CLIENT_ID,
       clientSecret: env.GOOGLE_SHEETS_CLIENT_SECRET,
-      redirectUri: `${env.NEXTAUTH_URL}/api/credentials/google-sheets/callback`,
+      redirectUri: `${env.BETTER_AUTH_URL}/api/credentials/google-sheets/callback`,
     });
 
     client.setCredentials(decryptedCredentials);
diff --git a/apps/builder/src/features/credentials/api/createOAuthCredentials.ts b/apps/builder/src/features/credentials/api/createOAuthCredentials.ts
index cf0446dc06..afdf5a01c2 100644
--- a/apps/builder/src/features/credentials/api/createOAuthCredentials.ts
+++ b/apps/builder/src/features/credentials/api/createOAuthCredentials.ts
@@ -131,7 +131,7 @@ const exchangeCodeForTokens = async ({
           code: code,
           client_id: client.id,
           client_secret: client.secret,
-          redirect_uri: `${env.NEXTAUTH_URL}/oauth/redirect`,
+          redirect_uri: `${env.BETTER_AUTH_URL}/oauth/redirect`,
         },
       })
       .json();
diff --git a/apps/builder/src/features/credentials/api/updateOAuthCredentials.ts b/apps/builder/src/features/credentials/api/updateOAuthCredentials.ts
index 76e7cb3593..79e8eeb1d9 100644
--- a/apps/builder/src/features/credentials/api/updateOAuthCredentials.ts
+++ b/apps/builder/src/features/credentials/api/updateOAuthCredentials.ts
@@ -105,7 +105,7 @@ const exchangeCodeForTokens = async ({
           code: code,
           client_id: client.id,
           client_secret: client.secret,
-          redirect_uri: `${env.NEXTAUTH_URL}/oauth/redirect`,
+          redirect_uri: `${env.BETTER_AUTH_URL}/oauth/redirect`,
         },
       })
       .json();
diff --git a/apps/builder/src/features/theme/galleryTemplates.ts b/apps/builder/src/features/theme/galleryTemplates.ts
index 6199213738..f0e72fa79d 100644
--- a/apps/builder/src/features/theme/galleryTemplates.ts
+++ b/apps/builder/src/features/theme/galleryTemplates.ts
@@ -16,7 +16,7 @@ const getOrigin = () => {
     return window.location.origin;
   }
 
-  return env.NEXTAUTH_URL;
+  return env.BETTER_AUTH_URL;
 };
 
 export const galleryTemplates: (Pick<ThemeTemplate, "id" | "name" | "theme"> & {
diff --git a/apps/builder/src/features/typebot/api/publishTypebot.ts b/apps/builder/src/features/typebot/api/publishTypebot.ts
index 1fb0eb571f..88f76c1370 100644
--- a/apps/builder/src/features/typebot/api/publishTypebot.ts
+++ b/apps/builder/src/features/typebot/api/publishTypebot.ts
@@ -125,7 +125,7 @@ export const publishTypebot = authenticatedProcedure
     if (riskLevel > 0 && riskLevel !== existingTypebot.riskLevel) {
       if (riskLevel !== 100 && riskLevel > 60)
         await sendMessage(
-          `⚠️ Suspicious typebot to be reviewed: ${existingTypebot.name} (${env.NEXTAUTH_URL}/typebots/${existingTypebot.id}/edit) (workspace: ${existingTypebot.workspaceId})`,
+          `⚠️ Suspicious typebot to be reviewed: ${existingTypebot.name} (${env.BETTER_AUTH_URL}/typebots/${existingTypebot.id}/edit) (workspace: ${existingTypebot.workspaceId})`,
         );
 
       await prisma.typebot.updateMany({
diff --git a/apps/builder/src/helpers/isCloudProdInstance.ts b/apps/builder/src/helpers/isCloudProdInstance.ts
index e9111f3c20..4bdf8f7c9b 100644
--- a/apps/builder/src/helpers/isCloudProdInstance.ts
+++ b/apps/builder/src/helpers/isCloudProdInstance.ts
@@ -4,5 +4,5 @@ export const isCloudProdInstance = () => {
   if (typeof window !== "undefined") {
     return window.location.hostname === "app.typebot.io";
   }
-  return env.NEXTAUTH_URL === "https://app.typebot.io";
+  return env.BETTER_AUTH_URL === "https://app.typebot.io";
 };
diff --git a/apps/builder/src/helpers/isSelfHostedInstance.ts b/apps/builder/src/helpers/isSelfHostedInstance.ts
index a7890e8bdf..e928bfb93e 100644
--- a/apps/builder/src/helpers/isSelfHostedInstance.ts
+++ b/apps/builder/src/helpers/isSelfHostedInstance.ts
@@ -8,7 +8,7 @@ export const isSelfHostedInstance = () => {
     );
   }
   return (
-    env.NEXTAUTH_URL !== "https://app.typebot.io" &&
-    !env.NEXTAUTH_URL.startsWith("http://localhost")
+    env.BETTER_AUTH_URL !== "https://app.typebot.io" &&
+    !env.BETTER_AUTH_URL.startsWith("http://localhost")
   );
 };
diff --git a/apps/builder/src/lib/queryClient.ts b/apps/builder/src/lib/queryClient.ts
index bc285035cd..2e39698c1b 100644
--- a/apps/builder/src/lib/queryClient.ts
+++ b/apps/builder/src/lib/queryClient.ts
@@ -68,7 +68,7 @@ export const trpcClient = createTRPCClient<AppRouter>({
     httpLink({
       url: (() => {
         if (typeof window === "undefined")
-          return `${env.NEXTAUTH_URL}/api/trpc`;
+          return `${env.BETTER_AUTH_URL}/api/trpc`;
         return `${window.location.origin}/api/trpc`;
       })(),
       transformer: superjson,
diff --git a/apps/builder/src/pages/api/credentials/google-sheets/callback.ts b/apps/builder/src/pages/api/credentials/google-sheets/callback.ts
index 4d4f7ff4d4..6a4096c1c4 100644
--- a/apps/builder/src/pages/api/credentials/google-sheets/callback.ts
+++ b/apps/builder/src/pages/api/credentials/google-sheets/callback.ts
@@ -32,7 +32,7 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
     const oauth2Client = new OAuth2Client(
       env.GOOGLE_SHEETS_CLIENT_ID,
       env.GOOGLE_SHEETS_CLIENT_SECRET,
-      `${env.NEXTAUTH_URL}/api/credentials/google-sheets/callback`,
+      `${env.BETTER_AUTH_URL}/api/credentials/google-sheets/callback`,
     );
     const { tokens } = await oauth2Client.getToken(code);
     if (!tokens?.access_token) {
diff --git a/apps/builder/src/pages/api/credentials/google-sheets/consent-url.ts b/apps/builder/src/pages/api/credentials/google-sheets/consent-url.ts
index c8f21b7914..e25c001ce2 100644
--- a/apps/builder/src/pages/api/credentials/google-sheets/consent-url.ts
+++ b/apps/builder/src/pages/api/credentials/google-sheets/consent-url.ts
@@ -13,7 +13,7 @@ const handler = (req: NextApiRequest, res: NextApiResponse) => {
     const oauth2Client = new OAuth2Client(
       env.GOOGLE_SHEETS_CLIENT_ID,
       env.GOOGLE_SHEETS_CLIENT_SECRET,
-      `${env.NEXTAUTH_URL}/api/credentials/google-sheets/callback`,
+      `${env.BETTER_AUTH_URL}/api/credentials/google-sheets/callback`,
     );
     const url = oauth2Client.generateAuthUrl({
       access_type: "offline",
diff --git a/apps/builder/src/pages/api/typebots/[typebotId]/invitations.ts b/apps/builder/src/pages/api/typebots/[typebotId]/invitations.ts
index 8c6f3ab9a0..0f86320e62 100644
--- a/apps/builder/src/pages/api/typebots/[typebotId]/invitations.ts
+++ b/apps/builder/src/pages/api/typebots/[typebotId]/invitations.ts
@@ -88,7 +88,7 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
       });
     await sendGuestInvitationEmail({
       hostEmail: user.email ?? "",
-      url: `${env.NEXTAUTH_URL}/typebots?workspaceId=${typebot.workspaceId}`,
+      url: `${env.BETTER_AUTH_URL}/typebots?workspaceId=${typebot.workspaceId}`,
       guestEmail: email.toLowerCase(),
       typebotName: typebot.name,
       workspaceName: typebot.workspace?.name ?? "",
diff --git a/apps/builder/src/pages/api/workspaces/[workspaceId]/invitations.ts b/apps/builder/src/pages/api/workspaces/[workspaceId]/invitations.ts
index 65196ff298..ee916a5b79 100644
--- a/apps/builder/src/pages/api/workspaces/[workspaceId]/invitations.ts
+++ b/apps/builder/src/pages/api/workspaces/[workspaceId]/invitations.ts
@@ -66,7 +66,7 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
       await sendWorkspaceMemberInvitationEmail({
         workspaceName: workspace.name,
         guestEmail: data.email,
-        url: `${env.NEXTAUTH_URL}/typebots?workspaceId=${workspace.id}`,
+        url: `${env.BETTER_AUTH_URL}/typebots?workspaceId=${workspace.id}`,
         hostEmail: user.email ?? "",
       });
       return res.send({
@@ -83,7 +83,7 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
       await sendWorkspaceMemberInvitationEmail({
         workspaceName: workspace.name,
         guestEmail: data.email,
-        url: `${env.NEXTAUTH_URL}/typebots?workspaceId=${workspace.id}`,
+        url: `${env.BETTER_AUTH_URL}/typebots?workspaceId=${workspace.id}`,
         hostEmail: user.email ?? "",
       });
       return res.send({ invitation });
diff --git a/apps/viewer/next.config.mjs b/apps/viewer/next.config.mjs
index ba570b1903..ca7367bf2b 100644
--- a/apps/viewer/next.config.mjs
+++ b/apps/viewer/next.config.mjs
@@ -133,37 +133,37 @@ const nextConfig = {
           },
         ])
         .concat(
-          process.env.NEXTAUTH_URL
+          process.env.BETTER_AUTH_URL
             ? [
                 {
                   source:
                     "/api/typebots/:typebotId/blocks/:blockId/steps/:stepId/sampleResult",
-                  destination: `${process.env.NEXTAUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/getResultExample`,
+                  destination: `${process.env.BETTER_AUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/getResultExample`,
                 },
                 {
                   source:
                     "/api/typebots/:typebotId/blocks/:blockId/sampleResult",
-                  destination: `${process.env.NEXTAUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/getResultExample`,
+                  destination: `${process.env.BETTER_AUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/getResultExample`,
                 },
                 {
                   source:
                     "/api/typebots/:typebotId/blocks/:blockId/steps/:stepId/unsubscribeWebhook",
-                  destination: `${process.env.NEXTAUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/unsubscribe`,
+                  destination: `${process.env.BETTER_AUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/unsubscribe`,
                 },
                 {
                   source:
                     "/api/typebots/:typebotId/blocks/:blockId/unsubscribeWebhook",
-                  destination: `${process.env.NEXTAUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/unsubscribe`,
+                  destination: `${process.env.BETTER_AUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/unsubscribe`,
                 },
                 {
                   source:
                     "/api/typebots/:typebotId/blocks/:blockId/steps/:stepId/subscribeWebhook",
-                  destination: `${process.env.NEXTAUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/subscribe`,
+                  destination: `${process.env.BETTER_AUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/subscribe`,
                 },
                 {
                   source:
                     "/api/typebots/:typebotId/blocks/:blockId/subscribeWebhook",
-                  destination: `${process.env.NEXTAUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/subscribe`,
+                  destination: `${process.env.BETTER_AUTH_URL}/api/v1/typebots/:typebotId/webhookBlocks/:blockId/subscribe`,
                 },
               ]
             : [],
diff --git a/apps/viewer/src/pages/[[...publicId]].tsx b/apps/viewer/src/pages/[[...publicId]].tsx
index dca1e749dd..62226ebab7 100644
--- a/apps/viewer/src/pages/[[...publicId]].tsx
+++ b/apps/viewer/src/pages/[[...publicId]].tsx
@@ -56,7 +56,7 @@ export const getServerSideProps: GetServerSideProps = async (
       // Early return, will just show a root page
       return {
         props: {
-          dashboardUrl: `${env.NEXTAUTH_URL ?? "https://app.typebot.io"}/typebots`,
+          dashboardUrl: `${env.BETTER_AUTH_URL ?? "https://app.typebot.io"}/typebots`,
         },
       };
     }
diff --git a/apps/viewer/src/test/analytics.spec.ts b/apps/viewer/src/test/analytics.spec.ts
index f2acb7fc4a..d405101e35 100644
--- a/apps/viewer/src/test/analytics.spec.ts
+++ b/apps/viewer/src/test/analytics.spec.ts
@@ -12,7 +12,7 @@ test("should work as expected", async ({ page: botPage, context }) => {
   });
   const analyticsPage = await context.newPage();
   await analyticsPage.goto(
-    `${env.NEXTAUTH_URL}/typebots/${typebotId}/results/analytics`,
+    `${env.BETTER_AUTH_URL}/typebots/${typebotId}/results/analytics`,
   );
   await expect(analyticsPage.getByTestId("dropoff-edge-1")).toBeHidden();
   await botPage.goto(`/${typebotId}-public`);
diff --git a/apps/viewer/src/test/fileUpload.spec.ts b/apps/viewer/src/test/fileUpload.spec.ts
index ce812530a2..2ce0f54896 100644
--- a/apps/viewer/src/test/fileUpload.spec.ts
+++ b/apps/viewer/src/test/fileUpload.spec.ts
@@ -23,7 +23,7 @@ test("should work as expected", async ({ page, browser }) => {
     ]);
   await page.locator('text="Upload 3 files"').click();
   await expect(page.locator(`text="3 files uploaded"`)).toBeVisible();
-  await page.goto(`${env.NEXTAUTH_URL}/typebots/${typebotId}/results`);
+  await page.goto(`${env.BETTER_AUTH_URL}/typebots/${typebotId}/results`);
   await expect(page.getByRole("link", { name: "api.json" })).toHaveAttribute(
     "href",
     /.+\/api\.json/,
diff --git a/apps/viewer/src/test/results.spec.ts b/apps/viewer/src/test/results.spec.ts
index b2973f0092..90fe7687e4 100644
--- a/apps/viewer/src/test/results.spec.ts
+++ b/apps/viewer/src/test/results.spec.ts
@@ -21,7 +21,7 @@ test("Big groups should work as expected", async ({ page }) => {
   await page.locator("input").press("Enter");
   await expect(page.getByText("26")).toBeVisible();
   await page.getByRole("button", { name: "Yes" }).click();
-  await page.goto(`${env.NEXTAUTH_URL}/typebots/${typebotId}/results`);
+  await page.goto(`${env.BETTER_AUTH_URL}/typebots/${typebotId}/results`);
   await expect(page.locator('text="Baptiste"')).toBeVisible({
     timeout: 10000,
   });
diff --git a/apps/viewer/src/test/sendEmail.spec.ts b/apps/viewer/src/test/sendEmail.spec.ts
index 3159dfc12e..1e2e24efcb 100644
--- a/apps/viewer/src/test/sendEmail.spec.ts
+++ b/apps/viewer/src/test/sendEmail.spec.ts
@@ -35,7 +35,7 @@ test("should send an email", async ({ page }) => {
   await page.goto(`/${typebotId}-public`);
   await page.locator("text=Send email").click();
   await expect(page.getByText("Email sent!")).toBeVisible();
-  await page.goto(`${env.NEXTAUTH_URL}/typebots/${typebotId}/results`);
+  await page.goto(`${env.BETTER_AUTH_URL}/typebots/${typebotId}/results`);
   await page.click('text="See logs"');
   await expect(page.locator('text="Email successfully sent"')).toBeVisible();
 });
diff --git a/apps/viewer/src/test/typebotLink.spec.ts b/apps/viewer/src/test/typebotLink.spec.ts
index 5cce85bacc..c8df0b156e 100644
--- a/apps/viewer/src/test/typebotLink.spec.ts
+++ b/apps/viewer/src/test/typebotLink.spec.ts
@@ -36,7 +36,7 @@ test("should work as expected", async ({ page }) => {
   await expect(page.getByText("end 3")).toBeVisible();
   await expect(page.getByText("End", { exact: true })).toBeVisible();
   await page.goto(
-    `${env.NEXTAUTH_URL}/typebots/${publicTypebot1.typebotId}/results`,
+    `${env.BETTER_AUTH_URL}/typebots/${publicTypebot1.typebotId}/results`,
   );
   await expect(page.locator("text=Hello there!")).toBeVisible();
 });
@@ -48,12 +48,12 @@ test.describe("Merge disabled", () => {
     await page.getByPlaceholder("Type your answer...").press("Enter");
     await expect(page.getByText("Cheers!")).toBeVisible();
     await page.goto(
-      `${process.env.NEXTAUTH_URL}/typebots/${publicTypebot1MergeDisabled.typebotId}/results`,
+      `${process.env.BETTER_AUTH_URL}/typebots/${publicTypebot1MergeDisabled.typebotId}/results`,
     );
     await expect(page.locator("text=Submitted at")).toBeVisible();
     await expect(page.locator("text=Hello there!")).toBeHidden();
     await page.goto(
-      `${env.NEXTAUTH_URL}/typebots/${publicTypebot2.typebotId}/results`,
+      `${env.BETTER_AUTH_URL}/typebots/${publicTypebot2.typebotId}/results`,
     );
     await expect(page.locator("text=Hello there!")).toBeVisible();
   });
diff --git a/packages/billing/src/api/getBillingPortalUrl.ts b/packages/billing/src/api/getBillingPortalUrl.ts
index 5a0ac61419..130feb48b8 100644
--- a/packages/billing/src/api/getBillingPortalUrl.ts
+++ b/packages/billing/src/api/getBillingPortalUrl.ts
@@ -39,7 +39,7 @@ export const getBillingPortalUrl = async ({ workspaceId, user }: Props) => {
   });
   const portalSession = await stripe.billingPortal.sessions.create({
     customer: workspace.stripeId,
-    return_url: `${env.NEXTAUTH_URL}/typebots`,
+    return_url: `${env.BETTER_AUTH_URL}/typebots`,
   });
   return {
     billingPortalUrl: portalSession.url,
diff --git a/packages/blocks/fileInput/src/api/deprecated/handleGenerateUploadUrlV1.ts b/packages/blocks/fileInput/src/api/deprecated/handleGenerateUploadUrlV1.ts
index 3635a01b39..a2790f6136 100644
--- a/packages/blocks/fileInput/src/api/deprecated/handleGenerateUploadUrlV1.ts
+++ b/packages/blocks/fileInput/src/api/deprecated/handleGenerateUploadUrlV1.ts
@@ -159,7 +159,7 @@ export const handleGenerateUploadUrlV1 = async ({
     formData: presignedPostPolicy.formData,
     fileUrl:
       fileUploadBlock.options?.visibility === "Private"
-        ? `${env.NEXTAUTH_URL}/api/typebots/${typebotId}/results/${resultId}/${filePathProps.fileName}`
+        ? `${env.BETTER_AUTH_URL}/api/typebots/${typebotId}/results/${resultId}/${filePathProps.fileName}`
         : env.S3_PUBLIC_CUSTOM_DOMAIN
           ? `${env.S3_PUBLIC_CUSTOM_DOMAIN}/${filePath}`
           : `${presignedPostPolicy.postURL}/${presignedPostPolicy.formData.key}`,
diff --git a/packages/blocks/fileInput/src/api/deprecated/handleGenerateUploadUrlV2.ts b/packages/blocks/fileInput/src/api/deprecated/handleGenerateUploadUrlV2.ts
index f54f863c0f..b9f7fc666c 100644
--- a/packages/blocks/fileInput/src/api/deprecated/handleGenerateUploadUrlV2.ts
+++ b/packages/blocks/fileInput/src/api/deprecated/handleGenerateUploadUrlV2.ts
@@ -92,7 +92,7 @@ export const handleGenerateUploadUrlV2 = async ({
     formData: presignedPostPolicy.formData,
     fileUrl:
       visibility === "Private" && !isPreview
-        ? `${env.NEXTAUTH_URL}/api/typebots/${typebotId}/results/${resultId}/${fileName}`
+        ? `${env.BETTER_AUTH_URL}/api/typebots/${typebotId}/results/${resultId}/${fileName}`
         : env.S3_PUBLIC_CUSTOM_DOMAIN
           ? `${env.S3_PUBLIC_CUSTOM_DOMAIN}/${filePath}`
           : `${presignedPostPolicy.postURL}/${presignedPostPolicy.formData.key}`,
diff --git a/packages/blocks/fileInput/src/api/handleGenerateUploadUrl.ts b/packages/blocks/fileInput/src/api/handleGenerateUploadUrl.ts
index 1d4cff9e89..157f62c94e 100644
--- a/packages/blocks/fileInput/src/api/handleGenerateUploadUrl.ts
+++ b/packages/blocks/fileInput/src/api/handleGenerateUploadUrl.ts
@@ -114,7 +114,7 @@ export const handleGenerateUploadUrl = async ({
     formData: presignedPostPolicy.formData,
     fileUrl:
       visibility === "Private" && !isPreview
-        ? `${env.NEXTAUTH_URL}/api/typebots/${typebotId}/results/${resultId}/blocks/${blockId}/${fileName}`
+        ? `${env.BETTER_AUTH_URL}/api/typebots/${typebotId}/results/${resultId}/blocks/${blockId}/${fileName}`
         : env.S3_PUBLIC_CUSTOM_DOMAIN
           ? `${env.S3_PUBLIC_CUSTOM_DOMAIN}/${filePath}`
           : `${presignedPostPolicy.postURL}/${presignedPostPolicy.formData.key}`,
diff --git a/packages/bot-engine/src/blocks/integrations/chatwoot/executeChatwootBlock.ts b/packages/bot-engine/src/blocks/integrations/chatwoot/executeChatwootBlock.ts
index 5371c92175..8304c84ea2 100644
--- a/packages/bot-engine/src/blocks/integrations/chatwoot/executeChatwootBlock.ts
+++ b/packages/bot-engine/src/blocks/integrations/chatwoot/executeChatwootBlock.ts
@@ -34,7 +34,7 @@ const parseChatwootOpenCode = ({
   if(window.Typebot?.unmount) window.Typebot.unmount();
   window.$chatwoot.setCustomAttributes({
     typebot_result_url: "${
-      env.NEXTAUTH_URL
+      env.BETTER_AUTH_URL
     }/typebots/${typebotId}/results?id=${resultId}",
   });
   window.$chatwoot.toggle("open");
diff --git a/packages/bot-engine/src/blocks/integrations/sendEmail/executeSendEmailBlock.tsx b/packages/bot-engine/src/blocks/integrations/sendEmail/executeSendEmailBlock.tsx
index 155c83aac5..2745452b94 100644
--- a/packages/bot-engine/src/blocks/integrations/sendEmail/executeSendEmailBlock.tsx
+++ b/packages/bot-engine/src/blocks/integrations/sendEmail/executeSendEmailBlock.tsx
@@ -301,7 +301,7 @@ const getEmailBody = async ({
   });
   return {
     html: await renderDefaultBotNotificationEmail({
-      resultsUrl: `${env.NEXTAUTH_URL}/typebots/${typebot.id}/results`,
+      resultsUrl: `${env.BETTER_AUTH_URL}/typebots/${typebot.id}/results`,
       answers: omit(answers, "submittedAt"),
     }),
   };
@@ -348,7 +348,7 @@ const parseAttachments = (
   const urls = Array.isArray(fileUrls) ? fileUrls : fileUrls.split(", ");
   return Promise.all(
     urls.map(async (url) => {
-      if (!url.startsWith(env.NEXTAUTH_URL)) return { path: url };
+      if (!url.startsWith(env.BETTER_AUTH_URL)) return { path: url };
       const {
         typebotId: urlTypebotId,
         resultId,
diff --git a/packages/emails/marketing/V2dot22Update.tsx b/packages/emails/marketing/V2dot22Update.tsx
index 7abacfc7e1..9b5fc6e6b1 100644
--- a/packages/emails/marketing/V2dot22Update.tsx
+++ b/packages/emails/marketing/V2dot22Update.tsx
@@ -29,7 +29,7 @@ type Props = {
   firstName?: string;
 };
 
-const imagesBaseUrl = `${env.NEXTAUTH_URL}/images/emails/V2dot22Update`;
+const imagesBaseUrl = `${env.BETTER_AUTH_URL}/images/emails/V2dot22Update`;
 
 export const V2dot22Update = ({}: Props) => (
   <Html>
@@ -38,7 +38,7 @@ export const V2dot22Update = ({}: Props) => (
     <Body style={main}>
       <Container style={container}>
         <Img
-          src={`${env.NEXTAUTH_URL}/images/logo.png`}
+          src={`${env.BETTER_AUTH_URL}/images/logo.png`}
           width="32"
           height="32"
           alt="Typebot's Logo"
@@ -168,7 +168,7 @@ export const V2dot22Update = ({}: Props) => (
           Baptiste.
         </Text>
         <Img
-          src={`${env.NEXTAUTH_URL}/images/logo.png`}
+          src={`${env.BETTER_AUTH_URL}/images/logo.png`}
           width="32"
           height="32"
           alt="Typebot's Logo"
diff --git a/packages/emails/marketing/V2dot23Update.tsx b/packages/emails/marketing/V2dot23Update.tsx
index 734e799903..f6ce00e181 100644
--- a/packages/emails/marketing/V2dot23Update.tsx
+++ b/packages/emails/marketing/V2dot23Update.tsx
@@ -28,7 +28,7 @@ type Props = {
   firstName?: string;
 };
 
-const imagesBaseUrl = `${env.NEXTAUTH_URL}/images/emails/V2dot23Update`;
+const imagesBaseUrl = `${env.BETTER_AUTH_URL}/images/emails/V2dot23Update`;
 
 export const V2dot23Update = ({}: Props) => (
   <Html>
@@ -37,7 +37,7 @@ export const V2dot23Update = ({}: Props) => (
     <Body style={main}>
       <Container style={container}>
         <Img
-          src={`${env.NEXTAUTH_URL}/images/logo.png`}
+          src={`${env.BETTER_AUTH_URL}/images/logo.png`}
           width="32"
           height="32"
           alt="Typebot's Logo"
@@ -138,7 +138,7 @@ export const V2dot23Update = ({}: Props) => (
           Baptiste.
         </Text>
         <Img
-          src={`${env.NEXTAUTH_URL}/images/logo.png`}
+          src={`${env.BETTER_AUTH_URL}/images/logo.png`}
           width="32"
           height="32"
           alt="Typebot's Logo"
diff --git a/packages/emails/marketing/V2dot24Update.tsx b/packages/emails/marketing/V2dot24Update.tsx
index 5b0cb15e0d..131ad5ccaa 100644
--- a/packages/emails/marketing/V2dot24Update.tsx
+++ b/packages/emails/marketing/V2dot24Update.tsx
@@ -28,7 +28,7 @@ type Props = {
   firstName?: string;
 };
 
-const imagesBaseUrl = `${env.NEXTAUTH_URL}/images/emails/V2dot24Update`;
+const imagesBaseUrl = `${env.BETTER_AUTH_URL}/images/emails/V2dot24Update`;
 
 export const V2dot24Update = ({}: Props) => (
   <Html>
@@ -37,7 +37,7 @@ export const V2dot24Update = ({}: Props) => (
     <Body style={main}>
       <Container style={container}>
         <Img
-          src={`${env.NEXTAUTH_URL}/images/logo.png`}
+          src={`${env.BETTER_AUTH_URL}/images/logo.png`}
           width="32"
           height="32"
           alt="Typebot's Logo"
@@ -143,7 +143,7 @@ export const V2dot24Update = ({}: Props) => (
           Baptiste.
         </Text>
         <Img
-          src={`${env.NEXTAUTH_URL}/images/logo.png`}
+          src={`${env.BETTER_AUTH_URL}/images/logo.png`}
           width="32"
           height="32"
           alt="Typebot's Logo"
diff --git a/packages/emails/marketing/V2dot26Update.tsx b/packages/emails/marketing/V2dot26Update.tsx
index 47c944cc1b..16b1879ce6 100644
--- a/packages/emails/marketing/V2dot26Update.tsx
+++ b/packages/emails/marketing/V2dot26Update.tsx
@@ -4,7 +4,7 @@ import { NewsletterLayout } from "./components/NewsletterLayout";
 import { NewsletterSection } from "./components/NewsletterSection";
 import { hr, text } from "./styles";
 
-const imagesBaseUrl = `${env.NEXTAUTH_URL}/images/emails/V2dot26Update`;
+const imagesBaseUrl = `${env.BETTER_AUTH_URL}/images/emails/V2dot26Update`;
 
 export const V2dot26Update = () => (
   <NewsletterLayout preview="Unveiling Typebot's Latest Innovations - v2.26 Update! 🌟">
diff --git a/packages/emails/marketing/V3dot6Update.tsx b/packages/emails/marketing/V3dot6Update.tsx
index 8fa17bd066..c7c7e4bbe5 100644
--- a/packages/emails/marketing/V3dot6Update.tsx
+++ b/packages/emails/marketing/V3dot6Update.tsx
@@ -4,7 +4,7 @@ import { NewsletterLayout } from "./components/NewsletterLayout";
 import { NewsletterSection } from "./components/NewsletterSection";
 import { hr, text } from "./styles";
 
-const imagesBaseUrl = `${env.NEXTAUTH_URL}/images/emails/V3dot6Update`;
+const imagesBaseUrl = `${env.BETTER_AUTH_URL}/images/emails/V3dot6Update`;
 
 export const V3dot6Update = () => (
   <NewsletterLayout preview="Typebot v3.6.0 is here with a fresh new brand and exciting features! 🚀">
diff --git a/packages/emails/marketing/components/NewsletterLayout.tsx b/packages/emails/marketing/components/NewsletterLayout.tsx
index b4cb649c25..b985137878 100644
--- a/packages/emails/marketing/components/NewsletterLayout.tsx
+++ b/packages/emails/marketing/components/NewsletterLayout.tsx
@@ -22,7 +22,7 @@ export const NewsletterLayout = ({ preview, children }: Props) => (
     <Body style={main}>
       <Container style={container}>
         <Img
-          src={`${env.NEXTAUTH_URL}/images/logo.png`}
+          src={`${env.BETTER_AUTH_URL}/images/logo.png`}
           width="32"
           height="32"
           alt="Typebot's Logo"
@@ -30,7 +30,7 @@ export const NewsletterLayout = ({ preview, children }: Props) => (
         />
         {children}
         <Img
-          src={`${env.NEXTAUTH_URL}/images/logo.png`}
+          src={`${env.BETTER_AUTH_URL}/images/logo.png`}
           width="32"
           height="32"
           alt="Typebot's Logo"
diff --git a/packages/emails/transactional/InactiveWorkspaceFirstNoticeEmail.tsx b/packages/emails/transactional/InactiveWorkspaceFirstNoticeEmail.tsx
index 46d268ae65..c37d005940 100644
--- a/packages/emails/transactional/InactiveWorkspaceFirstNoticeEmail.tsx
+++ b/packages/emails/transactional/InactiveWorkspaceFirstNoticeEmail.tsx
@@ -49,7 +49,7 @@ export const InactiveWorkspaceFirstNoticeEmail = ({
         <Text style={paragraph}>
           To keep your workspace active, just{" "}
           <Link
-            href={`${env.NEXTAUTH_URL}/typebots?workspaceId=${workspaceId}`}
+            href={`${env.BETTER_AUTH_URL}/typebots?workspaceId=${workspaceId}`}
           >
             log in to your Typebot account
           </Link>{" "}
diff --git a/packages/emails/transactional/components/Logo.tsx b/packages/emails/transactional/components/Logo.tsx
index fe16c4aa79..c7f59a4da9 100644
--- a/packages/emails/transactional/components/Logo.tsx
+++ b/packages/emails/transactional/components/Logo.tsx
@@ -5,7 +5,7 @@ import React from "react";
 
 export const Logo = () => (
   <Img
-    src={`${env.NEXTAUTH_URL}/images/logo.png`}
+    src={`${env.BETTER_AUTH_URL}/images/logo.png`}
     width="32"
     height="32"
     alt="Typebot's Logo"
diff --git a/packages/env/src/index.ts b/packages/env/src/index.ts
index a13502848f..83ed93b929 100644
--- a/packages/env/src/index.ts
+++ b/packages/env/src/index.ts
@@ -71,11 +71,6 @@ const baseEnv = {
       guessBetterAuthUrlForVercelPreview,
       z.string().url(),
     ),
-    // Backwards compatibility alias - NEXTAUTH_URL still used in many places
-    NEXTAUTH_URL: z.preprocess(
-      guessBetterAuthUrlForVercelPreview,
-      z.string().url(),
-    ),
     DISABLE_SIGNUP: boolean.optional().default("false"),
     ADMIN_EMAIL: z
       .string()
diff --git a/packages/lib/src/s3/uploadFileToBucket.ts b/packages/lib/src/s3/uploadFileToBucket.ts
index 5098056b60..7df875c826 100644
--- a/packages/lib/src/s3/uploadFileToBucket.ts
+++ b/packages/lib/src/s3/uploadFileToBucket.ts
@@ -24,5 +24,5 @@ export const uploadFileToBucket = async ({
   });
 
   if (visibility === "public") return `${parseS3PublicBaseUrl()}/public/${key}`;
-  return `${env.NEXTAUTH_URL}/api/s3/private/${key}`;
+  return `${env.BETTER_AUTH_URL}/api/s3/private/${key}`;
 };
diff --git a/packages/scripts/src/helpers/checkAndReportLastHourResults.ts b/packages/scripts/src/helpers/checkAndReportLastHourResults.ts
index 5e703e9ab8..55ca542906 100644
--- a/packages/scripts/src/helpers/checkAndReportLastHourResults.ts
+++ b/packages/scripts/src/helpers/checkAndReportLastHourResults.ts
@@ -1,11 +1,7 @@
 import { createId } from "@paralleldrive/cuid2";
-import { chatsLimits, proChatTiers } from "@typebot.io/billing/constants";
 import { getChatsLimit } from "@typebot.io/billing/helpers/getChatsLimit";
 import { sendAlmostReachedChatsLimitEmail } from "@typebot.io/emails/transactional/AlmostReachedChatsLimitEmail";
-import { sendBillingCycleResetEmail } from "@typebot.io/emails/transactional/BillingCycleResetEmail";
-import { sendBillingCycleResetFailedEmail } from "@typebot.io/emails/transactional/BillingCycleResetFailedEmail";
 import { sendReachedChatsLimitEmail } from "@typebot.io/emails/transactional/ReachedChatsLimitEmail";
-import { env } from "@typebot.io/env";
 import { isDefined, isEmpty } from "@typebot.io/lib/utils";
 import { Plan, WorkspaceRole } from "@typebot.io/prisma/enum";
 import type { Prisma } from "@typebot.io/prisma/types";
@@ -53,17 +49,16 @@ export const checkAndReportLastHourResults = async () => {
     },
   });
 
-  if (isEmpty(env.STRIPE_SECRET_KEY))
+  if (isEmpty(process.env.STRIPE_SECRET_KEY))
     throw new Error("Missing STRIPE_SECRET_KEY env variable");
 
-  const stripe = new Stripe(env.STRIPE_SECRET_KEY, {
+  const stripe = new Stripe(process.env.STRIPE_SECRET_KEY, {
     apiVersion: "2024-09-30.acacia",
   });
 
   const limitWarningEmailEvents: TelemetryEvent[] = [];
   const quarantineEvents: TelemetryEvent[] = [];
   const autoUpgradeEvents: TelemetryEvent[] = [];
-  const billingCycleResetEvents: TelemetryEvent[] = [];
 
   for (const workspace of workspaces) {
     if (workspace.isQuarantined) continue;
@@ -86,8 +81,8 @@ export const checkAndReportLastHourResults = async () => {
     const isUsageBasedSubscription = isDefined(
       subscription?.items.data.find(
         (item) =>
-          item.price.id === env.STRIPE_STARTER_PRICE_ID ||
-          item.price.id === env.STRIPE_PRO_PRICE_ID,
+          item.price.id === process.env.STRIPE_STARTER_PRICE_ID ||
+          item.price.id === process.env.STRIPE_PRO_PRICE_ID,
       ),
     );
 
@@ -108,14 +103,17 @@ export const checkAndReportLastHourResults = async () => {
           autoUpgradeEvents.push(
             ...workspace.members
               .filter((member) => member.role === WorkspaceRole.ADMIN)
-              .map((member) => ({
-                name: "Subscription automatically updated" as const,
-                userId: member.user.id,
-                workspaceId: workspace.id,
-                data: {
-                  plan: Plan.PRO,
-                },
-              })),
+              .map(
+                (member) =>
+                  ({
+                    name: "Subscription automatically updated",
+                    userId: member.user.id,
+                    workspaceId: workspace.id,
+                    data: {
+                      plan: "PRO",
+                    },
+                  }) satisfies TelemetryEvent,
+              ),
           );
           await reportUsageToStripe(totalChatsUsed, {
             stripe,
@@ -135,85 +133,21 @@ export const checkAndReportLastHourResults = async () => {
           quarantineEvents.push(
             ...workspace.members
               .filter((member) => member.role === WorkspaceRole.ADMIN)
-              .map((member) => ({
-                name: "Workspace automatically quarantined" as const,
-                userId: member.user.id,
-                workspaceId: workspace.id,
-                data: {
-                  reason: "auto upgrade payment failed" as const,
-                },
-              })),
+              .map(
+                (member) =>
+                  ({
+                    name: "Workspace automatically quarantined",
+                    userId: member.user.id,
+                    workspaceId: workspace.id,
+                    data: {
+                      reason: "auto upgrade payment failed",
+                    },
+                  }) satisfies TelemetryEvent,
+              ),
           );
         }
       } else {
         await reportUsageToStripe(totalChatsUsed, { stripe, subscription });
-
-        if (workspace.plan === "PRO") {
-          const isSuspicious = await isSuspiciousWorkspace(
-            subscription,
-            totalChatsUsed,
-            workspace.plan,
-            { stripe },
-          );
-
-          if (isSuspicious) {
-            console.log(
-              `Suspicious Pro workspace ${workspace.id} collected ${totalChatsUsed} chats, resetting billing cycle...`,
-            );
-            const adminMembers = workspace.members.filter(
-              (member) => member.role === WorkspaceRole.ADMIN,
-            );
-            const adminEmails = adminMembers
-              .map((member) => member.user.email)
-              .filter(isDefined);
-
-            try {
-              await chargeAndResetBillingCycle(subscription, { stripe });
-              console.log(
-                `Successfully reset billing cycle for workspace ${workspace.id}`,
-              );
-              await sendBillingCycleResetEmail({
-                to: adminEmails,
-                workspaceName: workspace.name,
-                totalChatsUsed,
-                url: `${process.env.NEXTAUTH_URL}/typebots?workspaceId=${workspace.id}`,
-              });
-              billingCycleResetEvents.push(
-                ...adminMembers.map((member) => ({
-                  name: "Billing cycle reset" as const,
-                  userId: member.user.id,
-                  workspaceId: workspace.id,
-                })),
-              );
-              continue;
-            } catch (error) {
-              console.error(
-                `Failed to reset billing cycle for workspace ${workspace.id}, quarantining...`,
-                error,
-              );
-              await sendBillingCycleResetFailedEmail({
-                to: adminEmails,
-                workspaceName: workspace.name,
-                totalChatsUsed,
-              });
-              await prisma.workspace.updateMany({
-                where: { id: workspace.id },
-                data: { isQuarantined: true },
-              });
-              quarantineEvents.push(
-                ...adminMembers.map((member) => ({
-                  name: "Workspace automatically quarantined" as const,
-                  userId: member.user.id,
-                  workspaceId: workspace.id,
-                  data: {
-                    reason:
-                      "suspicious billing cycle reset payment failed" as const,
-                  },
-                })),
-              );
-            }
-          }
-        }
       }
     }
 
@@ -230,16 +164,19 @@ export const checkAndReportLastHourResults = async () => {
       quarantineEvents.push(
         ...workspace.members
           .filter((member) => member.role === WorkspaceRole.ADMIN)
-          .map((member) => ({
-            name: "Workspace automatically quarantined" as const,
-            userId: member.user.id,
-            workspaceId: workspace.id,
-            data: {
-              totalChatsUsed,
-              chatsLimit: workspace.chatsHardLimit ?? chatsLimit,
-              reason: "free limit reached" as const,
-            },
-          })),
+          .map(
+            (member) =>
+              ({
+                name: "Workspace automatically quarantined",
+                userId: member.user.id,
+                workspaceId: workspace.id,
+                data: {
+                  totalChatsUsed,
+                  chatsLimit: workspace.chatsHardLimit ?? chatsLimit,
+                  reason: "free limit reached",
+                },
+              }) satisfies TelemetryEvent,
+          ),
       );
     }
   }
@@ -257,12 +194,7 @@ export const checkAndReportLastHourResults = async () => {
     },
   });
 
-  await trackEvents(
-    limitWarningEmailEvents
-      .concat(quarantineEvents)
-      .concat(autoUpgradeEvents)
-      .concat(billingCycleResetEvents),
-  );
+  await trackEvents(limitWarningEmailEvents.concat(quarantineEvents));
 };
 
 const getSubscription = async (
@@ -293,14 +225,17 @@ const reportUsageToStripe = async (
     subscription,
   }: { stripe: Stripe; subscription: Stripe.Subscription },
 ) => {
-  if (!env.STRIPE_STARTER_CHATS_PRICE_ID || !env.STRIPE_PRO_CHATS_PRICE_ID)
+  if (
+    !process.env.STRIPE_STARTER_CHATS_PRICE_ID ||
+    !process.env.STRIPE_PRO_CHATS_PRICE_ID
+  )
     throw new Error(
       "Missing STRIPE_STARTER_CHATS_PRICE_ID or STRIPE_PRO_CHATS_PRICE_ID env variable",
     );
   const subscriptionItem = subscription.items.data.find(
     (item) =>
-      item.price.id === env.STRIPE_STARTER_CHATS_PRICE_ID ||
-      item.price.id === env.STRIPE_PRO_CHATS_PRICE_ID,
+      item.price.id === process.env.STRIPE_STARTER_CHATS_PRICE_ID ||
+      item.price.id === process.env.STRIPE_PRO_CHATS_PRICE_ID,
   );
 
   if (!subscriptionItem)
@@ -364,18 +299,19 @@ const autoUpgradeToPro = async (
   | { status: "error"; reason: "payment_required" | "unknown" }
 > => {
   if (
-    !env.STRIPE_STARTER_CHATS_PRICE_ID ||
-    !env.STRIPE_PRO_CHATS_PRICE_ID ||
-    !env.STRIPE_PRO_PRICE_ID ||
-    !env.STRIPE_STARTER_PRICE_ID
+    !process.env.STRIPE_STARTER_CHATS_PRICE_ID ||
+    !process.env.STRIPE_PRO_CHATS_PRICE_ID ||
+    !process.env.STRIPE_PRO_PRICE_ID ||
+    !process.env.STRIPE_STARTER_PRICE_ID
   )
     throw new Error(
       "Missing STRIPE_STARTER_CHATS_PRICE_ID or STRIPE_PRO_CHATS_PRICE_ID env variable",
     );
   const currentPlanItemId = subscription?.items.data.find((item) =>
-    [env.STRIPE_PRO_PRICE_ID, env.STRIPE_STARTER_PRICE_ID].includes(
-      item.price.id,
-    ),
+    [
+      process.env.STRIPE_PRO_PRICE_ID,
+      process.env.STRIPE_STARTER_PRICE_ID,
+    ].includes(item.price.id),
   )?.id;
 
   if (!currentPlanItemId)
@@ -385,16 +321,16 @@ const autoUpgradeToPro = async (
     items: [
       {
         id: currentPlanItemId,
-        price: env.STRIPE_PRO_PRICE_ID,
+        price: process.env.STRIPE_PRO_PRICE_ID,
         quantity: 1,
       },
       {
         id: subscription.items.data.find(
           (item) =>
-            item.price.id === env.STRIPE_STARTER_CHATS_PRICE_ID ||
-            item.price.id === env.STRIPE_PRO_CHATS_PRICE_ID,
+            item.price.id === process.env.STRIPE_STARTER_CHATS_PRICE_ID ||
+            item.price.id === process.env.STRIPE_PRO_CHATS_PRICE_ID,
         )?.id,
-        price: env.STRIPE_PRO_CHATS_PRICE_ID,
+        price: process.env.STRIPE_PRO_CHATS_PRICE_ID,
       },
     ],
     proration_behavior: "always_invoice",
@@ -454,11 +390,14 @@ async function sendLimitWarningEmails({
         workspaceName: workspace.name,
       });
       emailEvents.push(
-        ...adminMembers.map((m) => ({
-          name: "Limit warning email sent" as const,
-          userId: m.user.id,
-          workspaceId: workspace.id,
-        })),
+        ...adminMembers.map(
+          (m) =>
+            ({
+              name: "Limit warning email sent",
+              userId: m.user.id,
+              workspaceId: workspace.id,
+            }) satisfies TelemetryEvent,
+        ),
       );
       await prisma.workspace.updateMany({
         where: { id: workspace.id },
@@ -479,14 +418,17 @@ async function sendLimitWarningEmails({
       await sendReachedChatsLimitEmail({
         to,
         chatsLimit: limit,
-        url: `${env.NEXTAUTH_URL}/typebots?workspaceId=${workspace.id}`,
+        url: `${process.env.BETTER_AUTH_URL}/typebots?workspaceId=${workspace.id}`,
       });
       emailEvents.push(
-        ...adminMembers.map((m) => ({
-          name: "Limit reached email sent" as const,
-          userId: m.user.id,
-          workspaceId: workspace.id,
-        })),
+        ...adminMembers.map(
+          (m) =>
+            ({
+              name: "Limit reached email sent",
+              userId: m.user.id,
+              workspaceId: workspace.id,
+            }) satisfies TelemetryEvent,
+        ),
       );
       await prisma.workspace.updateMany({
         where: { id: workspace.id },
@@ -545,99 +487,3 @@ export const getLastHourActiveTypebotIds = async () => {
 
   return results.map((r) => r.typebotId);
 };
-
-const isSuspiciousWorkspace = async (
-  subscription: Stripe.Subscription,
-  totalChatsUsed: number,
-  plan: "STARTER" | "PRO",
-  { stripe }: { stripe: Stripe },
-) => {
-  if (plan !== "PRO" || !env.STRIPE_PRO_CHATS_PRICE_ID) return false;
-
-  const proLimit = chatsLimits[Plan.PRO];
-  if (totalChatsUsed < proLimit) return false;
-
-  const daysSincePeriodStart = Math.max(
-    (Date.now() / 1000 - subscription.current_period_start) / 86400,
-    1,
-  );
-  const dailyAverage = totalChatsUsed / daysSincePeriodStart;
-  const expectedDailyRate = proLimit / 30;
-
-  if (dailyAverage <= expectedDailyRate * 3) return false;
-
-  const invoices = await stripe.invoices.list({
-    subscription: subscription.id,
-    status: "paid",
-    limit: 12,
-    expand: ["data.lines"],
-  });
-
-  const { totalPaidOverageCents, paidInvoiceWithOverageCount } =
-    invoices.data.reduce(
-      (acc, invoice) => {
-        const overageLines = invoice.lines.data.filter(
-          (line) =>
-            line.price?.id === env.STRIPE_PRO_CHATS_PRICE_ID && line.amount > 0,
-        );
-        const overageAmount = overageLines.reduce(
-          (sum, line) => sum + line.amount,
-          0,
-        );
-        return {
-          totalPaidOverageCents: acc.totalPaidOverageCents + overageAmount,
-          paidInvoiceWithOverageCount:
-            acc.paidInvoiceWithOverageCount + (overageLines.length > 0 ? 1 : 0),
-        };
-      },
-      { totalPaidOverageCents: 0, paidInvoiceWithOverageCount: 0 },
-    );
-
-  // Multiple invoices with overage payments establishes a payment pattern
-  if (paidInvoiceWithOverageCount >= 2) return false;
-
-  const currentOverageValueCents = computeProPlanChatsCost(totalChatsUsed);
-
-  // Trust if they've historically paid at least 30% of equivalent current overage
-  if (
-    totalPaidOverageCents > 0 &&
-    totalPaidOverageCents >= currentOverageValueCents * 0.3
-  ) {
-    return false;
-  }
-
-  // Trust if subscription is at least 2 months old with at least one paid overage
-  const cycleLength = 30 * 24 * 60 * 60;
-  const monthsActive = (Date.now() / 1000 - subscription.created) / cycleLength;
-  if (monthsActive >= 2 && paidInvoiceWithOverageCount >= 1) return false;
-
-  return true;
-};
-
-const chargeAndResetBillingCycle = async (
-  subscription: Stripe.Subscription,
-  { stripe }: { stripe: Stripe },
-) =>
-  stripe.subscriptions.update(subscription.id, {
-    billing_cycle_anchor: "now",
-    proration_behavior: "create_prorations",
-    payment_behavior: "error_if_incomplete",
-  });
-
-const computeProPlanChatsCost = (totalChatsUsed: number): number => {
-  for (const tier of proChatTiers) {
-    if (tier.up_to === "inf") {
-      const previousTierLimit =
-        proChatTiers[proChatTiers.indexOf(tier) - 1]?.up_to;
-      if (typeof previousTierLimit !== "number") return 0;
-      const chatsInThisTier = totalChatsUsed - previousTierLimit;
-      const unitAmount =
-        "unit_amount_decimal" in tier ? tier.unit_amount_decimal : 0;
-      return chatsInThisTier * Number(unitAmount);
-    }
-    if (totalChatsUsed <= tier.up_to) {
-      return "flat_amount" in tier ? tier.flat_amount : 0;
-    }
-  }
-  return 0;
-};
diff --git a/packages/whatsapp/src/resumeWhatsAppFlow.ts b/packages/whatsapp/src/resumeWhatsAppFlow.ts
index 017836933b..2b3653a01a 100644
--- a/packages/whatsapp/src/resumeWhatsAppFlow.ts
+++ b/packages/whatsapp/src/resumeWhatsAppFlow.ts
@@ -263,7 +263,7 @@ const convertWhatsAppMessageToTypebotMessage = async ({
             ? extensionFromMimeType[mimeType]
             : undefined;
           fileUrl =
-            env.NEXTAUTH_URL +
+            env.BETTER_AUTH_URL +
             `/api/typebots/${typebotId}/whatsapp/media/${
               workspaceId ? `` : "preview/"
             }${mediaId}${extension ? `.${extension}` : ""}`;
diff --git a/turbo.json b/turbo.json
index 46c1f4a3e0..73ff41ffb1 100644
--- a/turbo.json
+++ b/turbo.json
@@ -18,7 +18,7 @@
       "persistent": true
     },
     "build": {
-      "env": ["VERCEL_*", "NEXTAUTH_URL", "SENTRY_*", "LANDING_PAGE_URL"],
+      "env": ["VERCEL_*", "BETTER_AUTH_URL", "SENTRY_*", "LANDING_PAGE_URL"],
       "dependsOn": ["^build", "^db:generate"],
       "outputs": [
         ".next/**",
@@ -53,17 +53,17 @@
       "cache": false
     },
     "cron:hourly": {
-      "env": ["STRIPE_*", "NEXTAUTH_URL", "SMTP_*"],
+      "env": ["STRIPE_*", "BETTER_AUTH_URL", "SMTP_*"],
       "dependsOn": ["@typebot.io/prisma#db:generate"],
       "cache": false
     },
     "cron:daily": {
-      "env": ["NEXTAUTH_URL"],
+      "env": ["BETTER_AUTH_URL"],
       "dependsOn": ["@typebot.io/prisma#db:generate"],
       "cache": false
     },
     "cron:monthly": {
-      "env": ["NEXTAUTH_URL"],
+      "env": ["BETTER_AUTH_URL"],
       "dependsOn": ["@typebot.io/prisma#db:generate"],
       "cache": false
     },

From e9e179ecb27ec218e96906bae457fe01fe819d75 Mon Sep 17 00:00:00 2001
From: Brian Johnson <brianmjohnson@users.noreply.github.com>
Date: Thu, 8 Jan 2026 22:56:31 -0800
Subject: [PATCH 06/11] fix: Update Account schema to match Better Auth field
 names

- Rename expiresAt to accessTokenExpiresAt
- Add refreshTokenExpiresAt field

Brian Johnson in useFoundry.ai

(cherry picked from commit 8461b8c5a45034f77b73dbaee426c3971efad402)
---
 packages/prisma/postgresql/schema.prisma | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/packages/prisma/postgresql/schema.prisma b/packages/prisma/postgresql/schema.prisma
index faf576dc5d..7851825934 100644
--- a/packages/prisma/postgresql/schema.prisma
+++ b/packages/prisma/postgresql/schema.prisma
@@ -85,15 +85,16 @@ model Account {
   updatedAt DateTime @updatedAt
 
   // Better Auth required fields
-  accountId    String
-  providerId   String
-  accessToken  String?
-  refreshToken String?
-  expiresAt    DateTime?
-  tokenType    String?
-  scope        String?
-  idToken      String?
-  password     String?
+  accountId             String
+  providerId            String
+  accessToken           String?
+  refreshToken          String?
+  accessTokenExpiresAt  DateTime?
+  refreshTokenExpiresAt DateTime?
+  tokenType             String?
+  scope                 String?
+  idToken               String?
+  password              String?
 
   // Relations
   userId String

From 04e2e7948638c0578c97019ce861ca71194493e0 Mon Sep 17 00:00:00 2001
From: Brian Johnson <brianmjohnson@users.noreply.github.com>
Date: Thu, 8 Jan 2026 23:01:28 -0800
Subject: [PATCH 07/11] fix: Add BUILDER_URL env var and proper Account schema
 migration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add BUILDER_URL env var for viewer to link to builder dashboard
- Create proper Prisma migration for Account schema changes:
  - Rename expiresAt → accessTokenExpiresAt
  - Add refreshTokenExpiresAt field

Brian Johnson in useFoundry.ai

(cherry picked from commit 7b28e6623d3e9abe8915992df3d20524121ad680)
---
 apps/viewer/src/pages/[[...publicId]].tsx                     | 4 +++-
 packages/env/src/index.ts                                     | 2 ++
 .../migration.sql                                             | 3 +++
 3 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 packages/prisma/postgresql/migrations/20260109070000_fix_account_token_expires_fields/migration.sql

diff --git a/apps/viewer/src/pages/[[...publicId]].tsx b/apps/viewer/src/pages/[[...publicId]].tsx
index 62226ebab7..fe31d03a8a 100644
--- a/apps/viewer/src/pages/[[...publicId]].tsx
+++ b/apps/viewer/src/pages/[[...publicId]].tsx
@@ -54,9 +54,11 @@ export const getServerSideProps: GetServerSideProps = async (
     log(`isMatchingViewerUrl: ${isMatchingViewerUrl}`);
     if (isMatchingViewerUrl && pathname === "/") {
       // Early return, will just show a root page
+      // Use BUILDER_URL if set, otherwise fall back to BETTER_AUTH_URL
+      const builderUrl = env.BUILDER_URL ?? env.BETTER_AUTH_URL ?? "https://app.typebot.io";
       return {
         props: {
-          dashboardUrl: `${env.BETTER_AUTH_URL ?? "https://app.typebot.io"}/typebots`,
+          dashboardUrl: `${builderUrl}/typebots`,
         },
       };
     }
diff --git a/packages/env/src/index.ts b/packages/env/src/index.ts
index 83ed93b929..0e30cf4d3f 100644
--- a/packages/env/src/index.ts
+++ b/packages/env/src/index.ts
@@ -71,6 +71,8 @@ const baseEnv = {
       guessBetterAuthUrlForVercelPreview,
       z.string().url(),
     ),
+    // Builder app URL (for viewer to link back to dashboard)
+    BUILDER_URL: z.string().url().optional(),
     DISABLE_SIGNUP: boolean.optional().default("false"),
     ADMIN_EMAIL: z
       .string()
diff --git a/packages/prisma/postgresql/migrations/20260109070000_fix_account_token_expires_fields/migration.sql b/packages/prisma/postgresql/migrations/20260109070000_fix_account_token_expires_fields/migration.sql
new file mode 100644
index 0000000000..36f3417898
--- /dev/null
+++ b/packages/prisma/postgresql/migrations/20260109070000_fix_account_token_expires_fields/migration.sql
@@ -0,0 +1,3 @@
+-- AlterTable: Rename expiresAt to accessTokenExpiresAt and add refreshTokenExpiresAt
+ALTER TABLE "Account" RENAME COLUMN "expiresAt" TO "accessTokenExpiresAt";
+ALTER TABLE "Account" ADD COLUMN IF NOT EXISTS "refreshTokenExpiresAt" TIMESTAMP;

From cf82ea51ae716d27e7fbe9103ffde233057822de Mon Sep 17 00:00:00 2001
From: Brian Johnson <brianmjohnson@users.noreply.github.com>
Date: Thu, 8 Jan 2026 23:07:37 -0800
Subject: [PATCH 08/11] refactor: Remove hardcoded branding, use env vars
 instead

- Add AUTH_COOKIE_DOMAIN env var for cross-subdomain SSO
- Add APP_NAME env var for email branding (defaults to "Typebot")
- Remove hardcoded ".usefoundry.ai" cookie domain
- Remove hardcoded "Foundry" branding in emails

This makes the fork upstream-friendly with no internal references.

Brian Johnson in useFoundry.ai

(cherry picked from commit 527b9a59fb16593b2ba45220f0975b04de65e77d)
---
 apps/builder/src/lib/auth/config.ts                  | 10 ++++++----
 apps/builder/src/lib/auth/send-verification-email.ts |  6 ++++--
 apps/viewer/src/lib/auth/config.ts                   | 10 ++++++----
 packages/env/src/index.ts                            |  4 ++++
 4 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/apps/builder/src/lib/auth/config.ts b/apps/builder/src/lib/auth/config.ts
index 28f25cd019..b113b10766 100644
--- a/apps/builder/src/lib/auth/config.ts
+++ b/apps/builder/src/lib/auth/config.ts
@@ -18,10 +18,12 @@ export const auth = betterAuth({
 
   // Cross-subdomain SSO configuration
   advanced: {
-    crossSubDomainCookies: {
-      enabled: true,
-      domain: ".usefoundry.ai",
-    },
+    crossSubDomainCookies: env.AUTH_COOKIE_DOMAIN
+      ? {
+          enabled: true,
+          domain: env.AUTH_COOKIE_DOMAIN,
+        }
+      : { enabled: false },
     defaultCookieAttributes: {
       sameSite: "lax",
       secure: process.env.NODE_ENV === "production",
diff --git a/apps/builder/src/lib/auth/send-verification-email.ts b/apps/builder/src/lib/auth/send-verification-email.ts
index 50a6552f27..e8f5f8c854 100644
--- a/apps/builder/src/lib/auth/send-verification-email.ts
+++ b/apps/builder/src/lib/auth/send-verification-email.ts
@@ -1,4 +1,5 @@
 import { sendEmail } from "@typebot.io/emails/helpers/sendEmail";
+import { env } from "@typebot.io/env";
 
 type SendVerificationEmailProps = {
   email: string;
@@ -11,9 +12,10 @@ export async function sendVerificationEmail({
   url,
   otp,
 }: SendVerificationEmailProps): Promise<void> {
+  const appName = env.APP_NAME;
   const subject = otp
     ? `Your verification code: ${otp}`
-    : "Sign in to your account";
+    : `Sign in to ${appName}`;
 
   const body = otp
     ? `Your verification code is: <strong>${otp}</strong><br/><br/>This code expires in 5 minutes.`
@@ -24,7 +26,7 @@ export async function sendVerificationEmail({
     subject,
     html: `
       <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto;">
-        <h2>Sign in to Foundry</h2>
+        <h2>Sign in to ${appName}</h2>
         <p>${body}</p>
         <p style="color: #666; font-size: 12px;">
           If you did not request this, you can safely ignore this email.
diff --git a/apps/viewer/src/lib/auth/config.ts b/apps/viewer/src/lib/auth/config.ts
index 21ed9137a8..d5296056dd 100644
--- a/apps/viewer/src/lib/auth/config.ts
+++ b/apps/viewer/src/lib/auth/config.ts
@@ -12,10 +12,12 @@ export const auth = betterAuth({
 
   // Cross-subdomain SSO configuration (shared with builder)
   advanced: {
-    crossSubDomainCookies: {
-      enabled: true,
-      domain: ".usefoundry.ai",
-    },
+    crossSubDomainCookies: env.AUTH_COOKIE_DOMAIN
+      ? {
+          enabled: true,
+          domain: env.AUTH_COOKIE_DOMAIN,
+        }
+      : { enabled: false },
     defaultCookieAttributes: {
       sameSite: "lax",
       secure: process.env.NODE_ENV === "production",
diff --git a/packages/env/src/index.ts b/packages/env/src/index.ts
index 0e30cf4d3f..69258b1bb0 100644
--- a/packages/env/src/index.ts
+++ b/packages/env/src/index.ts
@@ -73,6 +73,10 @@ const baseEnv = {
     ),
     // Builder app URL (for viewer to link back to dashboard)
     BUILDER_URL: z.string().url().optional(),
+    // Cookie domain for cross-subdomain SSO (e.g., ".example.com")
+    AUTH_COOKIE_DOMAIN: z.string().optional(),
+    // App name for branding in emails
+    APP_NAME: z.string().optional().default("Typebot"),
     DISABLE_SIGNUP: boolean.optional().default("false"),
     ADMIN_EMAIL: z
       .string()

From 039bb3ab838d3a8024d3349c9896f00db029f858 Mon Sep 17 00:00:00 2001
From: Brian Johnson <brianmjohnson@users.noreply.github.com>
Date: Thu, 8 Jan 2026 23:46:09 -0800
Subject: [PATCH 09/11] fix: Create workspace for new users via Better Auth
 hooks

- Fixed getAuthenticatedUser to fetch full user from DB (Better Auth
  session only returns basic fields, causing schema validation errors)
- Added workspace creation in Better Auth's databaseHooks.user.create.after
- Fixed onboardingCategories default from "{}" to "[]" (must be array)
- Added createMissingWorkspaces script to fix existing users without workspaces

This resolves the 500 errors on /api/trpc routes and the "upgrade plan
to create folders" issue caused by missing workspace records.

Brian Johnson in useFoundry.ai

(cherry picked from commit f0da2b3d297d04b7093f06b3ed64bd8ef1c2ad53)
---
 .../auth/helpers/getAuthenticatedUser.ts      |  14 ++-
 apps/builder/src/lib/auth/config.ts           | 106 ++++++++++++++----
 packages/prisma/postgresql/schema.prisma      |   2 +-
 .../scripts/src/createMissingWorkspaces.ts    |  61 ++++++++++
 4 files changed, 159 insertions(+), 24 deletions(-)
 create mode 100644 packages/scripts/src/createMissingWorkspaces.ts

diff --git a/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts b/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts
index 820d95d302..e71347457b 100644
--- a/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts
+++ b/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts
@@ -3,7 +3,6 @@ import prisma from "@typebot.io/prisma";
 import { type ClientUser, clientUserSchema } from "@typebot.io/user/schemas";
 import type { NextApiRequest, NextApiResponse } from "next";
 import { auth } from "@/lib/auth/config";
-import { headers } from "next/headers";
 
 export const getAuthenticatedUser = async (
   req: NextApiRequest,
@@ -19,10 +18,17 @@ export const getAuthenticatedUser = async (
     }),
   });
 
-  if (!session?.user) return undefined;
+  if (!session?.user?.id) return undefined;
 
-  Sentry.setUser({ id: session.user.id });
-  return clientUserSchema.parse(session.user);
+  // Fetch full user from database (Better Auth session only has basic fields)
+  const user = await prisma.user.findUnique({
+    where: { id: session.user.id },
+  });
+
+  if (!user) return undefined;
+
+  Sentry.setUser({ id: user.id });
+  return clientUserSchema.parse(user);
 };
 
 const authenticateByToken = async (
diff --git a/apps/builder/src/lib/auth/config.ts b/apps/builder/src/lib/auth/config.ts
index b113b10766..27a46dee75 100644
--- a/apps/builder/src/lib/auth/config.ts
+++ b/apps/builder/src/lib/auth/config.ts
@@ -1,13 +1,50 @@
 import { betterAuth } from "better-auth";
 import { prismaAdapter } from "better-auth/adapters/prisma";
-import { magicLink } from "better-auth/plugins/magic-link";
-import { emailOTP } from "better-auth/plugins/email-otp";
 import { admin } from "better-auth/plugins/admin";
 import { genericOAuth } from "better-auth/plugins/generic-oauth";
+import { magicLink } from "better-auth/plugins/magic-link";
+import { APIError } from "better-auth/api";
 import { env } from "@typebot.io/env";
 import prisma from "@typebot.io/prisma";
-import { sendVerificationEmail } from "./send-verification-email";
+import { Plan } from "@typebot.io/prisma/enum";
 import { getOAuthProviders } from "./providers";
+import { sendVerificationEmail } from "./send-verification-email";
+
+/**
+ * Determines the default workspace plan for a new user.
+ * Admin emails get UNLIMITED, otherwise uses DEFAULT_WORKSPACE_PLAN or FREE.
+ */
+function getDefaultWorkspacePlan(userEmail: string): Plan {
+  if (env.ADMIN_EMAIL?.some((email) => email === userEmail)) {
+    return Plan.UNLIMITED;
+  }
+  const defaultPlan = env.DEFAULT_WORKSPACE_PLAN as Plan;
+  if (defaultPlan && Object.values(Plan).includes(defaultPlan)) {
+    return defaultPlan;
+  }
+  return Plan.FREE;
+}
+
+/**
+ * Validates if an email domain is allowed based on ALLOWED_EMAIL_DOMAINS env var.
+ * When ALLOWED_EMAIL_DOMAINS is set, only emails from those domains can sign in.
+ * When not set, all email domains are allowed.
+ */
+function isEmailDomainAllowed(email: string): boolean {
+  const allowedDomains = env.ALLOWED_EMAIL_DOMAINS;
+
+  // If no domains configured, allow all
+  if (!allowedDomains || allowedDomains.length === 0) {
+    return true;
+  }
+
+  const emailDomain = email.split("@")[1]?.toLowerCase();
+  if (!emailDomain) {
+    return false;
+  }
+
+  return allowedDomains.includes(emailDomain);
+}
 
 export const auth = betterAuth({
   database: prismaAdapter(prisma, {
@@ -40,36 +77,28 @@ export const auth = betterAuth({
   },
 
   emailAndPassword: {
-    enabled: false, // Using magic link instead
+    enabled: false, // ALWAYS disabled - passwordless only (OAuth + magic link)
   },
 
   socialProviders: getOAuthProviders(),
 
   plugins: [
-    // Magic link email authentication
-    ...(env.NEXT_PUBLIC_SMTP_FROM && !env.SMTP_AUTH_DISABLED
+    // Admin plugin for user management
+    admin({
+      defaultRole: "user",
+    }),
+
+    // Magic link plugin for email-based signin (when EMAIL_LOGIN_ENABLED=true)
+    ...(env.EMAIL_LOGIN_ENABLED
       ? [
           magicLink({
             sendMagicLink: async ({ email, url }) => {
               await sendVerificationEmail({ email, url });
             },
-            expiresIn: 60 * 5, // 5 minutes
-          }),
-          emailOTP({
-            sendVerificationOTP: async ({ email, otp }) => {
-              await sendVerificationEmail({ email, otp });
-            },
-            otpLength: 6,
-            expiresIn: 60 * 5, // 5 minutes
           }),
         ]
       : []),
 
-    // Admin plugin for user management
-    admin({
-      defaultRole: "user",
-    }),
-
     // Generic OAuth for custom OIDC providers
     ...(env.CUSTOM_OAUTH_ISSUER
       ? [
@@ -117,6 +146,45 @@ export const auth = betterAuth({
       trustedProviders: ["github", "google", "facebook", "gitlab", "azure-ad", "keycloak", "custom-oauth"],
     },
   },
+
+  // Database hooks for domain filtering and workspace creation
+  databaseHooks: {
+    user: {
+      create: {
+        before: async (user) => {
+          if (!user.email) {
+            throw new APIError("BAD_REQUEST", {
+              message: "Email is required",
+            });
+          }
+
+          if (!isEmailDomainAllowed(user.email)) {
+            const allowedDomains = env.ALLOWED_EMAIL_DOMAINS?.join(", ");
+            throw new APIError("FORBIDDEN", {
+              message: `Sign-in is restricted to authorized email domains: ${allowedDomains}`,
+            });
+          }
+
+          return { data: user };
+        },
+        after: async (user) => {
+          // Create initial workspace for new users
+          const plan = getDefaultWorkspacePlan(user.email);
+          const workspaceName = user.name ? `${user.name}'s workspace` : "My workspace";
+
+          await prisma.workspace.create({
+            data: {
+              name: workspaceName,
+              plan,
+              members: {
+                create: [{ role: "ADMIN", userId: user.id }],
+              },
+            },
+          });
+        },
+      },
+    },
+  },
 });
 
 export type Auth = typeof auth;
diff --git a/packages/prisma/postgresql/schema.prisma b/packages/prisma/postgresql/schema.prisma
index 7851825934..c1a13b69cf 100644
--- a/packages/prisma/postgresql/schema.prisma
+++ b/packages/prisma/postgresql/schema.prisma
@@ -34,7 +34,7 @@ model User {
   // Typebot-specific fields
   lastActivityAt              DateTime          @default(now())
   company                     String?
-  onboardingCategories        Json              @default("{}")
+  onboardingCategories        Json              @default("[]")
   referral                    String?
   graphNavigation             GraphNavigation?
   preferredAppAppearance      String?
diff --git a/packages/scripts/src/createMissingWorkspaces.ts b/packages/scripts/src/createMissingWorkspaces.ts
new file mode 100644
index 0000000000..5ffb8238d8
--- /dev/null
+++ b/packages/scripts/src/createMissingWorkspaces.ts
@@ -0,0 +1,61 @@
+import prisma from "@typebot.io/prisma";
+import { Plan } from "@typebot.io/prisma/enum";
+import { promptAndSetEnvironment } from "./utils";
+
+/**
+ * Creates workspaces for users who don't have any workspace.
+ * This is needed after migrating from NextAuth to Better Auth,
+ * as the workspace creation hook was not in place for existing users.
+ */
+const createMissingWorkspaces = async () => {
+  await promptAndSetEnvironment("production");
+
+  // Find all users who don't have any workspace
+  const usersWithoutWorkspaces = await prisma.user.findMany({
+    where: {
+      workspaces: {
+        none: {},
+      },
+    },
+    select: {
+      id: true,
+      email: true,
+      name: true,
+    },
+  });
+
+  console.log(
+    `Found ${usersWithoutWorkspaces.length} users without workspaces`,
+  );
+
+  if (usersWithoutWorkspaces.length === 0) {
+    console.log("No users need workspace creation");
+    return;
+  }
+
+  const adminEmails = process.env.ADMIN_EMAIL?.split(",") || [];
+  const defaultPlan = (process.env.DEFAULT_WORKSPACE_PLAN as Plan) || Plan.FREE;
+
+  for (const user of usersWithoutWorkspaces) {
+    const plan = adminEmails.includes(user.email) ? Plan.UNLIMITED : defaultPlan;
+    const workspaceName = user.name ? `${user.name}'s workspace` : "My workspace";
+
+    console.log(`Creating workspace for ${user.email} with plan ${plan}...`);
+
+    await prisma.workspace.create({
+      data: {
+        name: workspaceName,
+        plan,
+        members: {
+          create: [{ role: "ADMIN", userId: user.id }],
+        },
+      },
+    });
+
+    console.log(`  ✓ Created workspace "${workspaceName}"`);
+  }
+
+  console.log("Done!");
+};
+
+createMissingWorkspaces();

From 1a93091f609dc1cc4099a699bddd4918aa2adbb2 Mon Sep 17 00:00:00 2001
From: Brian Johnson <brianmjohnson@users.noreply.github.com>
Date: Tue, 20 Jan 2026 18:04:45 -0800
Subject: [PATCH 10/11] fix: Remove domain filtering code (reserved for
 separate PR)

The domain filtering functionality (ALLOWED_EMAIL_DOMAINS and
EMAIL_LOGIN_ENABLED) will be submitted in a separate follow-up PR.
This commit keeps the core Better Auth migration clean and focused.

Brian Johnson in useFoundry.ai
---
 .../src/app/api/auth/[...all]/route.ts        |  2 +-
 .../src/app/api/s3/private/[...key]/route.ts  |  3 +-
 .../src/features/auth/api/updateUserEmail.ts  |  4 +-
 .../features/auth/components/SignInForm.tsx   | 16 ++--
 .../auth/components/SocialLoginButtons.tsx    |  4 +-
 .../auth/helpers/getAuthenticatedUser.ts      |  2 +-
 .../src/features/user/UserProvider.tsx        | 22 +++++-
 .../builder/src/features/user/server/getMe.ts |  8 +-
 apps/builder/src/lib/auth/client.ts           | 18 ++---
 apps/builder/src/lib/auth/config.ts           | 76 ++++++-------------
 .../src/lib/auth/getSessionFromContext.ts     |  4 +-
 apps/builder/src/pages/register.tsx           |  2 +-
 apps/builder/src/pages/signin.tsx             |  2 +-
 apps/docs/openapi/builder.json                | 12 +--
 .../viewer/src/app/api/auth/[...all]/route.ts |  2 +-
 apps/viewer/src/lib/auth/config.ts            |  4 +-
 apps/viewer/src/pages/[[...publicId]].tsx     |  3 +-
 bun.lock                                      | 60 +++++++++++++--
 packages/env/src/index.ts                     | 72 ++++++++++++++----
 .../scripts/src/createMissingWorkspaces.ts    |  8 +-
 20 files changed, 203 insertions(+), 121 deletions(-)

diff --git a/apps/builder/src/app/api/auth/[...all]/route.ts b/apps/builder/src/app/api/auth/[...all]/route.ts
index d441e7ea66..2a41fabc4d 100644
--- a/apps/builder/src/app/api/auth/[...all]/route.ts
+++ b/apps/builder/src/app/api/auth/[...all]/route.ts
@@ -1,4 +1,4 @@
-import { auth } from "@/lib/auth/config";
 import { toNextJsHandler } from "better-auth/next-js";
+import { auth } from "@/lib/auth/config";
 
 export const { GET, POST } = toNextJsHandler(auth);
diff --git a/apps/builder/src/app/api/s3/private/[...key]/route.ts b/apps/builder/src/app/api/s3/private/[...key]/route.ts
index f2d410ba5c..dafb7489ca 100644
--- a/apps/builder/src/app/api/s3/private/[...key]/route.ts
+++ b/apps/builder/src/app/api/s3/private/[...key]/route.ts
@@ -63,8 +63,7 @@ export const GET = async (
   });
 
   const user =
-    session?.user ??
-    (await authenticateByToken(extractBearerToken(req)));
+    session?.user ?? (await authenticateByToken(extractBearerToken(req)));
 
   if (!user) return new Response("Unauthorized", { status: 401 });
 
diff --git a/apps/builder/src/features/auth/api/updateUserEmail.ts b/apps/builder/src/features/auth/api/updateUserEmail.ts
index 3349d44e50..93746cdbb5 100644
--- a/apps/builder/src/features/auth/api/updateUserEmail.ts
+++ b/apps/builder/src/features/auth/api/updateUserEmail.ts
@@ -43,7 +43,9 @@ export const updateUserEmail = authenticatedProcedure
         message: "Invalid verification identifier format",
       });
     }
-    const newEmail = Buffer.from(identifierParts[1], "base64").toString("utf-8");
+    const newEmail = Buffer.from(identifierParts[1], "base64").toString(
+      "utf-8",
+    );
 
     if (verification.expiresAt < new Date()) {
       await deleteVerification(verification.id);
diff --git a/apps/builder/src/features/auth/components/SignInForm.tsx b/apps/builder/src/features/auth/components/SignInForm.tsx
index 90a811bb1d..70daea8bcb 100644
--- a/apps/builder/src/features/auth/components/SignInForm.tsx
+++ b/apps/builder/src/features/auth/components/SignInForm.tsx
@@ -13,9 +13,9 @@ import { useQueryState } from "nuqs";
 import type { FormEvent } from "react";
 import { useEffect, useState } from "react";
 import { TextLink } from "@/components/TextLink";
-import { toast } from "@/lib/toast";
 import { authClient, useSession } from "@/lib/auth/client";
 import type { AvailableProviders } from "@/lib/auth/getAvailableProviders";
+import { toast } from "@/lib/toast";
 import { createEmailMagicLink } from "../helpers/createEmailMagicLink";
 import { DividerWithText } from "./DividerWithText";
 import { SignInError } from "./SignInError";
@@ -27,21 +27,25 @@ type Props = {
   availableProviders: AvailableProviders;
 };
 
-export const SignInForm = ({ defaultEmail, className, availableProviders }: Props) => {
+export const SignInForm = ({
+  defaultEmail,
+  className,
+  availableProviders,
+}: Props) => {
   const { t } = useTranslate();
   const router = useRouter();
   const [authError, setAuthError] = useQueryState("error");
   const [redirectPath] = useQueryState("redirectPath");
   const { data: session, isPending } = useSession();
   const [authLoading, setAuthLoading] = useState(false);
-  const [isLoadingProviders, setIsLoadingProviders] = useState(false);
+  const [_isLoadingProviders, _setIsLoadingProviders] = useState(false);
 
   const [emailValue, setEmailValue] = useState(defaultEmail ?? "");
   const [isMagicCodeSent, setIsMagicCodeSent] = useState(false);
 
   // Check if any provider is configured
   const hasNoAuthProvider = !Object.entries(availableProviders).some(
-    ([key, value]) => key !== "customOAuthName" && value
+    ([key, value]) => key !== "customOAuthName" && value,
   );
 
   useEffect(() => {
@@ -88,7 +92,9 @@ export const SignInForm = ({ defaultEmail, className, availableProviders }: Prop
         else
           toast({
             description: t("errorMessage"),
-            details: error.message || "Check server logs to see relevent error message.",
+            details:
+              error.message ||
+              "Check server logs to see relevent error message.",
           });
       } else {
         setIsMagicCodeSent(true);
diff --git a/apps/builder/src/features/auth/components/SocialLoginButtons.tsx b/apps/builder/src/features/auth/components/SocialLoginButtons.tsx
index 4e4962b18e..f05ee2c20c 100644
--- a/apps/builder/src/features/auth/components/SocialLoginButtons.tsx
+++ b/apps/builder/src/features/auth/components/SocialLoginButtons.tsx
@@ -27,7 +27,9 @@ export const SocialLoginButtons = ({ availableProviders }: Props) => {
     query.callbackUrl?.toString() ??
     `/typebots?${stringify(omit(query, "error", "callbackUrl"))}`;
 
-  const handleSignIn = async (provider: "github" | "google" | "facebook" | "gitlab" | "microsoft") => {
+  const handleSignIn = async (
+    provider: "github" | "google" | "facebook" | "gitlab" | "microsoft",
+  ) => {
     setAuthLoading(provider);
     await authClient.signIn.social({
       provider,
diff --git a/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts b/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts
index e71347457b..c3801630fe 100644
--- a/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts
+++ b/apps/builder/src/features/auth/helpers/getAuthenticatedUser.ts
@@ -6,7 +6,7 @@ import { auth } from "@/lib/auth/config";
 
 export const getAuthenticatedUser = async (
   req: NextApiRequest,
-  res: NextApiResponse,
+  _res: NextApiResponse,
 ): Promise<ClientUser | undefined> => {
   const bearerToken = extractBearerToken(req);
   if (bearerToken) return authenticateByToken(bearerToken);
diff --git a/apps/builder/src/features/user/UserProvider.tsx b/apps/builder/src/features/user/UserProvider.tsx
index 4645f59d0e..51604016c1 100644
--- a/apps/builder/src/features/user/UserProvider.tsx
+++ b/apps/builder/src/features/user/UserProvider.tsx
@@ -30,7 +30,11 @@ export const userContext = createContext<{
 export const UserProvider = ({ children }: { children: ReactNode }) => {
   const router = useRouter();
   const { data: session, isPending } = useSession();
-  const status = isPending ? "loading" : session?.user ? "authenticated" : "unauthenticated";
+  const status = isPending
+    ? "loading"
+    : session?.user
+      ? "authenticated"
+      : "unauthenticated";
   const [currentWorkspaceId, setCurrentWorkspaceId] = useState<string>();
   const { theme, setTheme } = useTheme();
   const [localUser, setLocalUser] = useState<ClientUser>();
@@ -87,7 +91,13 @@ export const UserProvider = ({ children }: { children: ReactNode }) => {
     ) {
       router.replace("/onboarding");
     }
-  }, [router.isReady, router.pathname, status, fullUserData?.termsAcceptedAt, fullUserData?.createdAt]);
+  }, [
+    router.isReady,
+    router.pathname,
+    status,
+    fullUserData?.termsAcceptedAt,
+    fullUserData?.createdAt,
+  ]);
 
   useEffect(() => {
     if (!router.isReady) return;
@@ -107,7 +117,13 @@ export const UserProvider = ({ children }: { children: ReactNode }) => {
         { locale: preferredLanguage },
       );
     }
-  }, [router.isReady, router.locale, status, isUserLoading, fullUserData?.preferredLanguage]);
+  }, [
+    router.isReady,
+    router.locale,
+    status,
+    isUserLoading,
+    fullUserData?.preferredLanguage,
+  ]);
 
   const updateUser = async (updates: Partial<User>) => {
     if (!localUser) return;
diff --git a/apps/builder/src/features/user/server/getMe.ts b/apps/builder/src/features/user/server/getMe.ts
index 41b8e39b0b..288c410683 100644
--- a/apps/builder/src/features/user/server/getMe.ts
+++ b/apps/builder/src/features/user/server/getMe.ts
@@ -1,5 +1,5 @@
-import type { ClientUser } from "@typebot.io/user/schemas";
 import prisma from "@typebot.io/prisma";
+import type { ClientUser } from "@typebot.io/user/schemas";
 import { clientUserSchema } from "@typebot.io/user/schemas";
 import { authenticatedProcedure } from "@/helpers/server/trpc";
 
@@ -34,7 +34,9 @@ export const getMe = authenticatedProcedure
     // Transform Prisma Json types to proper TypeScript types
     return {
       ...fullUser,
-      displayedInAppNotifications: fullUser.displayedInAppNotifications as ClientUser["displayedInAppNotifications"],
-      groupTitlesAutoGeneration: fullUser.groupTitlesAutoGeneration as ClientUser["groupTitlesAutoGeneration"],
+      displayedInAppNotifications:
+        fullUser.displayedInAppNotifications as ClientUser["displayedInAppNotifications"],
+      groupTitlesAutoGeneration:
+        fullUser.groupTitlesAutoGeneration as ClientUser["groupTitlesAutoGeneration"],
     };
   });
diff --git a/apps/builder/src/lib/auth/client.ts b/apps/builder/src/lib/auth/client.ts
index 01119ff691..3848dd6351 100644
--- a/apps/builder/src/lib/auth/client.ts
+++ b/apps/builder/src/lib/auth/client.ts
@@ -1,10 +1,12 @@
 "use client";
 
+import {
+  adminClient,
+  emailOTPClient,
+  genericOAuthClient,
+  magicLinkClient,
+} from "better-auth/client/plugins";
 import { createAuthClient } from "better-auth/react";
-import { magicLinkClient } from "better-auth/client/plugins";
-import { emailOTPClient } from "better-auth/client/plugins";
-import { adminClient } from "better-auth/client/plugins";
-import { genericOAuthClient } from "better-auth/client/plugins";
 
 export const authClient = createAuthClient({
   baseURL: process.env.NEXT_PUBLIC_BETTER_AUTH_URL || "",
@@ -16,10 +18,4 @@ export const authClient = createAuthClient({
   ],
 });
 
-export const {
-  signIn,
-  signOut,
-  signUp,
-  useSession,
-  getSession,
-} = authClient;
+export const { signIn, signOut, signUp, useSession, getSession } = authClient;
diff --git a/apps/builder/src/lib/auth/config.ts b/apps/builder/src/lib/auth/config.ts
index 27a46dee75..e5e8aaf0dd 100644
--- a/apps/builder/src/lib/auth/config.ts
+++ b/apps/builder/src/lib/auth/config.ts
@@ -1,12 +1,11 @@
+import { env } from "@typebot.io/env";
+import prisma from "@typebot.io/prisma";
+import { Plan } from "@typebot.io/prisma/enum";
 import { betterAuth } from "better-auth";
 import { prismaAdapter } from "better-auth/adapters/prisma";
 import { admin } from "better-auth/plugins/admin";
 import { genericOAuth } from "better-auth/plugins/generic-oauth";
 import { magicLink } from "better-auth/plugins/magic-link";
-import { APIError } from "better-auth/api";
-import { env } from "@typebot.io/env";
-import prisma from "@typebot.io/prisma";
-import { Plan } from "@typebot.io/prisma/enum";
 import { getOAuthProviders } from "./providers";
 import { sendVerificationEmail } from "./send-verification-email";
 
@@ -25,27 +24,6 @@ function getDefaultWorkspacePlan(userEmail: string): Plan {
   return Plan.FREE;
 }
 
-/**
- * Validates if an email domain is allowed based on ALLOWED_EMAIL_DOMAINS env var.
- * When ALLOWED_EMAIL_DOMAINS is set, only emails from those domains can sign in.
- * When not set, all email domains are allowed.
- */
-function isEmailDomainAllowed(email: string): boolean {
-  const allowedDomains = env.ALLOWED_EMAIL_DOMAINS;
-
-  // If no domains configured, allow all
-  if (!allowedDomains || allowedDomains.length === 0) {
-    return true;
-  }
-
-  const emailDomain = email.split("@")[1]?.toLowerCase();
-  if (!emailDomain) {
-    return false;
-  }
-
-  return allowedDomains.includes(emailDomain);
-}
-
 export const auth = betterAuth({
   database: prismaAdapter(prisma, {
     provider: "postgresql",
@@ -88,16 +66,12 @@ export const auth = betterAuth({
       defaultRole: "user",
     }),
 
-    // Magic link plugin for email-based signin (when EMAIL_LOGIN_ENABLED=true)
-    ...(env.EMAIL_LOGIN_ENABLED
-      ? [
-          magicLink({
-            sendMagicLink: async ({ email, url }) => {
-              await sendVerificationEmail({ email, url });
-            },
-          }),
-        ]
-      : []),
+    // Magic link plugin for email-based signin
+    magicLink({
+      sendMagicLink: async ({ email, url }) => {
+        await sendVerificationEmail({ email, url });
+      },
+    }),
 
     // Generic OAuth for custom OIDC providers
     ...(env.CUSTOM_OAUTH_ISSUER
@@ -143,34 +117,28 @@ export const auth = betterAuth({
   account: {
     accountLinking: {
       enabled: true,
-      trustedProviders: ["github", "google", "facebook", "gitlab", "azure-ad", "keycloak", "custom-oauth"],
+      trustedProviders: [
+        "github",
+        "google",
+        "facebook",
+        "gitlab",
+        "azure-ad",
+        "keycloak",
+        "custom-oauth",
+      ],
     },
   },
 
-  // Database hooks for domain filtering and workspace creation
+  // Database hooks for workspace creation
   databaseHooks: {
     user: {
       create: {
-        before: async (user) => {
-          if (!user.email) {
-            throw new APIError("BAD_REQUEST", {
-              message: "Email is required",
-            });
-          }
-
-          if (!isEmailDomainAllowed(user.email)) {
-            const allowedDomains = env.ALLOWED_EMAIL_DOMAINS?.join(", ");
-            throw new APIError("FORBIDDEN", {
-              message: `Sign-in is restricted to authorized email domains: ${allowedDomains}`,
-            });
-          }
-
-          return { data: user };
-        },
         after: async (user) => {
           // Create initial workspace for new users
           const plan = getDefaultWorkspacePlan(user.email);
-          const workspaceName = user.name ? `${user.name}'s workspace` : "My workspace";
+          const workspaceName = user.name
+            ? `${user.name}'s workspace`
+            : "My workspace";
 
           await prisma.workspace.create({
             data: {
diff --git a/apps/builder/src/lib/auth/getSessionFromContext.ts b/apps/builder/src/lib/auth/getSessionFromContext.ts
index 3345bb7c30..ff0f2391c6 100644
--- a/apps/builder/src/lib/auth/getSessionFromContext.ts
+++ b/apps/builder/src/lib/auth/getSessionFromContext.ts
@@ -5,7 +5,9 @@ import { auth } from "./config";
  * Get session from GetServerSidePropsContext for pages router
  * This converts the request to headers that Better Auth can use
  */
-export async function getSessionFromContext(context: GetServerSidePropsContext) {
+export async function getSessionFromContext(
+  context: GetServerSidePropsContext,
+) {
   const { req } = context;
 
   // Build headers from the request
diff --git a/apps/builder/src/pages/register.tsx b/apps/builder/src/pages/register.tsx
index 0fe0ff2705..bc5d49a139 100644
--- a/apps/builder/src/pages/register.tsx
+++ b/apps/builder/src/pages/register.tsx
@@ -1,8 +1,8 @@
 import type { GetServerSideProps, InferGetServerSidePropsType } from "next";
 import { SignInPage } from "@/features/auth/components/SignInPage";
 import {
-  getAvailableProviders,
   type AvailableProviders,
+  getAvailableProviders,
 } from "@/lib/auth/getAvailableProviders";
 
 export const getServerSideProps: GetServerSideProps<{
diff --git a/apps/builder/src/pages/signin.tsx b/apps/builder/src/pages/signin.tsx
index 7eb6d70948..7cfe3c2a88 100644
--- a/apps/builder/src/pages/signin.tsx
+++ b/apps/builder/src/pages/signin.tsx
@@ -1,8 +1,8 @@
 import type { GetServerSideProps, InferGetServerSidePropsType } from "next";
 import { SignInPage } from "@/features/auth/components/SignInPage";
 import {
-  getAvailableProviders,
   type AvailableProviders,
+  getAvailableProviders,
 } from "@/lib/auth/getAvailableProviders";
 
 export const getServerSideProps: GetServerSideProps<{
diff --git a/apps/docs/openapi/builder.json b/apps/docs/openapi/builder.json
index 818a9260ad..3c4f2e9b4d 100644
--- a/apps/docs/openapi/builder.json
+++ b/apps/docs/openapi/builder.json
@@ -3031,12 +3031,10 @@
                             "type": "object",
                             "properties": {
                               "name": {
-                                "type": "string",
-                                "nullable": true
+                                "type": "string"
                               },
                               "email": {
-                                "type": "string",
-                                "nullable": true
+                                "type": "string"
                               },
                               "image": {
                                 "type": "string",
@@ -13507,8 +13505,7 @@
                         }
                       },
                       "name": {
-                        "type": "string",
-                        "nullable": true
+                        "type": "string"
                       },
                       "image": {
                         "type": "string",
@@ -13561,8 +13558,7 @@
                       "type": "string"
                     },
                     "name": {
-                      "type": "string",
-                      "nullable": true
+                      "type": "string"
                     },
                     "email": {
                       "type": "string"
diff --git a/apps/viewer/src/app/api/auth/[...all]/route.ts b/apps/viewer/src/app/api/auth/[...all]/route.ts
index d441e7ea66..2a41fabc4d 100644
--- a/apps/viewer/src/app/api/auth/[...all]/route.ts
+++ b/apps/viewer/src/app/api/auth/[...all]/route.ts
@@ -1,4 +1,4 @@
-import { auth } from "@/lib/auth/config";
 import { toNextJsHandler } from "better-auth/next-js";
+import { auth } from "@/lib/auth/config";
 
 export const { GET, POST } = toNextJsHandler(auth);
diff --git a/apps/viewer/src/lib/auth/config.ts b/apps/viewer/src/lib/auth/config.ts
index d5296056dd..a5f944939b 100644
--- a/apps/viewer/src/lib/auth/config.ts
+++ b/apps/viewer/src/lib/auth/config.ts
@@ -1,7 +1,7 @@
-import { betterAuth } from "better-auth";
-import { prismaAdapter } from "better-auth/adapters/prisma";
 import { env } from "@typebot.io/env";
 import prisma from "@typebot.io/prisma";
+import { betterAuth } from "better-auth";
+import { prismaAdapter } from "better-auth/adapters/prisma";
 
 export const auth = betterAuth({
   database: prismaAdapter(prisma, {
diff --git a/apps/viewer/src/pages/[[...publicId]].tsx b/apps/viewer/src/pages/[[...publicId]].tsx
index fe31d03a8a..6a338eda21 100644
--- a/apps/viewer/src/pages/[[...publicId]].tsx
+++ b/apps/viewer/src/pages/[[...publicId]].tsx
@@ -55,7 +55,8 @@ export const getServerSideProps: GetServerSideProps = async (
     if (isMatchingViewerUrl && pathname === "/") {
       // Early return, will just show a root page
       // Use BUILDER_URL if set, otherwise fall back to BETTER_AUTH_URL
-      const builderUrl = env.BUILDER_URL ?? env.BETTER_AUTH_URL ?? "https://app.typebot.io";
+      const builderUrl =
+        env.BUILDER_URL ?? env.BETTER_AUTH_URL ?? "https://app.typebot.io";
       return {
         props: {
           dashboardUrl: `${builderUrl}/typebots`,
diff --git a/bun.lock b/bun.lock
index 186abdaa2b..e5b2fe500c 100644
--- a/bun.lock
+++ b/bun.lock
@@ -1031,6 +1031,7 @@
         "@paralleldrive/cuid2": "^2.2.1",
         "@sentry/nextjs": "^10.32.1",
         "ioredis": "^5.4.1",
+        "ky": "^1.2.4",
         "minio": "^7.1.3",
         "next": "^15.5.9",
         "uuidv7": "^1.0.2",
@@ -1391,6 +1392,9 @@
     "prisma",
     "@sentry/cli",
   ],
+  "overrides": {
+    "@opentelemetry/winston-transport": "^0.10.0",
+  },
   "packages": {
     "@ai-sdk/anthropic": ["@ai-sdk/anthropic@1.2.12", "", { "dependencies": { "@ai-sdk/provider": "1.1.3", "@ai-sdk/provider-utils": "2.2.8" }, "peerDependencies": { "zod": "^3.0.0" } }, "sha512-YSzjlko7JvuiyQFmI9RN1tNZdEiZxc+6xld/0tq/VkJaHpEzGAb1yiNxxvmYVcjvfu/PcvCxAAYXmTYQQ63IHQ=="],
 
@@ -2066,7 +2070,7 @@
 
     "@opentelemetry/api": ["@opentelemetry/api@1.9.0", "", {}, "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg=="],
 
-    "@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+    "@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.57.2", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-uIX52NnTM0iBh84MShlpouI7UKqkZ7MrUszTmaypHBu4r7NofznSnQRfJ+uUeDtQDj6w8eFGg5KBLDAwAPz1+A=="],
 
     "@opentelemetry/auto-instrumentations-node": ["@opentelemetry/auto-instrumentations-node@0.66.0", "", { "dependencies": { "@opentelemetry/instrumentation": "^0.207.0", "@opentelemetry/instrumentation-amqplib": "^0.54.0", "@opentelemetry/instrumentation-aws-lambda": "^0.59.0", "@opentelemetry/instrumentation-aws-sdk": "^0.63.0", "@opentelemetry/instrumentation-bunyan": "^0.53.0", "@opentelemetry/instrumentation-cassandra-driver": "^0.53.0", "@opentelemetry/instrumentation-connect": "^0.51.0", "@opentelemetry/instrumentation-cucumber": "^0.23.0", "@opentelemetry/instrumentation-dataloader": "^0.25.0", "@opentelemetry/instrumentation-dns": "^0.51.0", "@opentelemetry/instrumentation-express": "^0.56.0", "@opentelemetry/instrumentation-fastify": "^0.52.0", "@opentelemetry/instrumentation-fs": "^0.27.0", "@opentelemetry/instrumentation-generic-pool": "^0.51.0", "@opentelemetry/instrumentation-graphql": "^0.55.0", "@opentelemetry/instrumentation-grpc": "^0.207.0", "@opentelemetry/instrumentation-hapi": "^0.54.0", "@opentelemetry/instrumentation-http": "^0.207.0", "@opentelemetry/instrumentation-ioredis": "^0.55.0", "@opentelemetry/instrumentation-kafkajs": "^0.17.0", "@opentelemetry/instrumentation-knex": "^0.52.0", "@opentelemetry/instrumentation-koa": "^0.56.0", "@opentelemetry/instrumentation-lru-memoizer": "^0.52.0", "@opentelemetry/instrumentation-memcached": "^0.51.0", "@opentelemetry/instrumentation-mongodb": "^0.60.0", "@opentelemetry/instrumentation-mongoose": "^0.54.0", "@opentelemetry/instrumentation-mysql": "^0.53.0", "@opentelemetry/instrumentation-mysql2": "^0.54.0", "@opentelemetry/instrumentation-nestjs-core": "^0.54.0", "@opentelemetry/instrumentation-net": "^0.51.0", "@opentelemetry/instrumentation-openai": "^0.5.0", "@opentelemetry/instrumentation-oracledb": "^0.33.0", "@opentelemetry/instrumentation-pg": "^0.60.0", "@opentelemetry/instrumentation-pino": "^0.54.0", "@opentelemetry/instrumentation-redis": "^0.56.0", "@opentelemetry/instrumentation-restify": "^0.53.0", "@opentelemetry/instrumentation-router": "^0.52.0", "@opentelemetry/instrumentation-runtime-node": "^0.21.0", "@opentelemetry/instrumentation-socket.io": "^0.54.0", "@opentelemetry/instrumentation-tedious": "^0.26.0", "@opentelemetry/instrumentation-undici": "^0.18.0", "@opentelemetry/instrumentation-winston": "^0.52.0", "@opentelemetry/resource-detector-alibaba-cloud": "^0.31.10", "@opentelemetry/resource-detector-aws": "^2.7.0", "@opentelemetry/resource-detector-azure": "^0.15.0", "@opentelemetry/resource-detector-container": "^0.7.10", "@opentelemetry/resource-detector-gcp": "^0.42.0", "@opentelemetry/resources": "^2.0.0", "@opentelemetry/sdk-node": "^0.207.0" }, "peerDependencies": { "@opentelemetry/api": "^1.4.1", "@opentelemetry/core": "^2.0.0" } }, "sha512-WedJs0Qr6qMK/a4qv1X4L0iGAnLma33TEeUpo6Jb8JpK3ZVpm/M3kD+CSwQ6BSJQ4TMymFonGrR+xF7qpDbXUQ=="],
 
@@ -2218,7 +2222,7 @@
 
     "@opentelemetry/sql-common": ["@opentelemetry/sql-common@0.41.2", "", { "dependencies": { "@opentelemetry/core": "^2.0.0" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0" } }, "sha512-4mhWm3Z8z+i508zQJ7r6Xi7y4mmoJpdvH0fZPFRkWrdp5fq7hhZ2HhYokEOLkfqSMgPR4Z9EyB3DBkbKGOqZiQ=="],
 
-    "@opentelemetry/winston-transport": ["@opentelemetry/winston-transport@0.19.0", "", { "dependencies": { "@opentelemetry/api-logs": "^0.208.0", "winston-transport": "4.*" } }, "sha512-MeG0fGNcpAhW9J9LiHgAJqIPySzj1xHCx4F+2R0ir4fzvm0ghKQRv6iUm3u1AhyKKJzDBeoHu7W98jJHNw8dnA=="],
+    "@opentelemetry/winston-transport": ["@opentelemetry/winston-transport@0.10.1", "", { "dependencies": { "@opentelemetry/api-logs": "^0.57.1", "winston-transport": "4.*" } }, "sha512-Lr3YObi3ncWdwfrsxTKwMR9Cah3QYN21G88Ost9c7EnKtFb+H2/I0mNzyk8OqItlI4HgeBWznLlZSwcM74tDKQ=="],
 
     "@orpc/client": ["@orpc/client@1.12.3", "", { "dependencies": { "@orpc/shared": "1.12.3", "@orpc/standard-server": "1.12.3", "@orpc/standard-server-fetch": "1.12.3", "@orpc/standard-server-peer": "1.12.3" } }, "sha512-Bk0Z1k6Yiny/sRRtvPRIzPi9w2lIGXadtaTdBI6G0qkhTicKYYABi6bnkchKLN+Ud6zOqD8XwZAe/NuZPz32XQ=="],
 
@@ -7528,12 +7532,58 @@
 
     "@opentelemetry/auto-instrumentations-node/@opentelemetry/resources/@opentelemetry/semantic-conventions": ["@opentelemetry/semantic-conventions@1.36.0", "", {}, "sha512-TtxJSRD8Ohxp6bKkhrm27JRHAxPczQA7idtcTOMYI+wQRRrfgqxHv1cFbCApcSnNjtXkmzFozn6jQtFrOmbjPQ=="],
 
+    "@opentelemetry/instrumentation-amqplib/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-connect/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-dataloader/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-express/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-fs/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-generic-pool/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-graphql/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-hapi/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-http/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-ioredis/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-kafkajs/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-knex/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-koa/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-lru-memoizer/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-mongodb/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-mongoose/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-mysql/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-mysql2/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-pg/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
     "@opentelemetry/instrumentation-pino/@opentelemetry/core/@opentelemetry/semantic-conventions": ["@opentelemetry/semantic-conventions@1.36.0", "", {}, "sha512-TtxJSRD8Ohxp6bKkhrm27JRHAxPczQA7idtcTOMYI+wQRRrfgqxHv1cFbCApcSnNjtXkmzFozn6jQtFrOmbjPQ=="],
 
+    "@opentelemetry/instrumentation-redis/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-tedious/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
+    "@opentelemetry/instrumentation-undici/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
     "@opentelemetry/resource-detector-gcp/gcp-metadata/gaxios": ["gaxios@6.7.1", "", { "dependencies": { "extend": "^3.0.2", "https-proxy-agent": "^7.0.1", "is-stream": "^2.0.0", "node-fetch": "^2.6.9", "uuid": "^9.0.1" } }, "sha512-LDODD4TMYx7XXdpwxAVRAIAuB0bzv0s+ywFonY46k126qzQHT9ygyoa9tncmOiQmmDrik65UYsEkv3lbfqQ3yQ=="],
 
     "@opentelemetry/resource-detector-gcp/gcp-metadata/google-logging-utils": ["google-logging-utils@0.0.2", "", {}, "sha512-NEgUnEcBiP5HrPzufUkBzJOD/Sxsco3rLNo1F1TNf7ieU8ryUzBhqba8r756CjLX7rn3fHl6iLEwPYuqpoKgQQ=="],
 
+    "@prisma/instrumentation/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
     "@puppeteer/browsers/tar-fs/tar-stream": ["tar-stream@3.1.7", "", { "dependencies": { "b4a": "^1.6.4", "fast-fifo": "^1.2.0", "streamx": "^2.15.0" } }, "sha512-qJj60CXt7IU1Ffyc3NJMjh6EkuCFej46zUqJ4J7pqYlThyd9bO0XBTmcOIhSzZJVWfsLks0+nle/j538YAW9RQ=="],
 
     "@puppeteer/browsers/yargs/cliui": ["cliui@8.0.1", "", { "dependencies": { "string-width": "^4.2.0", "strip-ansi": "^6.0.1", "wrap-ansi": "^7.0.0" } }, "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ=="],
@@ -7594,6 +7644,8 @@
 
     "@sentry/cli/https-proxy-agent/agent-base": ["agent-base@6.0.2", "", { "dependencies": { "debug": "4" } }, "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ=="],
 
+    "@sentry/node/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.208.0", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg=="],
+
     "@tanstack/directive-functions-plugin/@babel/core/@babel/helpers": ["@babel/helpers@7.28.3", "", { "dependencies": { "@babel/template": "^7.27.2", "@babel/types": "^7.28.2" } }, "sha512-PTNtvUQihsAsDHMOP5pfobP8C6CM4JWXmP8DrEIt46c3r2bf87Ua1zoqevsMo9g+tWDwgWrFP5EIxuBx5RudAw=="],
 
     "@tanstack/directive-functions-plugin/@babel/core/@babel/parser": ["@babel/parser@7.28.3", "", { "dependencies": { "@babel/types": "^7.28.2" }, "bin": "./bin/babel-parser.js" }, "sha512-7+Ey1mAgYqFAx2h0RuoxcQT5+MlG3GTV0TQrgr7/ZliKsm/MNDxVVutlWaziMq7wJNAz8MTqz55XLpWvva6StA=="],
@@ -8476,8 +8528,6 @@
 
     "@inngest/realtime/inngest/@opentelemetry/exporter-trace-otlp-http/@opentelemetry/otlp-transformer": ["@opentelemetry/otlp-transformer@0.57.2", "", { "dependencies": { "@opentelemetry/api-logs": "0.57.2", "@opentelemetry/core": "1.30.1", "@opentelemetry/resources": "1.30.1", "@opentelemetry/sdk-logs": "0.57.2", "@opentelemetry/sdk-metrics": "1.30.1", "@opentelemetry/sdk-trace-base": "1.30.1", "protobufjs": "^7.3.0" }, "peerDependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-48IIRj49gbQVK52jYsw70+Jv+JbahT8BqT2Th7C4H7RCM9d0gZ5sgNPoMpWldmfjvIsSgiGJtjfk9MeZvjhoig=="],
 
-    "@inngest/realtime/inngest/@opentelemetry/instrumentation/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.57.2", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-uIX52NnTM0iBh84MShlpouI7UKqkZ7MrUszTmaypHBu4r7NofznSnQRfJ+uUeDtQDj6w8eFGg5KBLDAwAPz1+A=="],
-
     "@inngest/realtime/inngest/@opentelemetry/instrumentation/import-in-the-middle": ["import-in-the-middle@1.14.2", "", { "dependencies": { "acorn": "^8.14.0", "acorn-import-attributes": "^1.9.5", "cjs-module-lexer": "^1.2.2", "module-details-from-path": "^1.0.3" } }, "sha512-5tCuY9BV8ujfOpwtAGgsTx9CGUapcFMEEyByLv1B+v2+6DhAcw+Zr0nhQT7uwaZ7DiourxFEscghOR8e1aPLQw=="],
 
     "@inngest/realtime/inngest/@opentelemetry/instrumentation/require-in-the-middle": ["require-in-the-middle@7.5.2", "", { "dependencies": { "debug": "^4.3.5", "module-details-from-path": "^1.0.3", "resolve": "^1.22.8" } }, "sha512-gAZ+kLqBdHarXB64XpAe2VCjB7rIRv+mU8tfRWziHRJ5umKsIHN2tLLv6EtMw7WCdP19S0ERVMldNvxYCHnhSQ=="],
@@ -9182,8 +9232,6 @@
 
     "@inngest/realtime/inngest/@opentelemetry/exporter-trace-otlp-http/@opentelemetry/core/@opentelemetry/semantic-conventions": ["@opentelemetry/semantic-conventions@1.28.0", "", {}, "sha512-lp4qAiMTD4sNWW4DbKLBkfiMZ4jbAboJIGOQr5DvciMRI494OapieI9qiODpOt0XBr1LjIDy1xAGAnVs5supTA=="],
 
-    "@inngest/realtime/inngest/@opentelemetry/exporter-trace-otlp-http/@opentelemetry/otlp-transformer/@opentelemetry/api-logs": ["@opentelemetry/api-logs@0.57.2", "", { "dependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-uIX52NnTM0iBh84MShlpouI7UKqkZ7MrUszTmaypHBu4r7NofznSnQRfJ+uUeDtQDj6w8eFGg5KBLDAwAPz1+A=="],
-
     "@inngest/realtime/inngest/@opentelemetry/exporter-trace-otlp-http/@opentelemetry/otlp-transformer/@opentelemetry/sdk-logs": ["@opentelemetry/sdk-logs@0.57.2", "", { "dependencies": { "@opentelemetry/api-logs": "0.57.2", "@opentelemetry/core": "1.30.1", "@opentelemetry/resources": "1.30.1" }, "peerDependencies": { "@opentelemetry/api": ">=1.4.0 <1.10.0" } }, "sha512-TXFHJ5c+BKggWbdEQ/inpgIzEmS2BGQowLE9UhsMd7YYlUfBQJ4uax0VF/B5NYigdM/75OoJGhAV3upEhK+3gg=="],
 
     "@inngest/realtime/inngest/@opentelemetry/exporter-trace-otlp-http/@opentelemetry/otlp-transformer/@opentelemetry/sdk-metrics": ["@opentelemetry/sdk-metrics@1.30.1", "", { "dependencies": { "@opentelemetry/core": "1.30.1", "@opentelemetry/resources": "1.30.1" }, "peerDependencies": { "@opentelemetry/api": ">=1.3.0 <1.10.0" } }, "sha512-q9zcZ0Okl8jRgmy7eNW3Ku1XSgg3sDLa5evHZpCwjspw7E8Is4K/haRPDJrBcX3YSn/Y7gUvFnByNYEKQNbNog=="],
diff --git a/packages/env/src/index.ts b/packages/env/src/index.ts
index 69258b1bb0..aa775259cb 100644
--- a/packages/env/src/index.ts
+++ b/packages/env/src/index.ts
@@ -132,15 +132,39 @@ const baseEnv = {
     ),
     NEXT_PUBLIC_ONBOARDING_TYPEBOT_ID: z.string().min(1).optional(),
     // Auth provider flags (client-side visibility for sign-in UI)
-    NEXT_PUBLIC_GITHUB_ENABLED: z.string().optional().transform(v => v === "true"),
-    NEXT_PUBLIC_GOOGLE_ENABLED: z.string().optional().transform(v => v === "true"),
-    NEXT_PUBLIC_FACEBOOK_ENABLED: z.string().optional().transform(v => v === "true"),
-    NEXT_PUBLIC_GITLAB_ENABLED: z.string().optional().transform(v => v === "true"),
-    NEXT_PUBLIC_AZURE_ENABLED: z.string().optional().transform(v => v === "true"),
-    NEXT_PUBLIC_KEYCLOAK_ENABLED: z.string().optional().transform(v => v === "true"),
-    NEXT_PUBLIC_CUSTOM_OAUTH_ENABLED: z.string().optional().transform(v => v === "true"),
+    NEXT_PUBLIC_GITHUB_ENABLED: z
+      .string()
+      .optional()
+      .transform((v) => v === "true"),
+    NEXT_PUBLIC_GOOGLE_ENABLED: z
+      .string()
+      .optional()
+      .transform((v) => v === "true"),
+    NEXT_PUBLIC_FACEBOOK_ENABLED: z
+      .string()
+      .optional()
+      .transform((v) => v === "true"),
+    NEXT_PUBLIC_GITLAB_ENABLED: z
+      .string()
+      .optional()
+      .transform((v) => v === "true"),
+    NEXT_PUBLIC_AZURE_ENABLED: z
+      .string()
+      .optional()
+      .transform((v) => v === "true"),
+    NEXT_PUBLIC_KEYCLOAK_ENABLED: z
+      .string()
+      .optional()
+      .transform((v) => v === "true"),
+    NEXT_PUBLIC_CUSTOM_OAUTH_ENABLED: z
+      .string()
+      .optional()
+      .transform((v) => v === "true"),
     NEXT_PUBLIC_CUSTOM_OAUTH_NAME: z.string().optional(),
-    NEXT_PUBLIC_EMAIL_ENABLED: z.string().optional().transform(v => v === "true"),
+    NEXT_PUBLIC_EMAIL_ENABLED: z
+      .string()
+      .optional()
+      .transform((v) => v === "true"),
     NEXT_PUBLIC_BOT_FILE_UPLOAD_MAX_SIZE: z.coerce.number().optional(),
     NEXT_PUBLIC_CHAT_API_URL: z.string().url().optional(),
     NEXT_PUBLIC_VIEWER_404_TITLE: z.string().optional().default("404"),
@@ -150,20 +174,36 @@ const baseEnv = {
       .default("The bot you're looking for doesn't exist"),
   },
   runtimeEnv: {
-    NEXT_PUBLIC_BETTER_AUTH_URL: getRuntimeVariable("NEXT_PUBLIC_BETTER_AUTH_URL"),
+    NEXT_PUBLIC_BETTER_AUTH_URL: getRuntimeVariable(
+      "NEXT_PUBLIC_BETTER_AUTH_URL",
+    ),
     NEXT_PUBLIC_VIEWER_URL: getRuntimeVariable("NEXT_PUBLIC_VIEWER_URL"),
     NEXT_PUBLIC_ONBOARDING_TYPEBOT_ID: getRuntimeVariable(
       "NEXT_PUBLIC_ONBOARDING_TYPEBOT_ID",
     ),
     // Auth provider flags
-    NEXT_PUBLIC_GITHUB_ENABLED: getRuntimeVariable("NEXT_PUBLIC_GITHUB_ENABLED"),
-    NEXT_PUBLIC_GOOGLE_ENABLED: getRuntimeVariable("NEXT_PUBLIC_GOOGLE_ENABLED"),
-    NEXT_PUBLIC_FACEBOOK_ENABLED: getRuntimeVariable("NEXT_PUBLIC_FACEBOOK_ENABLED"),
-    NEXT_PUBLIC_GITLAB_ENABLED: getRuntimeVariable("NEXT_PUBLIC_GITLAB_ENABLED"),
+    NEXT_PUBLIC_GITHUB_ENABLED: getRuntimeVariable(
+      "NEXT_PUBLIC_GITHUB_ENABLED",
+    ),
+    NEXT_PUBLIC_GOOGLE_ENABLED: getRuntimeVariable(
+      "NEXT_PUBLIC_GOOGLE_ENABLED",
+    ),
+    NEXT_PUBLIC_FACEBOOK_ENABLED: getRuntimeVariable(
+      "NEXT_PUBLIC_FACEBOOK_ENABLED",
+    ),
+    NEXT_PUBLIC_GITLAB_ENABLED: getRuntimeVariable(
+      "NEXT_PUBLIC_GITLAB_ENABLED",
+    ),
     NEXT_PUBLIC_AZURE_ENABLED: getRuntimeVariable("NEXT_PUBLIC_AZURE_ENABLED"),
-    NEXT_PUBLIC_KEYCLOAK_ENABLED: getRuntimeVariable("NEXT_PUBLIC_KEYCLOAK_ENABLED"),
-    NEXT_PUBLIC_CUSTOM_OAUTH_ENABLED: getRuntimeVariable("NEXT_PUBLIC_CUSTOM_OAUTH_ENABLED"),
-    NEXT_PUBLIC_CUSTOM_OAUTH_NAME: getRuntimeVariable("NEXT_PUBLIC_CUSTOM_OAUTH_NAME"),
+    NEXT_PUBLIC_KEYCLOAK_ENABLED: getRuntimeVariable(
+      "NEXT_PUBLIC_KEYCLOAK_ENABLED",
+    ),
+    NEXT_PUBLIC_CUSTOM_OAUTH_ENABLED: getRuntimeVariable(
+      "NEXT_PUBLIC_CUSTOM_OAUTH_ENABLED",
+    ),
+    NEXT_PUBLIC_CUSTOM_OAUTH_NAME: getRuntimeVariable(
+      "NEXT_PUBLIC_CUSTOM_OAUTH_NAME",
+    ),
     NEXT_PUBLIC_EMAIL_ENABLED: getRuntimeVariable("NEXT_PUBLIC_EMAIL_ENABLED"),
     NEXT_PUBLIC_BOT_FILE_UPLOAD_MAX_SIZE: getRuntimeVariable(
       "NEXT_PUBLIC_BOT_FILE_UPLOAD_MAX_SIZE",
diff --git a/packages/scripts/src/createMissingWorkspaces.ts b/packages/scripts/src/createMissingWorkspaces.ts
index 5ffb8238d8..f50c83ebd0 100644
--- a/packages/scripts/src/createMissingWorkspaces.ts
+++ b/packages/scripts/src/createMissingWorkspaces.ts
@@ -37,8 +37,12 @@ const createMissingWorkspaces = async () => {
   const defaultPlan = (process.env.DEFAULT_WORKSPACE_PLAN as Plan) || Plan.FREE;
 
   for (const user of usersWithoutWorkspaces) {
-    const plan = adminEmails.includes(user.email) ? Plan.UNLIMITED : defaultPlan;
-    const workspaceName = user.name ? `${user.name}'s workspace` : "My workspace";
+    const plan = adminEmails.includes(user.email)
+      ? Plan.UNLIMITED
+      : defaultPlan;
+    const workspaceName = user.name
+      ? `${user.name}'s workspace`
+      : "My workspace";
 
     console.log(`Creating workspace for ${user.email} with plan ${plan}...`);
 

From d22fc1607d0024488a6e1eaabe65d17316c3a333 Mon Sep 17 00:00:00 2001
From: Brian Johnson <brianmjohnson@users.noreply.github.com>
Date: Thu, 8 Jan 2026 18:37:10 -0800
Subject: [PATCH 11/11] feat: Add domain filtering and passwordless email
 signin env vars

- ALLOWED_EMAIL_DOMAINS: Restrict signin to specific email domains
- EMAIL_LOGIN_ENABLED: Enable/disable magic link passwordless signin
- emailAndPassword always disabled (no passwords in system)
- Domain filtering via databaseHooks on user creation

Brian Johnson in useFoundry.ai

(cherry picked from commit acda04d207e962c8469773bab6a75adea42e319f)
---
 apps/builder/src/lib/auth/config.ts           | 56 ++++++++++++++++---
 .../src/lib/auth/getAvailableProviders.ts     |  3 +-
 packages/env/src/index.ts                     | 10 ++++
 3 files changed, 61 insertions(+), 8 deletions(-)

diff --git a/apps/builder/src/lib/auth/config.ts b/apps/builder/src/lib/auth/config.ts
index e5e8aaf0dd..185aca97e0 100644
--- a/apps/builder/src/lib/auth/config.ts
+++ b/apps/builder/src/lib/auth/config.ts
@@ -3,6 +3,7 @@ import prisma from "@typebot.io/prisma";
 import { Plan } from "@typebot.io/prisma/enum";
 import { betterAuth } from "better-auth";
 import { prismaAdapter } from "better-auth/adapters/prisma";
+import { APIError } from "better-auth/api";
 import { admin } from "better-auth/plugins/admin";
 import { genericOAuth } from "better-auth/plugins/generic-oauth";
 import { magicLink } from "better-auth/plugins/magic-link";
@@ -24,6 +25,27 @@ function getDefaultWorkspacePlan(userEmail: string): Plan {
   return Plan.FREE;
 }
 
+/**
+ * Validates if an email domain is allowed based on ALLOWED_EMAIL_DOMAINS env var.
+ * When ALLOWED_EMAIL_DOMAINS is set, only emails from those domains can sign in.
+ * When not set, all email domains are allowed.
+ */
+function isEmailDomainAllowed(email: string): boolean {
+  const allowedDomains = env.ALLOWED_EMAIL_DOMAINS;
+
+  // If no domains configured, allow all
+  if (!allowedDomains || allowedDomains.length === 0) {
+    return true;
+  }
+
+  const emailDomain = email.split("@")[1]?.toLowerCase();
+  if (!emailDomain) {
+    return false;
+  }
+
+  return allowedDomains.includes(emailDomain);
+}
+
 export const auth = betterAuth({
   database: prismaAdapter(prisma, {
     provider: "postgresql",
@@ -66,12 +88,16 @@ export const auth = betterAuth({
       defaultRole: "user",
     }),
 
-    // Magic link plugin for email-based signin
-    magicLink({
-      sendMagicLink: async ({ email, url }) => {
-        await sendVerificationEmail({ email, url });
-      },
-    }),
+    // Magic link plugin for email-based signin (when EMAIL_LOGIN_ENABLED=true)
+    ...(env.EMAIL_LOGIN_ENABLED
+      ? [
+          magicLink({
+            sendMagicLink: async ({ email, url }) => {
+              await sendVerificationEmail({ email, url });
+            },
+          }),
+        ]
+      : []),
 
     // Generic OAuth for custom OIDC providers
     ...(env.CUSTOM_OAUTH_ISSUER
@@ -129,10 +155,26 @@ export const auth = betterAuth({
     },
   },
 
-  // Database hooks for workspace creation
+  // Database hooks for domain filtering and workspace creation
   databaseHooks: {
     user: {
       create: {
+        before: async (user) => {
+          if (!user.email) {
+            throw new APIError("BAD_REQUEST", {
+              message: "Email is required",
+            });
+          }
+
+          if (!isEmailDomainAllowed(user.email)) {
+            const allowedDomains = env.ALLOWED_EMAIL_DOMAINS?.join(", ");
+            throw new APIError("FORBIDDEN", {
+              message: `Sign-in is restricted to authorized email domains: ${allowedDomains}`,
+            });
+          }
+
+          return { data: user };
+        },
         after: async (user) => {
           // Create initial workspace for new users
           const plan = getDefaultWorkspacePlan(user.email);
diff --git a/apps/builder/src/lib/auth/getAvailableProviders.ts b/apps/builder/src/lib/auth/getAvailableProviders.ts
index 99c27320a6..78be3462e4 100644
--- a/apps/builder/src/lib/auth/getAvailableProviders.ts
+++ b/apps/builder/src/lib/auth/getAvailableProviders.ts
@@ -40,6 +40,7 @@ export function getAvailableProviders(): AvailableProviders {
       env.CUSTOM_OAUTH_ISSUER
     ),
     customOAuthName: env.CUSTOM_OAUTH_NAME,
-    email: !!(env.NEXT_PUBLIC_SMTP_FROM && !env.SMTP_AUTH_DISABLED),
+    // Email/magic link controlled by EMAIL_LOGIN_ENABLED env var
+    email: env.EMAIL_LOGIN_ENABLED,
   };
 }
diff --git a/packages/env/src/index.ts b/packages/env/src/index.ts
index aa775259cb..857015bd36 100644
--- a/packages/env/src/index.ts
+++ b/packages/env/src/index.ts
@@ -78,6 +78,16 @@ const baseEnv = {
     // App name for branding in emails
     APP_NAME: z.string().optional().default("Typebot"),
     DISABLE_SIGNUP: boolean.optional().default("false"),
+    // Email domain filtering: comma-separated list of allowed domains
+    // When set, only emails from these domains can sign in
+    // When not set, all email domains are allowed
+    ALLOWED_EMAIL_DOMAINS: z
+      .string()
+      .optional()
+      .transform((val) => val?.split(",").map((d) => d.trim().toLowerCase())),
+    // Enable/disable email-based magic link signin
+    // When false or not set, only OAuth providers are available
+    EMAIL_LOGIN_ENABLED: boolean.optional().default("false"),
     ADMIN_EMAIL: z
       .string()
       .min(1)