Better Auth, by a self-taught Ethiopian dev, raises $5M from Peak XV, YC

Product & Monetization

  • Better Auth is praised as a well-designed, embeddable TypeScript/Node auth framework that runs directly against the app’s own database, rather than as an external hosted service.
  • Commenters expect an open-core + cloud-hosting model: free self-hosted library, plus a paid managed service and enterprise features (e.g., SSO, infra add-ons).
  • Some fear “enshittification” now that VC money is involved, anticipating critical features like enterprise SSO being locked behind expensive tiers.

Technical Approach & Comparisons

  • Key selling point: no separate auth server; just your app and DB. This is compared favorably to Firebase, Auth0, Clerk, Supabase, Cognito, Ory Kratos, Keycloak, and Supertokens for single-app use cases.
  • Others argue that at scale or with multiple apps, a separate identity service is beneficial for SSO, shared identity, legal separation of PII, and independent deployment.
  • Lucia is explicitly noted as deprecated; some say its shutdown helped Better Auth gain adoption. OpenAuth’s status is debated (stalled vs “known dead”).
  • Some users dislike that Better Auth lacks a built-in dashboard and email system; needing to wire SMTP or a mail service and build admin UIs pushes them toward “all‑in‑one” services like Auth0/Clerk. Third-party UI projects and 2FA support are mentioned as partial remedies.
  • Critiques include tight coupling to Kysely and confusion about whether it’s “frontend” or “backend” focused; consensus is it’s a backend library.

How Hard Is Auth?

  • A large subthread debates whether auth is “easy” or “actually really hard”:
    • One side: auth is conceptually straightforward if you follow specs, don’t roll your own crypto, and use established hashing (bcrypt/argon2, proper nonces, expiry).
    • Other side: real-world evidence shows many teams fail even basic OAuth/OIDC and password storage; subtle mistakes quickly expose PII or tokens.
  • A distinction is made between:
    • Authentication vs authorization (authZ seen as harder).
    • Basic username/password vs OAuth/SSO and crypto.
  • Some argue outsourcing auth (Auth0, Cognito, etc.) is safer but can become expensive, inflexible, and a form of core dependency lock-in.
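The "use established hashing, proper nonces, expiry" position above, made concrete. This is an added example, not code from the article or from Better Auth: it uses the standard library's hashlib.scrypt as a stand-in for bcrypt/argon2 (which need third-party packages), and the cost parameters, the one-hour session TTL and the in-memory session store are assumptions chosen for illustration.

```python
"""Salted password hashing and expiring session tokens with stdlib Python.

Added example, not from the article or Better Auth. scrypt stands in for
bcrypt/argon2; the KDF parameters and session TTL below are assumed values.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Assumed KDF parameters: memory cost N, block size r, parallelism p, output size.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32
SESSION_TTL_SECONDS = 3600  # assumed one-hour session lifetime


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<key hex>'.

    A fresh random salt per user is the "proper nonce" from the debate: two
    users with the same password get different stored values, so a leaked
    table cannot be cracked once and reused across accounts.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time.

    Malformed records verify as False rather than raising, so a corrupted
    row cannot turn into a 500 that leaks which accounts exist.
    """
    try:
        scheme, salt_hex, _key_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


# Session store: token -> (user id, absolute expiry timestamp). Assumed to be
# in-memory here; a real app would keep this in its own database table.
SessionStore = Dict[str, Tuple[str, float]]


def issue_session(store: SessionStore, user_id: str, now: float) -> str:
    """Mint an unguessable token that expires SESSION_TTL_SECONDS from now."""
    token = secrets.token_urlsafe(32)
    store[token] = (user_id, now + SESSION_TTL_SECONDS)
    return token


def check_session(store: SessionStore, token: str, now: float) -> Optional[str]:
    """Return the user id for a live token, or None if unknown or expired.

    Expired tokens are deleted on sight so the store does not grow without
    bound and a stale token cannot be revived by a clock adjustment.
    """
    entry = store.get(token)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now >= expires_at:
        del store[token]
        return None
    return user_id


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    sessions: SessionStore = {}
    tok = issue_session(sessions, "user-42", now=0.0)
    print("fresh token valid:", check_session(sessions, tok, now=60.0))
    print("after TTL:", check_session(sessions, tok, now=SESSION_TTL_SECONDS + 1))
```

The two halves map onto the two failure classes the subthread describes: unsalted or home-grown hashing (the "roll your own crypto" case) and tokens that never expire or are checked with a non-constant-time comparison. Swapping scrypt for argon2id or bcrypt changes only the body of hash_password; the salt-per-user, constant-time verify and absolute-expiry shape stay the same.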

OSS, VC, and Sustainability

  • Multiple commenters wrestle with OSS + VC tension: funding brings audits, longevity signals, and enterprise comfort, but also pressure for 100x returns, potential lock-in, and misalignment with community interests.
  • Several lament that many users expect high-quality auth libraries yet rarely contribute financially, making VC one of the few viable paths; others prefer bootstrapping and direct sponsorships.

Self-Taught / Ethiopian Framing

  • Some are uneasy with “self-taught Ethiopian dev” in the headline, seeing it as clickbait or patronizing; others say it’s simply highlighting an underrepresented founder and the rarity of African VC-backed dev tools.
  • There is an extended, mixed discussion on self-taught vs CS-degree developers: many note that most practical skills are self-taught, while others emphasize the value of formal CS for deeper understanding, especially in security domains.

Developer Experiences & Gaps

  • Users report very fast integration (minutes), strong TypeScript experience, powerful plugins, and good ORM (Drizzle/Prisma) integration keeping schemas as the single source of truth.
  • Some see it as “open-source Clerk without vendor lock-in,” ideal for early-stage products that want to own their user table.
  • Skeptics prefer batteries-included SaaS for side projects where time-to-market and zero-ops matter more than owning auth.