TanStack Start
Integrate Better Auth UI with TanStack Start
Prerequisites
Make sure you've completed the Quick Start guide first.
Integration
Configure AuthProvider
Configure AuthProvider with TanStack Router's navigation.
import { Link, useNavigate, useParams } from "@tanstack/react-router"
import { ThemeProvider, useTheme } from "next-themes"
import type { ReactNode } from "react"
import { apiKeyPlugin } from "@/lib/auth/api-key-plugin"
import { deleteUserPlugin } from "@/lib/auth/delete-user-plugin"
import { magicLinkPlugin } from "@/lib/auth/magic-link-plugin"
import { multiSessionPlugin } from "@/lib/auth/multi-session-plugin"
import { organizationPlugin } from "@/lib/auth/organization-plugin"
import { passkeyPlugin } from "@/lib/auth/passkey-plugin"
import { themePlugin } from "@/lib/auth/theme-plugin"
import { usernamePlugin } from "@/lib/auth/username-plugin"
import { authClient } from "@/lib/auth-client"
import { AuthProvider } from "./auth/auth-provider"
import { Toaster } from "./ui/sonner"
export function Providers({ children }: { children: ReactNode }) {
const navigate = useNavigate()
const { slug } = useParams({ strict: false })
return (
<ThemeProvider
attribute="class"
defaultTheme="system"
enableSystem
disableTransitionOnChange
>
<AuthProvider
authClient={authClient}
redirectTo="/settings/account"
socialProviders={["github"]}
emailAndPassword={{ requireEmailVerification: false }}
navigate={navigate}
plugins={[
usernamePlugin({
usernamePrefix: "@",
localization: { usernamePlaceholder: "username" }
}),
magicLinkPlugin(),
passkeyPlugin(),
apiKeyPlugin({ organization: true }),
themePlugin({ useTheme }),
multiSessionPlugin(),
deleteUserPlugin(),
organizationPlugin({
slugPrefix: "@",
slug: slug ?? null
})
]}
Link={({ href, ...props }) => <Link to={href} {...props} />}
>
{children}
<Toaster />
</AuthProvider>
</ThemeProvider>
)
}The navigate and Link props integrate with TanStack Router's navigation system. You can pass the navigate function directly since it accepts { to, replace } options.
Link requires a small wrapper. Better Auth UI passes its destination as an href prop (the Next.js convention), but TanStack Router's Link navigates via to. Map one to the other:
Link={({ href, ...props }) => <Link to={href} {...props} />}If you pass TanStack Router's Link directly (Link={Link}), it never receives a to, so it resolves the rendered anchor against the current route — links show the wrong URL on hover even though clicking still navigates correctly.
Update the Root Route
Wrap your application with the Providers component in your root route.
import { TanStackDevtools } from "@tanstack/react-devtools"
import type { QueryClient } from "@tanstack/react-query"
import {
createRootRouteWithContext,
HeadContent,
Scripts
} from "@tanstack/react-router"
import { TanStackRouterDevtoolsPanel } from "@tanstack/react-router-devtools"
import type { ReactNode } from "react"
import { Header } from "@/components/header"
import { Providers } from "@/components/providers"
import appCss from "@/styles/app.css?url"
export const Route = createRootRouteWithContext<{
queryClient: QueryClient
}>()({
head: () => ({
meta: [
{
charSet: "utf-8"
},
{
name: "viewport",
content: "width=device-width, initial-scale=1"
},
{
title: "Start shadcn/ui Example"
}
],
links: [
{
rel: "stylesheet",
href: appCss
}
]
}),
shellComponent: RootDocument
})
function RootDocument({ children }: { children: ReactNode }) {
return (
<html lang="en" suppressHydrationWarning>
<head>
<HeadContent />
</head>
<body className="antialiased min-h-svh flex flex-col">
<Providers>
<Header />
{children}
</Providers>
<TanStackDevtools
config={{
position: "bottom-right"
}}
plugins={[
{
name: "TanStack Router",
render: <TanStackRouterDevtoolsPanel />
}
]}
/>
<Scripts />
</body>
</html>
)
}Create the Auth Page
Install the auth components and create a dynamic auth page that renders the appropriate authentication view based on the path.
npx shadcn@latest add https://better-auth-ui.com/r/auth.jsonimport { viewPaths } from "@better-auth-ui/core"
import { createFileRoute, redirect } from "@tanstack/react-router"
import { Auth } from "@/components/auth/auth"
import { magicLinkPlugin } from "@/lib/auth/magic-link-plugin"
const validAuthPathSegments = new Set([
...Object.values(viewPaths.auth),
magicLinkPlugin().viewPaths.auth.magicLink
])
export const Route = createFileRoute("/auth/$path")({
beforeLoad({ params: { path } }) {
if (!validAuthPathSegments.has(path)) {
throw redirect({ to: "/" })
}
},
component: AuthPage
})
function AuthPage() {
const { path } = Route.useParams()
return (
<div className="flex justify-center my-auto p-4 md:p-6">
<Auth path={path} />
</div>
)
}The viewPaths.auth object contains the built-in auth paths: sign-in, sign-up, sign-out, forgot-password, and reset-password.
Create the Settings page
If you installed the settings component, create a dynamic settings route that renders the Settings component for the URL segment. Validate the segment against viewPaths.settings so unknown paths return a 404.
npx shadcn@latest add https://better-auth-ui.com/r/settings.jsonimport { viewPaths } from "@better-auth-ui/core"
import { ensureSession as ensureSessionClient } from "@better-auth-ui/react"
import { ensureSession as ensureSessionServer } from "@better-auth-ui/react/server"
import { createFileRoute, notFound, redirect } from "@tanstack/react-router"
import { createIsomorphicFn } from "@tanstack/react-start"
import { getRequestHeaders } from "@tanstack/react-start/server"
import { Settings } from "@/components/auth/settings/settings"
import { auth } from "@/lib/auth"
import { organizationPlugin } from "@/lib/auth/organization-plugin"
import { authClient } from "@/lib/auth-client"
const validSettingsPaths = [
...Object.values(viewPaths.settings),
...Object.values(organizationPlugin().viewPaths.settings)
]
export const Route = createFileRoute("/settings/$path")({
async beforeLoad({ params: { path }, context: { queryClient }, location }) {
if (!validSettingsPaths.includes(path)) {
throw notFound()
}
const ensureSession = createIsomorphicFn()
.server(() =>
ensureSessionServer(queryClient, auth, { headers: getRequestHeaders() })
)
.client(() => ensureSessionClient(queryClient, authClient))
const session = await ensureSession()
if (!session) {
throw redirect({
to: "/auth/$path",
params: { path: "sign-in" },
search: { redirectTo: location.href }
})
}
return { session }
},
component: SettingsPage
})
function SettingsPage() {
const { path } = Route.useParams()
return (
<div className="w-full max-w-3xl mx-auto p-4 md:p-6">
<Settings path={path} />
</div>
)
}The viewPaths.settings object contains valid settings path segments: account and security.
Protecting Routes
Better Auth UI supports two route protection patterns depending on whether your route is server-rendered or prerendered.
Server-rendered routes (beforeLoad)
For SSR routes, check the session in beforeLoad so unauthenticated users are redirected before any component renders — no flash of unauthenticated UI. Use createIsomorphicFn to run ensureSessionServer on the server (direct auth.api call, no HTTP hop) and ensureSessionClient on the client (goes through authClient). Both share the same TanStack Query cache under authQueryKeys.session, so the session is hydrated from SSR and reused by any child useSession call.
import { ensureSession as ensureSessionClient } from "@better-auth-ui/react"
import { ensureSession as ensureSessionServer } from "@better-auth-ui/react/server"
import { createFileRoute, Link, redirect } from "@tanstack/react-router"
import { createIsomorphicFn } from "@tanstack/react-start"
import { getRequestHeaders } from "@tanstack/react-start/server"
import { auth } from "@/lib/auth"
import { authClient } from "@/lib/auth-client"
export const Route = createFileRoute("/dashboard")({
async beforeLoad({ context: { queryClient }, location }) {
const ensureSession = createIsomorphicFn()
.server(() =>
ensureSessionServer(queryClient, auth, { headers: getRequestHeaders() })
)
.client(() => ensureSessionClient(queryClient, authClient))
const session = await ensureSession()
if (!session) {
throw redirect({
to: "/auth/$path",
params: { path: "sign-in" },
search: { redirectTo: location.href }
})
}
return { session }
},
component: Dashboard
})
function Dashboard() {
const { session } = Route.useRouteContext()
return (
<div className="flex flex-col items-center my-auto">
<h1 className="text-2xl">Hello, {session.user.email}</h1>
<Link to="/auth/$path" params={{ path: "sign-out" }}>
Sign Out
</Link>
</div>
)
}The returned { session } is available to child routes and components via Route.useRouteContext(). Because ensureSessionServer populates the query cache during SSR, downstream useSession calls render synchronously without a loading state.
Reactive protection & prerendered routes (useAuthenticate)
beforeLoad only runs when the route loads — it can't react to session changes that happen while the page is mounted (token expiry, sign-out in another tab via multiSessionPlugin, a revoked session from the server, etc.). And for statically prerendered or purely client-rendered routes there's no server to call in the first place. The useAuthenticate hook covers both: it subscribes to useSession and redirects unauthenticated users to the sign-in page the moment the session goes away, preserving the current URL as a redirectTo query param.
Use it in two situations:
- Alongside
beforeLoadfor server-rendered routes, as a second layer that keeps the UI in sync after the initial load. - On its own for statically prerendered or purely client-rendered routes (SSG output, SPA routes, marketing pages), where server-side session access isn't available.
import { useAuth, useAuthenticate } from "@better-auth-ui/react"
import { createFileRoute, Link } from "@tanstack/react-router"
import { Spinner } from "@/components/ui/spinner"
export const Route = createFileRoute("/dashboard")({
component: Dashboard
})
function Dashboard() {
const { authClient } = useAuth()
const { data: session } = useAuthenticate(authClient)
if (!session) {
return (
<div className="flex justify-center my-auto">
<Spinner color="current" />
</div>
)
}
return (
<div className="flex flex-col items-center my-auto">
<h1 className="text-2xl">Hello, {session.user.email}</h1>
<Link to="/auth/$path" params={{ path: "sign-out" }}>
Sign Out
</Link>
</div>
)
}In combination, beforeLoad handles the initial render (including SSR hydration with no auth flash) and useAuthenticate handles everything after — giving you both first-paint protection and live reactivity to session changes.
Example Project
For a complete working example, see start-shadcn-example in the repository.
Next Steps
Explore the shared React hooks and query primitives powering every Better Auth UI component.
Last updated on