AI Patterns

Helping AI assistants implement authentication safely

StarterApp is designed for AI-assisted development. This page shows the handful of context files, templates, and prompts that guide an assistant toward secure, production-ready authentication changes without flooding it with source code.

Layers of context

Always pair the official BetterAuth docs with the local guardrails in the llms/ folder. The combination keeps both humans and AI on the happy path.

Core references for assistants

  • BetterAuth official docs: https://www.better-auth.com/llms.txt
    Provides API signatures, provider options, and session behaviour.

  • Codebase quick reference: llms/AUTH_PATTERNS.md
    Summarises our token flow (getToken(createAuth) → fetchQuery), cache exports, identity helpers, and import rules (createAuth must come from convex/lib/auth).

  • Security guardrails: llms/SECURITY.md
    Lists mandatory CSRF checks, secure response helpers, rate limiting, and header expectations.

  • Working templates: llms/templates/…
    Copy-friendly starting points for protected API routes, Convex functions, and server components.

Encourage the assistant to read these files first when working on auth-related tasks.

Typical requests & the right resources

Task                          | Go-to reference
------------------------------|----------------------------------------------------------------------------------------
Add or tweak OAuth providers  | convex/lib/auth.ts, env docs, llms/AUTH_PATTERNS.md
Protect a new page or layout  | packages/app-shell/src/lib/auth/server.ts, llms/templates/auth-page-template.tsx
Build a protected API route   | llms/templates/auth-api-route-template.ts, llms/SECURITY.md
Secure a Convex function      | convex/lib/identity.ts, llms/templates/auth-convex-functions-template.ts
Explain how sessions work     | apps/docs/docs/auth/sessions.mdx, packages/app-shell/src/lib/auth/server.ts

Prompt guidance for best results

  1. Point to the right files
    “Read llms/AUTH_PATTERNS.md and convex/lib/auth.ts, then enable GitHub OAuth.”

  2. State security expectations
    “Ensure the new route uses auth.api.getSession, assertOrigin, assertFetchMetadata, and secureUserJson.”

  3. Ask for verification
    “List any cache exports or CSRF checks you added so I can confirm nothing was missed.”

  4. Highlight constraints
    “Do not create new helpers—use the existing templates in llms/templates/.”

Quick checklist for reviewers

  • Cache flags (revalidate = 0, dynamic = "force-dynamic", fetchCache = "force-no-store") present on protected pages and API routes.
  • Token flow uses getToken(createAuth) + fetchQuery (no direct HTTP calls to BetterAuth).
  • Identity helpers (getUserIdOrThrow, assertOwnerByUserId) guard Convex functions.
  • CSRF guards run on every write surface, and responses use the secure JSON helpers.
  • Environment-driven provider changes do not reintroduce secrets into the codebase.
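To make the checklist concrete, here is an added example (not StarterApp's own helpers or template) of what a reviewer should expect to see in a protected route: the three cache flags, hypothetical stand-ins for the assertOrigin and assertFetchMetadata CSRF guards, and a secureUserJson-style response helper. The helper names, the allowed origin https://app.example.com, and the header policy are assumptions; the real implementations live in llms/SECURITY.md and llms/templates/.

```typescript
// Added example (not StarterApp's own code): hypothetical versions of the
// guards the reviewer checklist names, applied to a Next.js-style route handler.
// Uses only the Fetch API (Request/Response/Headers) available in Node 18+.

// Cache flags the reviewer checklist expects on every protected page/route.
export const revalidate = 0;
export const dynamic = "force-dynamic";
export const fetchCache = "force-no-store";

// Origin check: a write must carry an Origin (or Referer) matching an allowed origin.
export function originViolation(req: Request, allowedOrigins: string[]): string | null {
  let origin = req.headers.get("origin");
  if (!origin) {
    const referer = req.headers.get("referer");
    try { origin = referer ? new URL(referer).origin : null; } catch { origin = null; }
  }
  if (!origin) return "missing Origin and Referer";
  return allowedOrigins.includes(origin) ? null : `origin ${origin} not allowed`;
}

// Fetch Metadata check: modern browsers send Sec-Fetch-Site; cross-site writes are rejected.
// A missing header (non-browser client, old browser) falls through to the Origin check above.
export function fetchMetadataViolation(req: Request): string | null {
  const site = req.headers.get("sec-fetch-site");
  if (site === null || site === "same-origin" || site === "same-site" || site === "none") return null;
  return `sec-fetch-site=${site} rejected`;
}

// Combined guard for write surfaces: both checks must pass; returns the first violation.
export function csrfViolation(req: Request, allowedOrigins: string[]): string | null {
  return originViolation(req, allowedOrigins) ?? fetchMetadataViolation(req);
}

// Hypothetical secureUserJson: JSON body with headers that keep user data out of caches.
export function secureUserJson(body: unknown, status = 200): Response {
  return new Response(JSON.stringify(body), {
    status,
    headers: {
      "content-type": "application/json; charset=utf-8",
      "cache-control": "no-store",
      "x-content-type-options": "nosniff",
    },
  });
}

// Route handler shape: guards run first, before any session lookup or Convex call.
export async function POST(req: Request): Promise<Response> {
  const violation = csrfViolation(req, ["https://app.example.com"]);
  if (violation) return secureUserJson({ error: "forbidden" }, 403);
  // auth.api.getSession(...) and getToken(createAuth) → fetchQuery would follow here.
  return secureUserJson({ ok: true });
}
```

A reviewer can diff a new route against this shape: missing cache flags, a guard that runs only on some methods, or a plain Response.json() without no-store are the usual findings.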

Do not skip the guardrails

If an assistant proposes bypassing the shared helpers or templates, push back. The guardrails exist because we already hit the edge cases.