In this article
July 9, 2026
July 9, 2026

Should I migrate from Better Auth after the Vercel acquisition?

Vercel acquired Better Auth. If you run its SSO, SCIM, or enterprise plugins in production, here's the friction to weigh and how to decide whether to move.

Explore with AI
Open in ChatGPT
Open in Claude
Open in Perplexity

Vercel is acquiring Better Auth, the company behind the open source TypeScript auth library. If you build on it, nothing broke this morning. The library is still free, still MIT-licensed, still maintained by the same team. So the honest answer to "should I migrate?" is: not because you're forced to. You should migrate only if the acquisition surfaces a risk you were already carrying and hadn't priced in.

For a hobby project or an internal tool, that risk is close to zero. For a B2B product with enterprise deals in the pipeline, where auth is the thing a security reviewer pokes at hardest, the calculus is different. This post walks the specific problems a serious B2B team should weigh, and where the line sits between "stay put" and "move."

What the acquisition actually changes

Start with the facts, because the emotional version of this story ("your auth got acquired!") is misleading. On July 7, 2026, Better Auth founder Bereket Engida announced that he and the core team are joining Vercel. Vercel framed the deal as extending its open SDK strategy — software that's open by default, loosely coupled, and portable to any platform — to authentication. The library keeps its name, its MIT license, its open contribution model, and its framework support.

What changes is governance and direction. The people who set the roadmap now work for a platform company, and platform companies optimize their open source for their platform. That's not a betrayal, it's gravity. The question for you is whether your priorities and Vercel's stay pointed the same way over the next two years.

The roadmap is now aimed at agents, not your enterprise checklist

The clearest public signal of where Better Auth is headed is agent identity. The team has been building Agent Auth so that each agent carries its own scoped, revocable identity, with the user as the single point of control. That work continues at Vercel and feeds into Vercel Connect and eve.

Agent auth is a genuinely important problem. It is also probably not the problem on your Q3 roadmap. If you're a B2B SaaS team, your next auth work is more likely a SAML connection for a customer who runs Okta, a SCIM integration so that customer's IT admin can deprovision users automatically, or an audit log export for a security questionnaire. When the framework's near-term energy goes toward agent identity and Vercel's platform surface, the enterprise long tail you depend on drops down the priority list for the people maintaining it. You don't control that ranking, and now it's set inside another company's product org.

A branching roadmap diagram: the main path curves toward a cluster of autonomous agent nodes while a thinner side branch leads to enterprise building blocks, illustrating diverging priorities

"Auth you own" means you own the on-call

Better Auth's core pitch has always been that auth lives inside your app and gives you code you own. That's a real asset when you want full control. It's also a real cost, and the cost doesn't show up in a demo. It shows up at 2 a.m.

Better Auth gives you SSO, SAML 2.0, SCIM, organizations, and MFA as plugins you configure and operate across 20+ frameworks. "Configure and operate" is the load-bearing phrase. You own the database those plugins write to, the session logic, the schema migrations when a plugin updates, and the pager when a directory sync silently stops. None of that is hard on day one. All of it compounds as you add customers, each of whom brings a slightly different identity provider with slightly different quirks.

The acquisition doesn't add this burden. It was always there. But it's a good moment to ask whether running identity infrastructure is a thing your team wants to be good at, or a thing you'd rather hand off.

The plugin list looks like parity on paper, not in production

Line up Better Auth's enterprise plugins against a managed platform and the feature lists look similar. The gap is in what you can't see from a README.

There's little public evidence of who runs Better Auth's SSO, SCIM, and organizations plugins at scale, how those deployments handle the long tail of identity-provider quirks, or how they've fared in enterprise security reviews. That's not a knock on the code. It's a statement about operating history. The often-cited 4.7M+ weekly npm downloads measure the framework's overall installs across every kind of app — a strong signal for its core auth, and a much quieter one for how many teams run its B2B and enterprise features in production.

A plugin you install is not the same as infrastructure someone else runs in production for enterprise customers. The WorkOS versions of SSO, SCIM, and organizations process millions of authentications for companies including OpenAI, Cursor, Indeed, and Loom, which means the SAML edge cases, directory sync failures, and provider-specific bugs have already been hit and fixed by someone other than you.

Better Auth Infrastructure is a brand-new hosted bet

If self-hosting is the problem, the obvious response is "use their hosted product." Better Auth launched a hosted platform, Better Auth Infrastructure, on January 1. A hosted play is the right instinct. But a hosted product that launched this year, now inside a company that just acquired the team, is a young dependency to bet enterprise revenue on.

Look at the trajectory. Better Auth shipped its first release on September 28, 2024, went through Y Combinator and raised capital led by Peak XV along with more than 50 funds and angels, took over Auth.js / NextAuth.js, and launched the hosted platform months later. That's a lot of momentum in under two years, and a lot of change for something sitting on your critical path. Maturity in identity is measured in edge cases survived, not features shipped.

The security review is where it gets expensive

Enterprise deals don't die on the pricing page. They die in the security questionnaire. When a prospect's security team asks who operates your auth, how sessions are handled, how audit logs are retained, and how deprovisioning is guaranteed, "we run an open source plugin ourselves" is an answer you then have to defend with your own evidence.

With WorkOS, AuthKit handles authentication, and SSO, SCIM directory sync, RBAC, MFA, audit logs, and feature flags run as a managed platform that WorkOS operates. You wire it in once and the operational answers, including the SAML edge cases, directory sync quirks, and audit log retention, belong to the vendor whose job is to have them. That's the difference between owning a checkbox and owning a subsystem.

When you should stay on Better Auth

Migration isn't the default. Stay if:

  • Auth in your codebase, under your control, is a feature you value more than the operational cost.
  • You're early enough that enterprise SSO, SCIM, and audit demands are hypothetical rather than in your pipeline.
  • Your team genuinely wants to operate identity infrastructure and treats it as a core competency.
  • Agent identity is on your roadmap and Better Auth's direction is a tailwind, not a divergence.

The acquisition doesn't force anyone off the library, and pretending otherwise would be dishonest.

How to migrate if you decide to move

If the friction above describes your situation, the path off Better Auth is documented. WorkOS publishes a dedicated guide for migrating users and organizations from Better Auth. The move is short:

  1. Export your users and organizations from your Better Auth database.
  2. Import them into WorkOS using the Better Auth migration guide.
  3. Wire in AuthKit to handle sign-in, sessions, and the hosted UI.
  4. Turn on enterprise features — SSO, SCIM, and RBAC — from the dashboard as customers ask for them.

If your stack is mixed, WorkOS also has migration guides for Auth0, AWS Cognito, Clerk, Descope, Firebase, Stytch, and Supabase Auth, so you can consolidate more than one system in the same move.

The bottom line

The Vercel acquisition is a prompt, not a deadline. Better Auth stays open source and maintained, and for plenty of teams that's enough. But an acquisition is exactly the right moment to re-examine a dependency you've been carrying without pricing it, and to decide deliberately whether owning auth or buying it fits where your product is headed.

If you're moving upmarket, filling out security questionnaires, and would rather ship features than operate identity infrastructure, the answer to "should I migrate?" is probably yes. OpenAI, Cursor, Perplexity, Webflow, PlanetScale, Indeed, and Vercel itself buy identity from WorkOS. If you're ready to make the same call, migrating from Better Auth is a documented path, not a leap.