Most better-auth examples stop at sign-in. Orbit ships a full SaaS on top of it: magic links, OAuth, email + password with verification, admin impersonation, multi-tenant workspaces, invites, PBAC, and a settings UI — all wired up and typed end-to-end.
Magic link sign-in via Resend (or stdout in dev), Google + Apple OAuth, and email + password with a verification step that closes the pre-account-takeover window.
Wired into a real product
Auth isn't an isolated demo. Sessions are workspace-aware, invites flow through email, and the settings UI handles email change, password reset, and account deletion with verification at every step.
Admin plugin, ready to use
User search, ban / unban, and impersonation routes are mounted with permission gates. App-scoped audit log captures every admin action.
Permission-based access control
Two-scope PBAC: WorkspaceRole and TeamRole. System roles plus custom roles. Server middleware enforces; useCan() / useCanTeam() hooks gate the UI.
Prisma or Drizzle, your call
The better-auth adapter swaps with the ORM choice (@better-auth/prisma-adapter or @better-auth/drizzle-adapter). Same domain layer either way.
Rate limiting that ships
Auth and waitlist endpoints are guarded by layered per-IP and per-email limits via a RateLimiter port (memory / Upstash / Unkey). One address can't be ground down by a botnet.
No. It's a complete multi-tenant SaaS that uses better-auth for the identity layer. You get sign-in, but also workspaces, teams, invites, settings UI, audit log, and a permissions model — out of the box.
Which auth methods are supported?
Magic links (Resend or console mailer), Google OAuth, Apple OAuth, and email + password with a verification step. Sign-up is blocked until the email is verified, which closes the pre-account-takeover window.
Can I add OIDC or SAML?
better-auth supports additional OAuth / OIDC providers via plugins. The Orbit identity context is small and intentionally easy to extend — add a provider in one place, and the rest of the app picks it up.
Does it work with Drizzle as well as Prisma?
Yes. Prisma is the default; --orm-provider=drizzle swaps in the Drizzle adapter for better-auth and the rest of the data layer. Domain code is ORM-agnostic.
Is impersonation included?
Yes — better-auth's admin plugin is mounted with permission gates and every action is captured in a global app-scope audit log. Useful for support work without needing a separate tool.