For the complete documentation index, see llms.txt. Prefer markdown by appending .md to documentation URLs or sending Accept: text/markdown.

Auth & deep links

Register your app scheme in trustedOrigins, configure native OAuth carefully, and treat deep links as untrusted entry points.

Mobile auth uses the same Better Auth server as web, with Expo-specific clients and deep links for magic links and OAuth callbacks.

Trusted origins

Auth redirects and deep links must only succeed for your app scheme. Add it to Better Auth trustedOrigins on the server:

packages/auth/src/server.ts
export const auth = betterAuth({
  trustedOrigins: [
    "turbostarter://**",
    // ...
  ],
});

The scheme comes from apps/mobile/app.config.ts. If you change it, update trustedOrigins in the same change.

CSRF protection

Without a tight trusted-origin allowlist, auth flows are open to CSRF-style abuse and malicious open redirects. Only schemes you control should be listed.

Read more in mobile auth configuration and Better Auth security.

Sessions on device

  • Use the shared Better Auth Expo client - do not roll your own token storage format
  • Prefer the library’s secure defaults for persisting session data
  • Sign-out should clear local session state and invalidate server-side where the API supports it
  • Never log access tokens, refresh tokens, or full session cookies in analytics or crash reports

OAuth and native providers

Native Sign in with Apple and Google reduce phishing risk versus generic webviews, but they still depend on correct server config:

  1. Production redirect / callback URLs match the deployed API
  2. App scheme is in trustedOrigins
  3. Provider client IDs match the iOS/Android app ids you ship
  4. Bundle / package identifiers in the provider console match store builds

Deep links as entry points

Treat every deep link like an unauthenticated HTTP request:

  • Validate path and params before navigating to a sensitive screen
  • Do not grant access or apply a purchase solely because a link opened the app
  • After magic-link / OAuth return, confirm the session with the auth client / API before showing private UI

Hardening checklist

  • Keep email verification enabled for password sign-up (server config)
  • Offer stronger factors where it fits your product (OTP, 2FA on web account settings)
  • Use HTTPS for EXPO_PUBLIC_SITE_URL in production
  • Review trustedOrigins whenever you add a new scheme or universal link domain

How is this guide?

Last updated on

On this page

Ship your startup everywhere. In minutes.Try TurboStarter