For the complete documentation index, see llms.txt. Prefer markdown by appending .md to documentation URLs or sending Accept: text/markdown.

Overview

Security in TurboStarter is layered: keep secrets on the server, enforce auth in the API, isolate tenants by organization, and verify every external webhook.

TurboStarter is built so the secure path is the default path. Auth runs through Better Auth, the API is guarded with Hono middleware, secrets stay in server-only packages, and third-party callbacks are signature-verified before they mutate data.

This section is a security playbook - how the pieces fit together, what you must never break, and what to double-check before production.

Be mindful

Security is not a one-time setup. Revisit these practices whenever you add endpoints, providers, or client features that touch sensitive data.

Security model

Defense in TurboStarter is application-level and package-level by default:

LayerWhat it protectsWhere it lives
Package boundariesSecrets and DB clients never ship to the browser@workspace/*/server, @workspace/auth/client/*
Environment validationMissing or mis-scoped secrets fail earlyenvin presets per package
Session authOnly signed-in users reach protected UI and APIsBetter Auth + enforceAuth
AuthorizationRoles and org membership gate mutationsRBAC + enforceOrganizationPermission
Input validationUntrusted payloads are rejected before handlers runZod + validate middleware
External integrationsBilling and task webhooks cannot be forgedSignature verification

Unlike Supabase-first kits that lean on Row Level Security, TurboStarter treats every API route and Server Component as responsible for authorization. That matches the Hono + Drizzle stack: you filter by the verified session and organization, not by trusting IDs from the client alone.

Each of these topics is covered in more detail in the following guides:

How is this guide?

Last updated on

On this page

Ship your startup everywhere. In minutes.Try TurboStarter