betterauth/laravel
==================

Modern authentication for Laravel with Paseto V4 tokens, OAuth, 2FA, and Magic Links

v0.0.9 (2mo ago) • MIT • PHP ^8.2 • CI passing

[Source](https://github.com/MakFly/betterauth-laravel) • [Packagist](https://packagist.org/packages/betterauth/laravel)

BetterAuth for Laravel
======================

**Modern authentication for Laravel with Paseto V4 tokens, 2FA, and Magic Links**

[Installation](#installation) • [Quick Start](#quick-start) • [Features](#features) • [API Reference](#api-reference)

---

Why BetterAuth?
---------------

| JWT | BetterAuth (Paseto V4) |
|---|---|
| Signed only | **Encrypted + Authenticated** |
| Algorithm confusion attacks | Single secure algorithm |
| Complex key management | Simple symmetric keys |
| Base64 encoded payload | Encrypted payload |

BetterAuth uses **Paseto V4** (Platform-Agnostic Security Tokens) - a modern, secure alternative to JWT that eliminates entire classes of vulnerabilities by design.

---

Installation
------------

```
composer require betterauth/laravel
```

```
php artisan betterauth:install
```

That's it. The installer configures everything automatically.

---

Quick Start
-----------

```
use BetterAuth\Laravel\Facades\BetterAuth;

// Register
$result = BetterAuth::signUp([
    'email' => 'user@example.com',
    'password' => 'securepassword',
]);

// Login
$result = BetterAuth::signIn('user@example.com', 'password');
// → access_token, refresh_token, user

// Verify token
$payload = BetterAuth::verify($accessToken);

// Protected routes
Route::middleware('auth:betterauth')->get('/me', fn() => auth()->user());
```

---

Features
--------

### Core Authentication

- **Paseto V4 Tokens** - Encrypted, not just signed
- **Argon2id Passwords** - Memory-hard hashing (PHC winner)
- **Refresh Token Rotation** - One-time use with automatic rotation
- **UUID v7 IDs** - Time-ordered, database-friendly

### Advanced Features

- **Two-Factor Auth (TOTP)** - With recovery codes
- **Magic Links** - Passwordless email authentication
- **OAuth Providers** - Google, GitHub, Facebook, and more
- **Passkeys/WebAuthn** - Biometric authentication *(coming soon)*

### Laravel Native

- Works with `Auth::guard('betterauth')`
- Eloquent models and migrations
- Artisan commands
- Event dispatching

---

Requirements
------------

| Requirement | Version |
|---|---|
| PHP | 8.2+ |
| Laravel | 10, 11, 12 |
| Database | PostgreSQL, MySQL, SQLite |

---

Configuration
-------------

After installation, configure via environment variables:

```
BETTERAUTH_SECRET=your-64-character-secret-key
BETTERAUTH_MODE=api
BETTERAUTH_ACCESS_LIFETIME=3600
BETTERAUTH_REFRESH_LIFETIME=2592000
```

Or edit `config/betterauth.php`:

```
return [
    'mode' => 'api',                    // 'api', 'session', 'hybrid'
    'secret' => env('BETTERAUTH_SECRET'),
    'tokens' => [
        'access_lifetime' => 3600,      // 1 hour
        'refresh_lifetime' => 2592000,  // 30 days
    ],
    'user_model' => App\Models\User::class,
    'id_strategy' => 'uuid',            // 'uuid' or 'int'
];
```

Generate a new secret key:

```
php artisan betterauth:secret
```

---

API Reference
-------------

### Authentication Endpoints

| Method | Endpoint | Description |
|---|---|---|
| `POST` | `/auth/register` | Create new account |
| `POST` | `/auth/login` | Authenticate user |
| `GET` | `/auth/me` | Get current user |
| `POST` | `/auth/refresh` | Refresh access token |
| `POST` | `/auth/logout` | Revoke refresh token |
| `POST` | `/auth/revoke-all` | Revoke all tokens |
| `PUT` | `/auth/password` | Update password |

### Two-Factor Authentication

| Method | Endpoint | Description |
|---|---|---|
| `GET` | `/auth/2fa/status` | Check 2FA status |
| `POST` | `/auth/2fa/setup` | Get QR code |
| `POST` | `/auth/2fa/enable` | Enable 2FA |
| `POST` | `/auth/2fa/verify` | Verify TOTP code |
| `POST` | `/auth/2fa/recovery` | Use recovery code |
| `DELETE` | `/auth/2fa` | Disable 2FA |

### Magic Links

| Method | Endpoint | Description |
|---|---|---|
| `POST` | `/auth/magic-link` | Send magic link |
| `GET` | `/auth/magic-link/verify` | Verify and login |

---

User Model
----------

Add the `HasBetterAuth` trait to your User model:

```
use BetterAuth\Laravel\Models\Traits\HasBetterAuth;
use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    use HasBetterAuth;

    protected $fillable = ['email', 'password', 'name'];
}
```

The trait provides:

```
$user->getRoles();              // ['ROLE_USER', 'ROLE_ADMIN']
$user->hasRole('ROLE_ADMIN');   // true/false
$user->addRole('ROLE_ADMIN');
$user->removeRole('ROLE_ADMIN');
$user->createTokens();          // Generate new token pair
$user->revokeAllTokens();       // Revoke all refresh tokens
```

---

Two-Factor Authentication
-------------------------

Enable in configuration:

```
// config/betterauth.php
'two_factor' => [
    'enabled' => true,
    'issuer' => 'My App',
],
```

Using the service:

```
use BetterAuth\Laravel\Services\TwoFactorService;

$twoFactor = app(TwoFactorService::class);

// Setup
$setup = $twoFactor->generateSecret($user);
// → secret, qr_code_url, uri

// Enable
$result = $twoFactor->verifyAndEnable($user, '123456');
// → enabled, recovery_codes

// Verify
$valid = $twoFactor->verify($user, '123456');
```

---

Magic Links
-----------

Enable in configuration:

```
// config/betterauth.php
'magic_link' => [
    'enabled' => true,
    'expire' => 15, // minutes
],
```

Using the service:

```
use BetterAuth\Laravel\Services\MagicLinkService;

$magicLink = app(MagicLinkService::class);
$magicLink->send('user@example.com');
```

---

Events
------

| Event | Trigger |
|---|---|
| `UserRegistered` | New user signs up |
| `UserLoggedIn` | Successful authentication |
| `UserLoggedOut` | User signs out |
| `TokenRefreshed` | Refresh token used |
| `PasswordChanged` | Password updated |
| `TwoFactorEnabled` | 2FA activated |
| `TwoFactorDisabled` | 2FA deactivated |
| `MagicLinkSent` | Magic link email sent |

```
// EventServiceProvider.php
protected $listen = [
    \BetterAuth\Laravel\Events\UserRegistered::class => [
        \App\Listeners\SendWelcomeEmail::class,
    ],
];
```

---

Middleware
----------

```
// Require authentication
Route::middleware('auth:betterauth')->group(function () {
    // Protected routes
});

// Require email verification
Route::middleware(['auth:betterauth', EnsureEmailIsVerified::class])->group(...);

// Require 2FA enabled
Route::middleware(['auth:betterauth', RequiresTwoFactor::class])->group(...);
```

---

Security
--------

### Token Security (Paseto V4)

- **XChaCha20-Poly1305** encryption
- Tokens are **encrypted**, not just signed
- No algorithm confusion attacks
- No key type confusion
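
The properties listed above, shown with the XChaCha20-Poly1305 AEAD from PHP's sodium extension. This is an added example, not BetterAuth's code and not the PASETO V4 wire format; the `demo.local.` header and both function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added illustration of the AEAD primitive named above, using ext-sodium.
// NOT the PASETO V4 wire format; "demo.local." and the functions are hypothetical.
const DEMO_HEADER = 'demo.local.';
const NONCE_LEN = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
const B64 = SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING;

function sealClaims(array $claims, string $key): string
{
    $nonce = random_bytes(NONCE_LEN); // fresh 24-byte nonce per token
    $json = json_encode($claims, JSON_THROW_ON_ERROR);
    // The header is passed as associated data, so it is authenticated too.
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($json, DEMO_HEADER, $nonce, $key);
    return DEMO_HEADER . sodium_bin2base64($nonce . $ct, B64);
}

function openClaims(string $token, string $key): ?array
{
    // One fixed format: nothing inside the token selects the algorithm.
    if (!str_starts_with($token, DEMO_HEADER)) {
        return null;
    }
    try {
        $raw = sodium_base642bin(substr($token, strlen(DEMO_HEADER)), B64);
    } catch (SodiumException) {
        return null;
    }
    if (strlen($raw) < NONCE_LEN + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        return null;
    }
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, NONCE_LEN), DEMO_HEADER, substr($raw, 0, NONCE_LEN), $key
    );
    $claims = $plain === false ? null : json_decode($plain, true);
    // Reject a failed tag check, malformed JSON, and expired tokens alike.
    return is_array($claims) && ($claims['exp'] ?? 0) >= time() ? $claims : null;
}

// Constructed sample input.
$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
$token = sealClaims(['sub' => 'user-1', 'exp' => time() + 3600], $key);
$tampered = $token;
$i = strlen(DEMO_HEADER) + 40; // an offset inside the ciphertext
$tampered[$i] = $tampered[$i] === 'A' ? 'B' : 'A';
var_dump(str_contains($token, 'user-1')); // are the claims readable in the token?
var_dump(openClaims($token, $key));       // opened by the key holder
var_dump(openClaims($tampered, $key));    // one modified ciphertext character
```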

### Password Security (Argon2id)

- Winner of Password Hashing Competition
- Memory-hard to prevent GPU attacks
- Configurable memory/time/threads

### Refresh Token Security

- **Hashed** before storage (SHA-256)
- **One-time use** - revoked after refresh
- **Automatic rotation** - new token on each refresh
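
One way to implement the three properties above, as an added example rather than the package's own code. `RefreshTokenStore`, its methods and the in-memory array are hypothetical, and revoking all of a user's tokens when a spent token is replayed is this example's assumption.

```php
<?php
// Added illustration, not BetterAuth's implementation. The class, its methods
// and the in-memory array are hypothetical stand-ins for a token table.
final class RefreshTokenStore
{
    /** @var array<string, array{user: string, expires: int, revoked: bool}> keyed by SHA-256 hex digest */
    private array $rows = [];

    public function __construct(private int $lifetime = 2592000) {}

    public function issue(string $userId): string
    {
        $token = bin2hex(random_bytes(32)); // 256-bit random value handed to the client
        // Only the digest is stored, so a leaked table does not yield usable tokens.
        $this->rows[hash('sha256', $token)] = ['user' => $userId, 'expires' => time() + $this->lifetime, 'revoked' => false];
        return $token;
    }

    /** Returns a fresh token, or null if the presented one is unknown, expired or spent. */
    public function rotate(string $presented): ?string
    {
        $hash = hash('sha256', $presented);
        $row = $this->rows[$hash] ?? null;
        if ($row === null || $row['expires'] < time()) {
            return null;
        }
        if ($row['revoked']) {
            // Assumption of this example: replay of a spent token is treated as
            // a sign of theft and revokes every token of that user.
            $this->revokeAll($row['user']);
            return null;
        }
        $this->rows[$hash]['revoked'] = true; // one-time use
        return $this->issue($row['user']);    // rotation: new token on each refresh
    }

    public function revokeAll(string $userId): void
    {
        foreach ($this->rows as $hash => $row) {
            $this->rows[$hash]['revoked'] = $row['revoked'] || $row['user'] === $userId;
        }
    }
}

// Constructed walk-through: refresh once, replay the spent token, then try its successor.
$store = new RefreshTokenStore();
$first = $store->issue('user-1');
$second = $store->rotate($first);
var_dump(is_string($second), $store->rotate($first), $store->rotate($second));
```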

---

Testing
-------

```
# Run tests
composer test

# With coverage
composer test-coverage

# Static analysis
composer phpstan
```

---

License
-------

MIT License. See [LICENSE](LICENSE) for details.

### Health Score

36 (Low). Better than 82% of packages.

- Maintenance: 86. Actively maintained with recent releases
- Popularity: 2. Limited adoption so far
- Community: 7. Small or concentrated contributor base
- Maturity: 43. Maturing project, gaining track record
- Bus Factor: 1. Top contributor holds 100% of commits (single point of failure)

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~8 days (recently: every ~1 days)
- Total: 9
- Last Release: 71d ago

### Community

- Maintainers: [MakFly](/maintainers/MakFly)
- Top Contributors: [MakFly](https://github.com/MakFly) (24 commits)
- Tags: laravel, Authentication, 2fa, oauth, magic-link, paseto

### Code Quality

- Tests: Pest
- Static Analysis: PHPStan
- Code Style: Laravel Pint
- Type Coverage: Yes
