auth-starter) is how a Ship project gets authentication. It’s the bridge between your web app and the API: selecting it adds the better-auth backend, the sign-in / sign-up / password-reset pages, the authenticated app shell, and the typed oRPC client the rest of your UI builds on. Skip it and your project ships a clean landing page with nothing to sign into.
Requires PostgreSQL (and pulls in Mailer for verification/reset emails and Cloud Storage for avatar uploads).
What it adds
API- better-auth configured for email/password (with verification + reset) and Google OAuth.
users/accounts/sessions/verificationsschemas and the auth route handler.
apps/web)
- routes:
sign-in,sign-up,forgot-password,reset-password, the_authenticatedguard and settings. - the oRPC client (
services/api-client.service.ts) and theuseApiQuery/useApiMutation/useApiForm/useCurrentUserhooks.
Why auth is a plugin
In 3.0.0 the baseapps/web is just a landing page with no dependency on the API. Auth — and the oRPC client that talks to the API — lives in this plugin so that:
- web-only projects stay clean (no auth, no API client, no backend coupling),
- full-stack projects opt in, and
- any plugin with authenticated routes (Admin, AI Chat) builds on the
_authenticatedshell and hooks it provides.
Using it
The_authenticated guard redirects signed-out users to /sign-in; inside it, useCurrentUser() reads the session and the typed apiClient calls the API. See Calling the API for the client and hooks.
