Better Auth can connect to any OAuth2/OIDC provider via genericOAuth and a discoveryUrl pointed at Ave’s metadata:

https://aveid.net/.well-known/openid-configuration

Configure your registered Ave clientId (and clientSecret if you use a confidential client). Use the same scopes you would in a manual integration: at least openid, and offline_access if you need refresh tokens.
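As an added example (not code from Ave or Better Auth), the sketch below builds the provider entry described above and checks a fetched discovery document against it before the client trusts it. The providerId "ave", the helper names and the sample metadata are assumptions; only the discovery URL and the scope names come from this page.

```typescript
// Added example. Pass the entry to genericOAuth({ config: [entry] }) from "better-auth/plugins".
const AVE_DISCOVERY_URL = "https://aveid.net/.well-known/openid-configuration";
const WELL_KNOWN = "/.well-known/openid-configuration";

interface DiscoveryDoc {
  issuer?: string; authorization_endpoint?: string; token_endpoint?: string;
  jwks_uri?: string; scopes_supported?: string[];
}

// One genericOAuth provider entry; providerId "ave" is an assumed label.
function aveProvider(clientId: string, clientSecret: string | undefined, needRefresh: boolean) {
  return {
    providerId: "ave",
    clientId,
    ...(clientSecret ? { clientSecret } : {}), // omitted for a public client
    discoveryUrl: AVE_DISCOVERY_URL,
    scopes: needRefresh ? ["openid", "offline_access"] : ["openid"],
  };
}

// Returns the problems found; an empty list means the metadata matches the config.
function checkDiscovery(doc: DiscoveryDoc, discoveryUrl: string, scopes: string[]): string[] {
  const problems: string[] = [];
  // OIDC Discovery: issuer + WELL_KNOWN must equal the URL the document came from.
  const expected = discoveryUrl.slice(-WELL_KNOWN.length) === WELL_KNOWN
    ? discoveryUrl.slice(0, -WELL_KNOWN.length) : "";
  if (!expected || doc.issuer !== expected) problems.push("issuer mismatch");
  for (const name of ["authorization_endpoint", "token_endpoint", "jwks_uri"] as const) {
    const value = doc[name];
    if (!value || value.indexOf("https://") !== 0) problems.push(name + " missing or not https");
  }
  // scopes_supported is optional metadata; only compare when it is published.
  for (const s of scopes) {
    if (doc.scopes_supported && doc.scopes_supported.indexOf(s) < 0) {
      problems.push("scope not advertised: " + s);
    }
  }
  return problems;
}

// Constructed sample metadata (endpoint paths are made up, not Ave's real document).
const sampleDoc: DiscoveryDoc = {
  issuer: "https://aveid.net",
  authorization_endpoint: "https://aveid.net/authorize",
  token_endpoint: "https://aveid.net/token",
  jwks_uri: "https://aveid.net/jwks",
  scopes_supported: ["openid", "profile"],
};
```

With the constructed sample, requesting offline_access is flagged because the metadata does not advertise it, which is the kind of mismatch to catch before testing long sessions.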

Caveats

  • Upstream behavior for token refresh can differ from first-class social providers. Spike and test long sessions, rotation, and cookie handling before committing.
  • Better Auth is your app’s OAuth client to Ave — it does not replace Ave’s passkey UX, consent screen, or E2EE fragment delivery. Those remain Ave-side and browser flows.

Primary path

For the most predictable sessions without an extra framework layer, prefer Ave Session and verifyAveIdToken on your API.
Last modified on May 1, 2026