
86d uses Better Auth for all authentication: customer sign-in, admin sessions, and social OAuth flows. The auth system handles session cookies, role-based access control, and (when 86D_API_KEY is set) SSO with the 86d.app platform. Setting up authentication correctly is one of the first things to do before going to production.

Required setup

Before your store can authenticate anyone, set BETTER_AUTH_SECRET to a cryptographically random string. This secret signs all session tokens and auth cookies. Generate one with:
openssl rand -base64 32
Copy the output and add it to your .env:
.env
BETTER_AUTH_SECRET=<paste the output here>
Never use the placeholder value from .env.example in production. Any store with a predictable BETTER_AUTH_SECRET is trivially exploitable, because whoever knows the secret can mint valid session tokens and cookies.
You should also set BETTER_AUTH_URL to your store’s public URL so OAuth callbacks resolve correctly:
.env
BETTER_AUTH_URL=https://your-store.com

Auth endpoints

Better Auth handles all requests under /api/auth/[...all]. You do not need to configure these routes manually; they are wired up automatically.
Endpoint                          Description
POST /api/auth/sign-in/email      Sign in with email and password
POST /api/auth/sign-up/email      Register a new customer account
GET, POST /api/auth/[...all]      OAuth callbacks, session management, SSO

Guest shoppers

Guest shoppers do not need an account. Guest carts are tracked using a guestId cookie set automatically on first visit. When a guest completes checkout, their order is recorded against the guest ID. If they later create an account, their order history can be associated with the new account.

Social login providers

Enable social login by adding credentials for one or more OAuth providers to your .env. Any provider whose variables are absent is disabled automatically. You do not need to remove anything from your config.
Provider      Required variables
Google        AUTH_GOOGLE_ID, AUTH_GOOGLE_SECRET, NEXT_PUBLIC_AUTH_GOOGLE_ID
Twitter / X   AUTH_TWITTER_ID, AUTH_TWITTER_SECRET
Slack         AUTH_SLACK_ID, AUTH_SLACK_SECRET
Shopify       AUTH_SHOPIFY_ID, AUTH_SHOPIFY_SECRET
Apple         AUTH_APPLE_ID, AUTH_APPLE_SECRET, AUTH_APPLE_BUNDLE_IDENTIFIER
Facebook      AUTH_FACEBOOK_ID, AUTH_FACEBOOK_SECRET
Google requires NEXT_PUBLIC_AUTH_GOOGLE_ID in addition to the server-side credentials. This public variable is used to initialize the Google One Tap widget in the browser.

Setting up Google

1. Create a Google OAuth app

   Open the Google Cloud Console, create a new project (or select an existing one), and navigate to APIs & Services → Credentials. Create an OAuth 2.0 Client ID of type Web application.

2. Add your redirect URI

   Add https://your-store.com/api/auth/callback/google to the list of authorized redirect URIs.

3. Set the environment variables

   .env
   AUTH_GOOGLE_ID=123456789-abc.apps.googleusercontent.com
   AUTH_GOOGLE_SECRET=GOCSPX-...
   NEXT_PUBLIC_AUTH_GOOGLE_ID=123456789-abc.apps.googleusercontent.com
Other providers follow the same pattern: create an OAuth app on the provider’s developer platform, set the redirect URI to https://your-store.com/api/auth/callback/<provider>, and copy the client ID and secret into your .env.

Admin access

Admin users have the admin role. Only admin users can access the /admin dashboard, manage products and orders, and upload files.

Default admin account

When you run 86d init or docker compose up (which seeds automatically), a default admin account is created:
Field      Value
Email      admin@example.com
Password   password123
Change the default admin password immediately after setup. In production, use a strong, unique password or disable email and password login in favor of SSO.
You can create additional admin users from the admin dashboard under System → Users, or by promoting an existing user to the admin role directly in the database.

86d SSO

When 86D_API_KEY is set, 86d.app SSO is enabled for admin authentication. This lets you sign in to your store’s admin using your 86d.app account credentials, with no separate admin password required.
.env
86D_API_KEY=your-api-key
STORE_ID=your-store-uuid
With SSO enabled, admin sessions are issued via the 86d.app identity provider. Team members with access to your store in the 86d.app dashboard can sign in directly without needing a local account.

Email and password auth

Email and password login is enabled by default. Customers and admins can register and sign in using their email address and a password. Passwords are hashed using bcrypt and never stored in plaintext. To send password-reset and verification emails, set RESEND_API_KEY:
.env
RESEND_API_KEY=re_...
Without a Resend key, email delivery is disabled and password-reset flows do not work. You may still use social login or SSO for authentication.
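The checks called for above in "Required setup", "Social login providers" and the Resend note, gathered into one pre-production lint. This is an added example, not code from 86d or Better Auth: it operates on a parsed env object, takes the .env.example placeholder secret as a parameter (the page does not state its value), and the sample env at the bottom is constructed.

```javascript
// Added example, not 86d's or Better Auth's code: lint the auth variables this
// page describes before going live. Pure functions over a parsed env object.
const PROVIDERS = {
  google: ["AUTH_GOOGLE_ID", "AUTH_GOOGLE_SECRET", "NEXT_PUBLIC_AUTH_GOOGLE_ID"],
  twitter: ["AUTH_TWITTER_ID", "AUTH_TWITTER_SECRET"],
  slack: ["AUTH_SLACK_ID", "AUTH_SLACK_SECRET"],
  shopify: ["AUTH_SHOPIFY_ID", "AUTH_SHOPIFY_SECRET"],
  apple: ["AUTH_APPLE_ID", "AUTH_APPLE_SECRET", "AUTH_APPLE_BUNDLE_IDENTIFIER"],
  facebook: ["AUTH_FACEBOOK_ID", "AUTH_FACEBOOK_SECRET"],
};

// "enabled" when every required variable is set, "partial" when only some are
// (a misconfiguration the absent-variable rule would leave silently disabled).
function providerStatus(env) {
  const status = {};
  for (const [name, vars] of Object.entries(PROVIDERS)) {
    const set = vars.filter((v) => env[v]).length;
    status[name] = set === vars.length ? "enabled" : set ? "partial" : "disabled";
  }
  return status;
}

// Returns a list of problems; an empty list means the auth env looks ready.
// `placeholder` is the BETTER_AUTH_SECRET value copied from .env.example
// (assumed to be read by the caller; this page does not state its value).
function checkAuthEnv(env, placeholder) {
  const problems = [];
  const secret = env.BETTER_AUTH_SECRET || "";
  if (!secret) problems.push("BETTER_AUTH_SECRET is missing");
  else if (secret === placeholder) problems.push("BETTER_AUTH_SECRET is the .env.example placeholder");
  else if (Buffer.from(secret, "base64").length < 32) problems.push("BETTER_AUTH_SECRET decodes to fewer than 32 bytes");
  let url = null;
  try { url = new URL(env.BETTER_AUTH_URL || ""); } catch { /* unset or unparsable */ }
  if (!url || url.protocol !== "https:") problems.push("BETTER_AUTH_URL must be an absolute https URL");
  for (const [name, s] of Object.entries(providerStatus(env))) {
    if (s === "partial") problems.push(`${name}: only some of ${PROVIDERS[name].join(", ")} are set`);
  }
  if (!env.RESEND_API_KEY) problems.push("RESEND_API_KEY missing: password-reset emails cannot be sent");
  return problems;
}

// Constructed sample (not real credentials): placeholder secret kept, http URL,
// Google missing NEXT_PUBLIC_AUTH_GOOGLE_ID, no Resend key.
const SAMPLE_ENV = {
  BETTER_AUTH_SECRET: "change-me",
  BETTER_AUTH_URL: "http://localhost:3000",
  AUTH_GOOGLE_ID: "123456789-abc.apps.googleusercontent.com",
  AUTH_GOOGLE_SECRET: "GOCSPX-example",
};
console.log(checkAuthEnv(SAMPLE_ENV, "change-me"));
```

Run it against your real .env (parsed into an object) in CI so a copied placeholder secret or a half-configured provider fails the build instead of shipping.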