
RefactKit handles all authentication flows for you using Better Auth. Your users can sign up with an email and password or continue with a Google account. Both paths lead to the same verified, session-backed account — no extra plumbing required.

Sign-in methods

Email and password

Users register with their name, email, and a password of at least 12 characters. Email verification is required before they can sign in.

Google OAuth

Users click Continue with Google and authorize your app. No password is ever set for OAuth accounts; the access and refresh tokens are stored securely server-side.

Both sign-in methods are available on the login and signup pages. The Google button calls authClient.signIn.social with the google provider:

authClient.signIn.social({ provider: 'google', callbackURL: '/dashboard' })

Sign-up flow

When a user registers with email and password, the app collects their name, email, and password. The password must be at least 12 characters — this minimum is enforced both on the client and on the server.
1. Submit the sign-up form

The user fills in their name, email, and password and submits. RefactKit calls authClient.signUp.email with the form values.

2. Check your inbox

A verification email is sent automatically. The app replaces the form with a confirmation screen: “We’ve sent a verification link to your email.”

3. Click the verification link

Clicking the link in the email verifies the account and redirects the user to the login page (callbackURL: '/login').

4. Sign in

The user signs in normally. If they have no organizations yet, they land on /onboarding to create their first workspace.

Email verification is required. Users cannot sign in until they click the verification link. If a user tries to sign in before verifying, they’ll see an error from the auth layer.

How sessions work

After a successful sign-in, RefactKit creates a session backed by a secure, HTTP-only cookie. You do not manage tokens or local storage — the cookie is set automatically and sent with every request. Key properties of the session:
Property        Value
Storage         HTTP-only secure cookie
Validity        7 days
Renewal         Rolling — extended on each active request
Invalidation    Immediate on sign-out or password reset

Rolling sessions mean that as long as a user is active, they stay signed in without interruption. If a user resets their password, all existing sessions for that account are revoked immediately. The useSession hook (exported from lib/auth-client.ts) gives you real-time access to the current session in any component:
import { useSession } from '@/lib/auth-client'

function MyComponent() {
  const { data: session } = useSession()
  return <p>Signed in as {session?.user?.email}</p>
}

Password reset flow

Users who forget their password can request a reset link from /forgot-password.
1. Request a reset link

The user enters their email address. RefactKit calls authClient.requestPasswordReset with redirectTo: '/reset-password'.

2. Check your inbox

A password reset email is sent. The app shows a confirmation state. If no account exists for that email, no error is shown (to prevent email enumeration).

3. Set a new password

Clicking the link in the email opens the reset page. The user enters and confirms a new password (minimum 12 characters). Both passwords must match — the form validates this before submitting.

4. Sign in with the new password

After a successful reset, all existing sessions are invalidated and the user is prompted to sign in again.

If a user navigates to /reset-password without a valid token in the URL, RefactKit shows an “Invalid link” screen with a prompt to request a new one. Reset links expire — users must request a fresh one if theirs is stale.
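The reset flow above, modelled as plain functions so its three client-side rules can be checked without a browser: the request step returns the same confirmation state whether or not the address belongs to an account, the reset page falls back to the “Invalid link” screen when no token is present, and the new-password form enforces the 12-character minimum and the match check. This is an added example, not RefactKit's own code; the argument and return shape of authClient.requestPasswordReset (resolving to an object with an optional error) and the name of the token query parameter are assumptions.

```typescript
const MIN_PASSWORD_LENGTH = 12;

// Assumed shape of authClient.requestPasswordReset: resolves to { error } on failure.
interface ResetClient {
  requestPasswordReset(input: { email: string; redirectTo: string }): Promise<{ error?: { message: string } | null }>;
}

type RequestState = { step: 'form'; error?: string } | { step: 'check-inbox' };
type ResetPageState = { screen: 'invalid-link' } | { screen: 'form'; token: string };

// Step 1: request a link. The confirmation state is returned for every address, so the
// response cannot be used to tell registered emails from unknown ones.
async function requestReset(email: string, client: ResetClient): Promise<RequestState> {
  const result = await client.requestPasswordReset({ email, redirectTo: '/reset-password' });
  if (result.error) {
    // Delivery failed: show a fixed message instead of echoing the server error text,
    // which might otherwise reveal whether the address exists.
    return { step: 'form', error: 'Could not send a reset link. Please try again.' };
  }
  return { step: 'check-inbox' };
}

// Step 3: decide what /reset-password renders from the page's query string. The link is
// assumed to carry the token as a `token` parameter; without one there is nothing to redeem.
function resetPageState(search: string): ResetPageState {
  const token = new URLSearchParams(search).get('token');
  if (!token || token.trim() === '') return { screen: 'invalid-link' };
  return { screen: 'form', token };
}

// Step 3, continued: checks run before submitting the new password. The server enforces
// the same minimum, so this only gives earlier feedback; it is not the security boundary.
function validateNewPassword(password: string, confirm: string): string[] {
  const errors: string[] = [];
  if (password.length < MIN_PASSWORD_LENGTH) {
    errors.push(`Password must be at least ${MIN_PASSWORD_LENGTH} characters`);
  }
  if (password !== confirm) errors.push('Passwords do not match');
  return errors;
}
```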

Staying signed in

RefactKit uses rolling sessions, so active users are never unexpectedly signed out. The session expiry is extended automatically on each authenticated request. A user is only signed out when they:
  • Click Sign out explicitly
  • Reset their password (all sessions revoked)
  • Let their session sit idle for 7 days without any activity
For Google OAuth accounts, access and refresh tokens are stored and managed server-side. Users never interact with these tokens directly.