How to Add Authentication to a SvelteKit App (2026 Guide)
Complete guide to SvelteKit auth. Covers Better Auth, Auth.js, hooks, and managed providers for Svelte 5 and SvelteKit apps.
SvelteKit has grown from a niche framework into a serious contender for production web apps. GitHub stars for Svelte crossed 80,000 in mid-2025, and developer usage grew from 8% to roughly 20% in two years according to State of JS surveys. Major companies including Apple, Spotify, and The New York Times use Svelte in production.
But SvelteKit ships with no built-in auth system. You get hooks, server routes, and cookies — the building blocks — but you assemble the auth layer yourself. This guide covers every practical approach to svelte auth in 2026.
How SvelteKit Auth Architecture Works
SvelteKit’s auth model is server-first. Every request hits hooks.server.ts before SvelteKit processes the route. This is where you validate sessions and attach user data.
The standard SvelteKit auth flow has three parts:
- hooks.server.ts reads the session cookie on every request, validates the token or session ID, and attaches the user object to
event.locals. This runs server-side on every page load and navigation. - Server load functions access
event.locals.userto gate data. If the user is not authenticated, you can throw a redirect to the login page. - Form actions handle login and registration. SvelteKit’s form actions process POST requests server-side without requiring client-side JavaScript.
This architecture means auth happens on the server before any HTML reaches the browser. No client-side token storage, no exposed JWTs in the DOM. The session cookie is httpOnly and secure by default.
Common SvelteKit Auth Approaches Compared
Auth.js (@auth/sveltekit)
Auth.js, formerly NextAuth, expanded beyond Next.js to support SvelteKit with the @auth/sveltekit package. It plugs into SvelteKit’s hooks system and handles OAuth flows, session management, and callback processing.
What works well:
- Support for 80+ OAuth providers (Google, GitHub, Discord, etc.)
- Integrates directly with SvelteKit hooks
- Database adapters for Prisma, Drizzle, and most ORMs
- Well-documented setup process
Where it falls apart:
- Email/password auth requires extra configuration and a transactional email provider
- SvelteKit-specific documentation is sparser than the Next.js docs
- The v4 to v5 migration broke many setups
- No built-in UI components — you build every form yourself
Better Auth
Better Auth emerged as the recommended successor after Lucia Auth deprecated itself in March 2025. It is TypeScript-first, framework-agnostic, and designed to work with your own database.
What works well:
- Plugin ecosystem with 2FA, passkeys, and multi-tenancy
- Works with any database through adapters
- Organization management and rate limiting built in
- Compatible with SvelteKit’s server-side architecture
Where it falls apart:
- More initial setup than managed providers
- You maintain the auth infrastructure yourself
- Younger project with a smaller community than Auth.js
- SvelteKit-specific examples are still growing
Clerk
Clerk added Svelte support alongside its React offerings. It provides pre-built components and handles the entire auth flow through their hosted infrastructure.
What works well:
- Pre-built sign-in components
- 10,000 free monthly active users
- Handles the entire auth lifecycle
- Built-in user management dashboard
Where it falls apart:
- Svelte support is newer than React, with fewer examples
- Vendor lock-in to Clerk’s API
- $0.02 per MAU after the free tier
- Pre-built components may not match your design system
Custom Implementation with Hooks
SvelteKit gives you enough primitives to build auth yourself: hooks.server.ts for request interception, form actions for login/register, and the cookies API for session management. You hash passwords with bcrypt or argon2, store sessions in your database, and validate on every request.
This gives you full control but costs 2-4 weeks of development. You handle CSRF tokens, rate limiting, password reset flows, and email verification yourself. For a tutorial on the basics, see our SvelteKit auth blog post.
The Real Problem: Auth Is Only Half the Battle
Authentication is table stakes. It does not generate revenue. Every auth solution above handles login, but none handles Stripe checkout, subscription management, or payment webhooks.
If you are building a SaaS with SvelteKit, you will need to wire up Stripe separately. That means a second integration project: webhook handlers, customer-to-user mapping, entitlement checks, and a subscription management UI.
How Beag Simplifies SvelteKit Auth and Payments
Beag combines auth and payments into a single script tag. Add the Beag script tag to your SvelteKit layout and get:
- Authentication with email, social login, and magic links
- Stripe payments with checkout, subscriptions, and customer portal
- User-to-customer mapping handled automatically
- Session data accessible from your server load functions
Setup takes minutes, not days. For indie hackers shipping micro SaaS products, this is the fastest path from idea to revenue.
Choosing the Right Approach
| Solution | Cost | Setup Time | Auth + Payments |
|---|---|---|---|
| Auth.js | Free (open source) | 2-4 hours | Auth only |
| Better Auth | Free (open source) | 3-6 hours | Auth only |
| Clerk | $0.02/MAU after 10K | 1-2 hours | Auth only |
| Custom hooks | Free | 2-4 weeks | Auth only |
| Beag | $19/month | 15 minutes | Both included |
For more framework comparisons, see our Next.js auth guide or the Astro auth guide. Browse all guides in the guide hub.
What to Do Next
- Pick your auth library. Auth.js for simplicity, Better Auth for advanced features.
- Decide your scope. Auth only, or auth plus payments?
- Factor in development time. Free libraries still cost engineering hours.
- Start building. Try Beag free for 7 days or explore the docs.
Frequently Asked Questions
What happened to Lucia Auth for SvelteKit?
Lucia Auth deprecated itself in March 2025 and transitioned to a maintenance-only educational resource. The Lucia developers recommend Better Auth as the primary successor. Better Auth is TypeScript-first, framework-agnostic, and includes plugins for 2FA, passkeys, and organization management.
Does SvelteKit have built-in authentication?
No. SvelteKit provides the building blocks -- hooks, server routes, cookies -- but no built-in auth system. The official SvelteKit documentation recommends using Auth.js (via @auth/sveltekit) or implementing your own auth with the hooks.server.ts file for session validation.
How do SvelteKit hooks work for auth?
The hooks.server.ts file runs on every server request before SvelteKit processes the route. You use the handle hook to read session cookies, validate tokens, and attach user data to the event.locals object. This makes auth data available in all server load functions and API endpoints.
Should I use Auth.js or Better Auth for SvelteKit?
Auth.js is simpler to set up with its @auth/sveltekit package and supports 80+ OAuth providers. Better Auth offers more features out of the box -- 2FA, passkeys, rate limiting, organization management -- but requires more initial configuration. For basic social login, Auth.js is faster to implement. For production apps needing advanced features, Better Auth is the stronger choice.
How much does SvelteKit auth cost?
Auth.js and Better Auth are both free and open source. Clerk offers 10,000 free MAUs. If you need auth and payments together, Beag bundles both for $19/month, saving you from building a separate Stripe integration.
Skip the Auth and Payments Headaches
Beag handles authentication and Stripe payments with a single script tag. Ship your SaaS faster.
Start 7-day free trial