Better Auth with Non-Node Backends: Bridging TanStack Start and Go Fiber
If you've seen the recent Dreams of Code article, you know the hype is real. Better Auth is arguably the best authentication solution for the Typescript ecosystem right now. It is type-safe, extensible, and incredibly easy to set up.
However, there is a catch: Better Auth is designed to run on a Javascript runtime (Node/Bun/Deno).
So, what happens if your backend logic lives in Go (Fiber), but you want the DX of Better Auth for your TanStack Start frontend?
In this post, I'll show you how to architect a "Proxy Pattern" using Tanstack Start to handle authentication in Node, while securely passing authorization contexts to a Go Fiber backend.
The Architecture
Since Better Auth cannot run inside Go, we run it inside our Tanstack Start server (which runs on Node/Bun). We then use a JWT Strategy to communicate with the Go backend.
Here is the flow:
/api/external).Step 1: Configuring Better Auth (The Frontend)
First, we need to enable the JWT plugin. This is crucial because standard session cookies are opaque to the Go backend. We need a token that Go can cryptographically verify.
On the client side, the setup remains standard:
Step 2: The Proxy (Tanstack Start)
This is the secret sauce. Instead of the browser hitting the Go backend directly (which would require complex CORS and cookie sharing), we create a "Catch-All" route in Tanstack Start (routes/api/external/$.ts).
This route intercepts the request, grabs the valid token using auth.api.getToken, and forwards the request to Go with a standard Authorization: Bearer <token> header.
Step 3: Authorization in Go Fiber
Now that the Go server is receiving a standard Bearer token, we need a middleware to validate it.
Unlike Node, Go doesn't have direct access to the Better Auth code. However, because Better Auth creates a standard JWK (JSON Web Key), Go can validate the signature cryptographically without hitting the database.
Using it in the Router:
Why This Architecture Works
Merging a Node-based meta-framework with a Go backend often feels clunky, but this specific setup solves three major headaches:
/api/external), your browser only ever talks to the Tanstack Start server (Same-Origin). You don't need to configure complex CORS rules or worry about SameSite cookie issues between your frontend and backend domains.Trade-offs to Consider
No architecture is perfect. Here is what you are "paying" for this convenience:
Client -> Tanstack Start (Node) -> Go Fiber -> Database. While the internal network speed between Node and Go is usually negligible (especially in Kubernetes or same-network deployments), it is technically an extra hop compared to a monolith.routes/api/external/$.ts will need to be significantly more robust to handle streaming connections.The Bottom Line
If you are a solo developer or a small team, this pattern is a productivity multiplier.
It allows you to treat authentication as "solved" by the Typescript ecosystem, while letting you write your high-performance business logic in Go. You don't have to switch languages completely you just have to let them play to their respective strengths.
Conclusion
You don't have to rewrite your entire backend in Node just to use Better Auth. By leveraging the JWT Plugin and Tanstack Start server functions, you can keep your robust Go architecture while enjoying the modern authentication experience that Better Auth provides.
This setup gives you the best of both worlds: