All of the changes made will be available here.

Better Auth is the most comprehensive authentication framework for TypeScript that provides a wide range of features to make authentication easier and more secure.


BETTER-AUTH.

v1.4.5

v1.4.4

🚀 Features

  • cli: Better-auth-command – @Ridhim-RR
  • scim: Add support to parse custom scim+json media type – @jonathansamines

🐞 Bug Fixes

  • Customizing fields should be optional for rate limit options – @ceolinwill
  • Chunk account data cookie when exceeding limit – @jslno
  • Remove applying user-agent by default – @Bekacru
  • Additional fields default values should apply when creating session – @Bekacru
  • Return null early if userid isn't defined – @Bekacru
  • logger: Log level priority – @danielfinke
  • mcp: Return origin url as authorization server – @jslno
  • multi-session: Endpoints break with invalid signatures – @ping-maxwell
  • oidc-provider: Resolve getSignedCookie return type – @bytaesu

v1.4.3

🚀 Features

  • Add Vercel as OAuth provider – @anatrajkovska
  • Add support for trusted proxy headers in base URL inference – @Bekacru

🐞 Bug Fixes

  • Support @tanstack/solid-start in tanstackStartCookies plugin – @Bekacru
  • open-api: Clean up incorrect null type in OpenAPI – @bytaesu
  • two-factor: Remove incorrect blocking logic in OTP setup and verification – @isaacriehm

v1.4.2

🚀 Features

  • cli: Check /auth for auth.ts – @ping-maxwell
  • github: Add PKCE support for GitHub – @Shridhad
  • jwt: Allow custom jwks endpoint – @luist18

🐞 Bug Fixes

  • Support @tanstack/solid-start in tanstackStartCookies plugin – @jakst
  • SignIn/signUp API returns user additional field – @himself65
  • cli:
    • Kysely migration fails due to chaining addIndex and addColumn on the same alterTable builder – @ping-maxwell
    • Prevent duplicate index creation in Prisma schema generation – @rovertrack
  • client:
    • Get-session gets triggered twice on focus – @Bekacru
  • email-otp:
    • Sign-in email-otp bugs with capitalized emails – @ping-maxwell
  • oidc-provider:
    • Session shouldn't be required – @Bekacru
  • organization:
    • Have deleteOrganization use adapter.deleteMany instead of delete – @kefimoto

v1.4.1

🚀 Features

  • api-key: Support secondary storage – @ping-maxwell @Bekacru

🐞 Bug Fixes

  • Custom fn field default values should be properly evaluated – @Bekacru
  • jwt: Retrieve latest keys from storage properly – @Bekacru
  • passkey: Change generate-authenticate-options from POST to GET – @mburumaxwell

v1.4.0

🚀 Features

  • Bypass transaction with async local storage – @himself65
  • Add returnHeaders to getSession – @frectonz
  • Waku integration guide – @rmarscher
  • Add support for custom callback for authorization url – @Bekacru
  • Additional fields on account – @dvanmali
  • Add support for custom callback for token url – @acusti
  • Enum support for drizzle schema – @himself65
  • Nextjs 16 guide – @Kinfe123 @himself65
  • Add storeStateStrategy – @himself65
  • Enhance PostgreSQL support for non-public schema by respecting search_path configuration – @okisdev
  • Add polar oauth provider – @ephraimduncan
  • Session store chunking – @himself65
  • Stateless session management – @Bekacru @ping-maxwell @himself65
  • Esm only – @himself65
  • Implement automatic server-side IP detection – @GautamBytes
  • Async import in getAdapter – @himself65
  • Improved API error page – @ping-maxwell @Bekacru
  • Add request state – @himself65
  • Add support for uuids – @Bekacru
  • Auto-index CLI – @ping-maxwell @Bekacru
  • Expose additional http methods – @jonathansamines @Bekacru
  • better-auth/minimal – @bytaesu @Bekacru
  • Add support for custom response status codes – @jonathansamines @Bekacru
  • Support pass raw function as middleware – @himself65
  • Support pass raw function as middleware – @himself65
  • Adapter join support – @ping-maxwell
  • Refactor fetch plugins config disableDefaultFetchPlugins to include userAgentPlugin – @kaandok @himself65
  • Utilize database joins across better-auth – @ping-maxwell
  • Support storing account data in a cookie – @Bekacru
  • Adding support for SCIM provisioning – @jonathansamines
  • Add support for organization slug on list members – @Bekacru
  • anonymous:
    • Support phone number verification for account linking – @Bekacru
    • Allow customizing random email generator – @bytaesu
  • captcha:
    • Add support for CaptchaFox – @tgrassl
  • cli:
    • Add mcp client configs from cli – @Kinfe123 @himself65
    • Support Cloudflare Workers virtual module imports – @chhoumann
  • client:
    • Refetch session when browser state changes – @himself65
    • Add type helper AuthClient – @himself65
    • Introduce disableSignal client option – @ping-maxwell
  • core:
    • Replace ZodType with @standard-schema/spec – @himself65
  • db:
    • Delete hooks – @Kinfe123 @himself65
  • device-authorization:
    • Add verification uri – @bytaesu @himself65
  • discord:
    • Allow specification of permissions – @TheUntraceable @Bekacru
  • docs:
    • Adding missing auth & colour in builder – @okisdev
  • email-otp:
    • Allow returning undefined in generateOTP – @ping-maxwell
  • expo:
    • Support multiple cookie prefixes for better-auth detection – @himself65
  • generic-oauth:
    • Provide pre configured provider helpers – @Paola3stefania
    • Add custom token exchange support for non-standard providers – @bytaesu
  • jwt:
    • Support custom adapter option for jwt – @Bekacru
    • Add JWT verification endpoint and refactor verification logic – @himself65
    • Add key rotation – @Bekacru @Paola3stefania
  • last-login-method:
    • Update OAuth login method tracking for multiple auth type – @Kinfe123
    • Add support for 'siwe' as a last login method and added tests – @rovertrack
  • mongodb:
    • Support string IDs over ObjectIDs – @ping-maxwell @ahmedriad1
  • oauth-proxy:
    • Stateless mode compatibility – @bytaesu
  • oidc-provider:
    • Add RP-Initiated Logout endpoint – @himself65
  • organization:
    • Support createdAt on invitations – @iRoachie @himself65
    • Refactor organization schema to use BetterAuth types – @himself65
  • passkey:
    • Allow multiple passkey origins – @kevcube
  • paybin:
    • Add Paybin OAuth provider – @redoh
  • phone-number:
    • Allow custom verifyOTP implementation – @bytaesu @zain
  • plugin-openapi:
    • Allow passing nonce for CSP – @GautamBytes
  • prisma:
    • Enhance JSON default value handling for arrays and objects in schema generation – @rovertrack
  • session:
    • Use JWE for cookie cache by default – @himself65
  • sso:
    • DefaultSSO options and ACS endpoint – @Kinfe123 @Bekacru
    • Provide default service provider metadata – @dvanmali
    • Add option to provide login hint – @tnkuehne
    • Add domain verification for SSO providers – @jonathansamines @ping-maxwell
  • stripe:
    • Upgrade stripe support to v19.1.0 – @okisdev
    • Add StripePlugin type – @himself65
    • Allow any scheme – @hyoban @Bekacru
    • Allow flexible types in plan limits – @bytaesu @Bekacru

🐞 Bug Fixes

  • Device authorization plugin – @bytaesu
  • Reduce any type in generator.ts – @himself65
  • Refresh secondary storage sessions on user update – @frectonz
  • Allow disable database transaction – @himself65
  • Wrap Math.floor around the division when calculating TTL – @DevDuki @himself65
  • TTL sessions list expiration – @dvanmali
  • Tests failing due to clock drift – @dvanmali
  • Support compressed ipv6 format – @Velka-DEV
  • Add required constraint to slug field in org plugin – @bytaesu
  • Use consistent messaging on requestPasswordReset – @Eazash
  • Cookie size limit shouldn't throw error – @Bekacru @himself65
  • Handle symbols in proxy get trap to prevent TypeError – @zbeyens @himself65
  • TTL for rate limited secondary storage – @dvanmali
  • Properly encode callback url for email verification – @Bekacru
  • Session update database hook should expect partial session type – @Bekacru
  • Deprecate options.advanced.generateId type – @himself65
  • Api keys should properly check if a request is from client or server – @Bekacru
  • Refactor account deletion functions to trigger database hooks – @xuchenhao001
  • Improve username transformation logic – @ping-maxwell
  • Ensure falsy values are valid default values – @ocherry341
  • Import node:async_hooks directly – @himself65
  • Undeclared variable reference on docs – @Kinfe123
  • Argument where of type TwoFactorWhereUniqueInput needs at least one of id arguments – @AlexStrNik
  • Mobile ai search responsiveness – @Kinfe123
  • Type compatibility with exactOptionalPropertyTypes – @Kinfe123 @himself65
  • Remove deprecated ssoClient export from client plugin – @Kinfe123
  • GetAccessToken refresh should properly refresh when oauth tokens are encrypted – @bsklaroff
  • Resolve custom URL scheme origin matching with wildcards – @AntonVishal
  • Respect additionalFields returned config for user data when setting cookie cache – @ahmed-abdat @Bekacru
  • Correct type HookEndpointContext and InternalContext – @himself65
  • Add optional chaining for process.platform – @bytaesu
  • User-agent requirement when fetching from clients – @dvanmali
  • Unused peer dependency – @himself65
  • Rename sha to branch and made it canary by default – @max-programming
  • Remove deprecated forgetPassword endpoints – @bytaesu
  • Respect onAPIError.errorURL in OAuth callback flow – @GautamBytes @ping-maxwell
  • Call db hooks when calling deleteUser – @ping-maxwell
  • Allow user update to handle additional fields and validation – @Bekacru
  • Missing email validation – @ahmedriad1 @ping-maxwell
  • Urls without protocol shouldn't be able to satisfy a wildcard origin – @Bekacru
  • Use standard validator – @himself65
  • Add undefined type for optional property types – @himself65
  • Type mismatch for 'banned' on UserWithRole – @GautamBytes
  • Delete duplicate email existence check in changeEmail endpoint – @DevDuki
  • Add missing userId in listAccounts response – @bytaesu
  • Trigger use session on revoke sessions – @Bekacru
  • string[] inference for additionalFields – @GautamBytes
  • Unsanitized endpoints provided dates will cause DB insert failure – @ping-maxwell @Bekacru
  • Update hooks return should merge with original data – @Bekacru
  • Don't trigger session refresh on magic-link sign-in – @ping-maxwell
  • Treat generateId "serial" as numeric ID and correct UUID column types across adapters – @ping-maxwell
  • Validate baseURL protocol and improve error messages – @dmmulroy
  • Use ctx over request in plugin options – @ping-maxwell
  • Use identity instead of serial for pg schema – @ping-maxwell
  • Zoom refresh token – @borgoat
  • /change-email should trigger session signal – @ping-maxwell
  • Resolve SESSION_IS_NOT_FRESH error with cookieCache – @GautamBytes
  • Preserve provided string IDs in the MongoDB adapter when they are not valid ObjectId – @udnes99
  • GenericOAuth and SSO ignore discoveryUrl for authorization – @GautamBytes
  • Remove active session requirement for change email verification – @Bekacru
  • adapter:
    • Returning null as string for optional id references – @jslno
    • Use updated field values in WHERE clause during update – @QuintenStr @ping-maxwell
    • Foreign keys that are nullable on number ids can return string of null – @ping-maxwell
    • Ensure transaction function is implemented in the adapter – @himself65
    • Missing data type transformation on where clauses – @ping-maxwell
    • Inconsistent mongo ends_with query – @ping-maxwell
    • Kysely with CamelCasePlugin breaks for OIDC. – @ping-maxwell
    • Should not apply defaultValue during find calls – @ping-maxwell
    • Drizzle deleteMany result should be a number – @ping-maxwell
  • adapters:
    • Mongodb id issue – @okisdev @ping-maxwell
  • admin:
    • Stricter body validation with the setUserPassword api – @hieudien14310 @ping-maxwell
    • Validate admin role updates against the configured roles to prevent setting a non-existent role – @hieudien14310
  • anonymous:
    • Provide ctx on accountLink – @ping-maxwell
    • isAnonymous should default to false instead of null – @ping-maxwell
  • api-key:
    • Cascade api keys on user deletion – @ping-maxwell
    • Calling client on server side – @himself65
    • Correct refill interval time calculation – @Pankaj3112 @himself65
    • Shouldn't issue api key a mock session by default – @Bekacru
    • Don't update the lastRequest when calling updateApiKey – @ping-maxwell
    • Remove incorrect usage tracking in updateApiKey – @ahmed-abdat @Bekacru
  • better-auth:
    • Moved email verification check after password check – @QuintenStr
  • cli:
    • DefaultNow is deprecated in schema for Drizzle with SQLite – @himself65
    • Timestamp in schema for Drizzle with SQLite – @zy1p
    • Move type dependencies to devDependencies – @bdkopen
  • client:
    • BaseURL is undefined for SSR – @himself65
    • Add lynx client exports – @JagritGumber
    • Missing isRefetching type in react useSession – @ThibautCuchet
    • Ensure refetchInterval triggers active network request – @GautamBytes @himself65
  • cookie:
    • SameSite to "none" for oauth state – @himself65
    • SameSite to "none" for oauth state – @Bekacru
  • core:
    • Correctly set typesVersions paths – @XiNiHa
  • create-adapter:
    • Disable transaction by default – @ping-maxwell
  • custom-session:
    • Don't overwrite the Set-Cookie header – @frectonz
    • Infer.Session to infer the return type of the custom session – @Bekacru
  • db:
    • onDelete is ignored – @himself65
    • Postgres - explicitly define pg_catalog for gen_random_uuid() – @mrl5
  • deps:
    • Update dependency @nanostores/react to v1
  • device-authorization:
    • Fix client error type for deny device – @3ddelano
    • Sanitize user code input on device approve – @Bekacru
  • docs:
    • Set default tab to next-js since react was not listed – @mohit4bug
    • Anchor link scrolling with conflict prevention – @Kinfe123
    • Enable code block copying in documentation page – @vagxrth
  • drizzle:
    • Replace pgEnum with text enum type in Drizzle schema generation – @eni4sure
  • drizzle-adapter:
    • Handle all operators in multiple where conditions – @Kinfe123 @ping-maxwell
  • email-otp:
    • Call reset password callback – @HoshangDEV
    • Email-verification doesn't trigger session signal – @ping-maxwell
    • Fix openapi schema for /email-otp/verify-email endpoint – @jonathansamines
    • Prevent duplicate verification emails when override is enabled – @ephraimduncan
    • Prevent user enumeration on email OTP – @himself65
    • Use constant time equal for equality checks – @Bekacru
  • expo:
    • Set-header retrigger $sessionSignal – @himself65
    • Store normalized cookie name in storage – @ping-maxwell
    • Origin check failing due to null origin in expo – @Bekacru
    • Account linking flow on mobile – @almadoro
    • Clear peer dependence and flag optional – @hyoban
    • Enhance cookie detection for better-auth cookies – @himself65
  • generic-oauth:
    • overrideUserInfo doesn't work – @ping-maxwell
    • Await async mapProfileToUser – @bytaesu @Bekacru
  • gitlab:
    • Fix the token endpoint – @Tobix99
  • haveibeenpwned:
    • Check for limited set of paths – @Bekacru
  • last-login-method:
    • Custom resolver method default logic – @ThibautCuchet
    • LastLoginMethod cookie is not set when using a generic oauth provider – @nbifrye
    • Detect passkey login to set last used method – @GautamBytes
  • magic-link:
    • Avoid returning error for disabled signup early – @Bekacru
    • Ensure emailVerified update is reflected in user object – @bytaesu @Bekacru
  • mcp:
    • Missing Content-Type header for mcp DCR – @Berndwl
    • Consent requirement should be respected – @okisdev
  • mongodb:
    • Mongodb findOneAndUpdate should return .value – @Paola3stefania
  • multi-session:
    • Reject cookies without valid signatures on signout hook – @Bekacru
  • nuxt:
    • Avoid load env base url for SSR – @himself65
  • oauth:
    • Redirect to GET for POST method – @himself65
  • oauth-proxy:
    • Should skip state check for oauth proxy – @Bekacru
    • Handle cross-origin flows – @bytaesu @Bekacru
    • Return multiple Set-Cookie headers instead of a single comma-separated header – @nakasyou
  • oauth2:
    • Fix user data not reflecting provider updates with overrideUserInfo – @dandamian
  • odic:
    • Case when prompt=login – @himself65
    • Case when prompt=login – @himself65
  • odic-provider:
    • Default options – @himself65
  • oidc:
    • Properly enforce consent requirements per OIDC spec – @himself65
  • oidc-provider:
    • OIDC token-type capitalization – @yutaka5
    • Use consistent iat claim and allow configurable issuer – @ephraimduncan @himself65
    • Improve typing – @himself65
    • oidc_login_prompt not cleared after login – @himself65
    • Change updated_at to be a UNIX numeric timestamp – @ShobhitPatra @himself65
    • Fix opts order – @himself65
    • oidc_login_prompt not cleared after login – @himself65
    • Missing options – @himself65
    • Implement proper OIDC prompt parameter handling – @himself65 @Bekacru
    • Redirect to consent when scope changed – @himself65
  • openapi:
    • Add operationIds to routes – @thomasmol @ping-maxwell @Bekacru @TheUntraceable
  • org:
    • Use correct adapter during db transaction – @himself65
    • Update type to include undefined – @himself65
  • organization:
    • Decouple client and server permission checks – @Bekacru
    • Membership check for organizations with large member counts – @Badbird5907 @himself65
    • Remove autoCreateOnSignUp option as it's not implemented yet – @Bekacru
    • Pass ctx to DB hooks – @ping-maxwell
    • Allow passing id through beforeCreateOrganization – @ping-maxwell
    • Prevent empty name and slug in create/update – @kira-1011
    • Certain parameters not showing in client types – @ping-maxwell
    • Prevent duplicate slug on organization update – @kira-1011 @Bekacru @ping-maxwell @Kinfe123
    • Compatibility with declaration on tsconfig.json – @himself65
    • Compatibility with exactOptionalPropertyTypes – @himself65
    • Typecheck node exceeds the maximum length – @himself65
    • Fix the schema type – @himself65
    • RemoveTeamMember breaks for prisma – @ping-maxwell
    • Correct migration order when dynamicAccessControl is enabled – @AntonVishal @ping-maxwell
    • Deleting member from org doesn't delete them from teams – @ping-maxwell
    • All endpoints should properly infer additional fields – @ping-maxwell @Bekacru @ahmedriad1
    • ActiveOrgId no longer inferred after enabling dynamic AC – @ping-maxwell
  • passkey:
    • Remove email from query – @himself65
    • Atom listeners not working – @ping-maxwell
    • Passkey breaks with throw: true – @ping-maxwell @Bekacru
    • Wrong Session type being used on passkey – @ouwargui
    • Filter delete passkey with userId – @Bekacru
    • Ensure addPasskey returns passkey data instead of undefined – @mburumaxwell
  • phone-number:
    • Shouldn't allow updating phone number on /update-user endpoint – @ping-maxwell
  • session:
    • Refresh cache before it expires – @himself65
    • Persist additionalFields in cookie cache – @Ridhim-RR
  • social-providers:
    • Core module import – @himself65
  • sso:
    • Safe json parsing for saml/oidc configs – @natetewelde @himself65
    • Prevent duplicate SSO provider creation with same providerId – @xiaoyu2er
    • OIDC scopes should fallback to provider scopes – @Bekacru
    • Add deprecated flag to the old sso plugin export – @Bekacru
    • Move oauth2-mock-server dep into devDependencies for sso package – @rbayliss
    • Use the internalAdapter for user queries to avoid skipping database hooks – @hartbit
    • Respect disableImplicitSignUp in SAML callback – @kanarian
    • Prevent server instance from leaking to client – @rbayliss
    • Export SSOProvider type – @rbayliss
  • stripe:
    • OnCustomerCreate should be called even if update user isn't returned – @Bekacru
    • Update with an existing subscription – @himself65
    • Sync customer email on db change – @himself65
    • getCustomerCreateParams not actually being called – @ebalo55 @himself65
    • Throw error if event failed to be constructed – @Bekacru
    • Check for reference IDs inside during Stripe reference validation – @Bekacru
    • Stripe error codes should be returned from the plugin – @Bekacru
    • Remove TS error suppression updating getCheckoutSessionParams – @mohebifar
    • Prevent duplicate customer creation on signup – @bytaesu
    • Return updated subscription in onSubscriptionUpdate callback – @bytaesu @Bekacru
    • Throw error if query.referenceId is defined – @Bekacru
    • Cancel subscription fails with Prisma – @ping-maxwell
  • telemetry:
    • Avoid async import if telemetry disabled, fix for esbuild – @erquhart
    • Avoid async import if telemetry disabled, fix for esbuild – @himself65
  • test:
    • Use async import for db – @himself65
  • two-factor:
    • Return parsed array in viewBackupCodes – @ahmed-abdat
    • Backup codes shouldn't be encrypted twice – @Bekacru
    • Avoid GET endpoints with body – @jonathansamines @Bekacru
    • Incorrect reference for server only actions – @okisdev
    • Improve error message for bad totp code in 2FA setup – @DevDuki
    • Trust device token refresh – @gregtjack @Bekacru @ping-maxwell
    • Use constant time equal for otp comparison – @Bekacru
  • types:
    • Include null in getSession return type – @jcajuab
  • url:
    • Handle empty and root path in withPath, prevent double slashes, add tests – @surafel58
  • username:
    • Username should respect send on sign config – @QuintenStr
    • Compatibility with exactOptionalPropertyTypes – @himself65
  • vk:
    • Check for empty email after user profile mapping – @ic4l4s9c

🏎 Performance

  • Improve type Auth – @himself65
  • Lazy load create telemetry – @himself65
  • Lazy load create telemetry – @himself65