All of the changes made will be available here.

Dec 31, 2025

v1.4.10

Dec 31, 2025

🚀 Features

---

• Support form data for email sign-in/sign-up and fallback to checking fetch Metadata for first login –
• expo:
  • Add webBrowserOptions to openAuthSessionAsync –
• saml:
  • Add XML parser hardening with configurable size limits –
• stripe:
  • Flexible subscription cancellation and termination management –
  • Handle customer.subscription.created webhook event –
  • Add disableRedirect option for subscription and billing –

🐞 Bug Fixes

---

• Correct accountLinking default to true –
• Add supportsArrays to memory and mongodb adapters –
• Sync updateSession changes to secondary storage and active-sessions list –
• admin:
  • Custom role type inference –
  • UserId check in /has-permission –
• anonymous:
  • Missing path breaks anonymous hooks –
• api:
  • Chain plugin onRequest hooks properly –
• client:
  • Prevent duplicate signal processing in atom listeners –
  • Apply rate limit focus refetch regardless of session state –
• expo:
  • Improve parseSetCookieHeader –
• oauth-provider:
  • Support jwksPath –
  • Only session db store currently supported –
• oauth-proxy:
  • Point provider requests to production and fix cookie handling in non-HTTPS environments –
• organization:
  • Remove unnecessary type re-export –
• passkey:
  • Use data.id instead of challengeId in deleteVerificationValue –
• stripe:
  • Add 'subscription/restore' to pathMethods –
  • Prevent trial abuse by checking all user subscriptions –

    View changes on GitHub

Dec 23, 2025

v1.4.9

Dec 23, 2025

🚀 Features

---

• Add ctx.isTrustedDomain helper –
• Drizzle pg supports JSON –
• Add Refresh Token Support to Kick OAuth Provider –
• Add additionalFields option in verification table schema –
• Add patreon social provider –
• Add a global backgroundTasks config option to defer actions like sending email and updates to run after response is sent –
• admin:
  • Prevent impersonating admins by default [breaking] –
  • Add support role with permissions for user updates and enforce role change validation –
• expo:
  • Last-login-method client plugin –
• multi-session:
  • Allow to infer additional fields –
  • Allow to infer additional fields " –
• oauth-provider:
  • An oauth 2.1 compliant plugin –
• oauth-proxy:
  • Add expirty timestamp for encrypted tokens –
• one-time-token:
  • Support setting session cookie on ott verify –
• organization:
  • Allow invited users to see organization name –
• phone-number:
  • Add password length validation for reset functionality –
• saml:
  • Assertion timestamp validation with per-provider clock skew –
  • Validate SAML crypto algorithms during initial phase –
  • Enforce one-time use of SAML assertions –
  • Reject deprecated SAML signature and digest algorithms –
  • Reject deprecated SAML signature and digest algorithms –
• sso:
  • Use domain verified flag to trust providers automatically –
  • Add InResponseTo validation –
  • Add OIDC discovery –
  • Add URL normalization and validation to all discovery URLs –

🐞 Bug Fixes

---

• Add helper types to exports –
• Avoid throwing on client side –
• Export organization plugin types –
• Pathname should be normalized when basePath is set to root –
• Prematurely deleting active sessions in secondary storage –
• Make sure non-chunked session data cookie is cleared –
• Array field handling across adapters and schema generation –
• StoreStateStrategy default to database if provided –
• Should always remove 2FA verification token after successful verification –
• Prevent stateless refresh with database configured –
• Revert token masking in listSessions route –
• Compatible with openapi 3.1 –
• Properly merge updated data in account cookie –
• Preserve = padding in parsed cookies –
• Unify SSO/OAuth account linking and add domain-based org assignment to all sign-in flows –
• Respect BETTER_AUTH_TRUSTED_ORIGINS env variable –
• Delete verifications with hooks –
• Respect IP headers in dev/test environments –
• Trusted origins resolving –
• Update-user breaking during stateless auth –
• Export necessary adapter types –
• Use operator in list members where clause –
• Don't set state query param if state is not provided –
• Correct wildcard pattern matching for trustedOrigins –
• adapter:
  • Add logger creation in adapter factory –
  • Allow run internal adapter outside context –
  • Apply customTransformInput to where clause values –
• admin:
  • Clear admin session cookie on stopImpersonating –
• api-key:
  • Check metadata is enabled for api key update endpoint –
  • Prevent id update error with MongoDB adapter –
• auth:
  • Respect trustedOrigins when baseURL is inferred –
• cli:
  • secret generates empty –
  • Deduplicate drizzle schema relationships –
  • Cmd info --json unexpected exit with 1 –
  • Cmd info --json unexpected exit with 1 –
• client:
  • Set session data on refreshManager –
• cognito:
  • Use %20 encoding for scopes instead of + –
• core:
  • Allow returning null in getUserInfo in provider options –
• db:
  • Correctly unwrap validator result in schema parsing –
• deps:
  • Update dependency next to v16.0.7 [security]
  • Update dependency @react-email/components to v1
• expo:
  • Add missing matcher paths –
• generic-oauth:
  • Ensure encryptOAuthTokens is respected in account linking flow –
• kysely:
  • Wrong affected row count in updateMany & deleteMany –
• line:
  • Enforce nonce –
• magic-link:
  • Handle query params in errorCallbackUrl –
• oidc:
  • Compatibility with exact-optional-property –
• openapi:
  • Mark /get-session response as nullable –
• organization:
  • Validate role existence in inviteMember endpoint –
  • Allow internal organization creation when disabled for client –
• passkey:
  • Use deleteVerificationByIdentifier instead of deleteVerificationValue –
• prisma:
  • Use findFirst instead of findMany for findOne –
• prisma-adapter:
  • Extract id to root level for delete operations –
• saml:
  • Enforce trusted provider check –
  • Remove signature validation bypass –
• sso:
  • Safely parse provider configs on registration –
  • Deprecate trustEmailVerified –
  • Enforce domain verification in assignOrganizationByDomain –
• stripe:
  • Update subscriptionId to use Stripe id –
• username:
  • Await username validator –

🏎 Performance

---

• Add index on organizations slug field –

    View changes on GitHub

Dec 14, 2025

v1.4.7

Dec 14, 2025

🚀 Features

---

• admin:
  • Add support role with permissions for user updates and enforce role change validation –
• one-time-token:
  • Support setting session cookie on ott verify –
• phone-number:
  • Add password length validation for reset functionality –
• saml:
  • Assertion timestamp validation with per-provider clock skew –
• sso:
  • Add InResponseTo validation –
  • Add OIDC discovery –
  • Add URL normalization and validation to all discovery URLs –

🐞 Bug Fixes

---

• Prevent stateless refresh with database configured –
• api-key: Check metadata is enabled for api key update endpoint –
• line: Enforce nonce –
• saml: Remove signature validation bypass –

🏎 Performance

---

• Add index on organizations slug field –

    View changes on GitHub

Dec 9, 2025

v1.4.6

Dec 9, 2025

🚀 Features

---

• Add ctx.isTrustedDomain helper –
• Drizzle pg supports JSON –
• Add Refresh Token Support to Kick OAuth Provider –
• admin: Prevent impersonating admins by default [breaking] –
• expo: Last-login-method client plugin –
• multi-session: Allow to infer additional fields –
• organization: Allow invited users to see organization name –
• sso: Use domain verified flag to trust providers automatically –

🐞 Bug Fixes

---

• Avoid throwing on client side –
• Export organization plugin types –
• Prematurely deleting active sessions in secondary storage –
• Pathname should be normalized when basePath is set to root –
• Make sure non-chunked session data cookie is cleared –
• Array field handling across adapters and schema generation –
• StoreStateStrategy default to database if provided –
• Should always remove 2FA verification token after successful verification –
• adapter:
  • Add logger creation in adapter factory –
  • Allow run internal adapter outside context –
• admin:
  • Clear admin session cookie on stopImpersonating –
• cli:
  • secret generates empty –
  • Deduplicate drizzle schema relationships –
• core:
  • Allow returning null in getUserInfo in provider options –
• db:
  • Correctly unwrap validator result in schema parsing –
• deps:
  • Update dependency next to v16.0.7 [security]
  • Update dependency @react-email/components to v1
• kysely:
  • Wrong affected row count in updateMany & deleteMany –
• magic-link:
  • Handle query params in errorCallbackUrl –
• oidc:
  • Compatibility with exact-optional-property –
• openapi:
  • Mark /get-session response as nullable –
• prisma:
  • Use findFirst instead of findMany for findOne –
• saml:
  • Enforce trusted provider check –
• sso:
  • Safely parse provider configs on registration –
• username:
  • Await username validator –

    View changes on GitHub

Nov 30, 2025

v1.4.4

Nov 30, 2025

🚀 Features

---

• cli: Better-auth-command –
• scim: Add support to parse custom scim+json media type –

🐞 Bug Fixes

---

• Customizing fields should be optional for rate limit options –
• Chunk account data cookie when exceeding limit –
• Remove applying user-agent by default –
• Additional fields default values should apply when creating session –
• Return null early if userid isn't defined –
• logger: Log level priority –
• mcp: Return origin url as authorization server –
• multi-session: Endpoints breaks with invalid signatures –
• oidc-provider: Resolve getSignedCookie return type –

    View changes on GitHub

Nov 26, 2025

v1.4.3

Nov 26, 2025

🚀 Features

---

• Add Vercel as OAuth provider –
• Add support for trusted proxy headers in base URL inference –

🐞 Bug Fixes

---

• Support @tanstack/solid-start in tanstackStartCookies plugin " –
• open-api: Clean up incorrect null type in OpenAPI –
• two-factor: Remove incorrect blocking logic in OTP setup and verification –

    View changes on GitHub