better-auth

Bug Fixes

• Fixed SIWE verification to bind the signed message to server state before creating a session, preventing acceptance of signatures produced for a different message, earlier nonce, or unrelated domain.
• Fixed PayPal ID token verification to validate the signature, issuer, audience, expiration, and nonce against PayPal's JWKS (RS256) or client secret (HS256), rejecting tokens that pass only structural checks.
• Fixed Google hd (hosted domain) enforcement to verify the hd claim on the verified ID token and callback profile, preventing accounts outside the configured Workspace domain from signing in.
• Fixed verifyAccessToken remote introspection to reject tokens with a missing or mismatching aud claim
• Fixed the admin plugin to enforce permissions on role, ban, and email fields in /admin/create-user and /admin/update-user, and prevent data from overriding protected fields. (#9974)
• Fixed email sign-in and sign-up to validate Origin and Referer headers against trustedOrigins even when requests carry no cookies. (#9973)
• Fixed /update-session to reject plugin-managed fields (activeOrganizationId, activeTeamId, impersonatedBy) with a 400 error
• Fixed /update-session and account token routes to immediately reject deleted sessions when cookie cache is enabled alongside database or secondary storage. (#9967)
• Fixed /refresh-token to only trust the account cookie when its userId, providerId, and accountId match the resolved session user.
• Fixed generic OAuth sign-in to reject sign-ins when no account ID can be resolved from the provider response, preventing account collisions on providers that omit sub.
• Fixed createInvitation and acceptInvitation to validate that all requested team IDs belong to the invitation's organization, preventing cross-organization team membership.
• Fixed the JWKS cache to be scoped per verification source with a TTL, preventing key cross-contamination when verifying tokens against multiple issuers simultaneously.
• Fixed the Reddit provider to stop storing oauth_client_id as the user email, preventing all users of the same app from sharing a single email address
• Fixed Facebook token verification to validate tokens against the configured app via the debug_token endpoint, requiring is_valid, a matching app_id, and a client secret for direct sign-in.

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed the token endpoint to enforce per-client grant types, preventing clients registered only for authorization_code from requesting client_credentials tokens.
• Fixed /oauth2/continue to derive post-login gate completion from a server-issued session marker rather than the client-submitted postLogin flag.
• Fixed token introspection to require an azp claim and a valid client on JWT access tokens, preventing session JWTs from being reported as active access tokens.

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAML AuthnRequest handling to consume the request atomically, preventing replay attacks on concurrent requests. (#9972)
• Fixed SSO provider IDs to be isolated from the OAuth/social account-linking namespace, preventing unintended account linking when an SSO provider ID matches a trusted OAuth provider name.
• Fixed OIDC endpoint validation to reject server-side requests resolving to non-publicly-routable addresses, protecting against SSRF on token, userinfo, and JWKS endpoints.

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed API key verification to persist only the fields it mutates rather than the full record, preventing concurrent disables, permission changes, or expiry updates from being reverted by an in-flight verification.
• Fixed /api-key/create to verify the session against the authoritative store with disableCookieCache: true, preventing revoked sessions from being accepted within the cookie-cache window.

For detailed changes, see CHANGELOG

@better-auth/electron

Bug Fixes

• Fixed Electron auth transfers to require S256 PKCE at both minting and exchange, rejecting plain and missing code_challenge_method values.

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

• Fixed SCIM user provisioning to return 409 when a user with the same email already exists unless linkExistingUsers is set, changed org-scoped DELETE to deprovision the user rather than delete the global account, and added canGenerateToken to control SCIM token creation.

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.15...v1.6.16

better-auth

Bug Fixes

• Fixed the listSessions endpoint to properly enforce fresh-age session checks (#9865)
• Fixed unbanUser, setRole, and adminUpdateUser to return USER_NOT_FOUND instead of a generic 500 when the target user does not exist (#9875)
• Fixed Kysely migration constant import path to restore Kysely 0.28 and 0.29 compatibility (#9811)
• Improved cookie regex character ranges for more accurate cookie parsing (#9879)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Features

• Added POST support to the /oauth2/userinfo endpoint, allowing the access token to be passed in the Authorization header (#9937)

Bug Fixes

• Fixed hooks.before and hooks.after to run correctly when OAuth authorization resumes after sign-in, account selection, or consent (#9919)

For detailed changes, see CHANGELOG

@better-auth/kysely-adapter

Bug Fixes

• Fixed Turbopack build failures by inlining migration table constants, also restoring compatibility with Kysely 0.28 and 0.29 (#9933)

For detailed changes, see CHANGELOG

@better-auth/passkey

Features

• Added automatic resolution of authenticator names from AAGUID, exposing getAuthenticatorName(aaguid) and commonAuthenticatorNames so passkeys can display a friendly provider name like "1Password" or "Google Password Manager" (#9927)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed ERR_SUBJECT_UNCONFIRMED errors caused by clockSkew not being forwarded to samlify's ServiceProvider when validating SAML responses (#9748)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.14...v1.6.15

better-auth

Bug Fixes

• Fixed Google One Tap authenticating the wrong user when the presented Google account was already linked to a different local user.
• Fixed null values being rejected for optional fields in the generated database schema (#9841)
• Fixed getSessionCookie to prefer the __Secure- prefixed cookie over a non-secure leftover, preventing a stale cookie from shadowing the current session (#9806)
• Fixed redirect URI validation to work on all supported runtimes and to reject URIs containing a fragment component per RFC 6749 §3.1.2 (#9845)
• Fixed organization invitation verification to restore the normal emailed-invitation flow while enforcing stricter email verification for externally controlled or predictable invitation IDs (#9877)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAML Single Logout leaving the user signed in due to the logout handlers matching the session by ID instead of token.

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.13...v1.6.14

better-auth

Features

• Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

• Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
• Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
• Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
• Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
• Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
• Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAML Single Logout leaving the user signed in due to session deletion matching on row ID instead of session token
• Fixed ambiguous internalAdapter helper methods that could silently match the wrong account or wipe all sessions for a user (#9818)
• Fixed a high-severity XML injection vulnerability in signed SAML assertions by updating samlify to 2.13.1 (GHSA-34r5-q4jw-r36m) (#9821)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed verifyApiKey rejecting keys created under a non-default configId when the request omitted configId (#9794)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

• Fixed a silent failure in consumeOne when an adapter's deleteMany returned a non-numeric value, now surfacing a clear error (#9831)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

• Fixed sign-in being lost on Expo when a provider issues large tokens, by splitting oversized account cookies across multiple storage keys (#9815)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed POST /oauth2/register bypassing the clientPrivileges create check, allowing unauthorized dynamic client registration (#9837)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.12...v1.6.13

better-auth

Bug Fixes

• Fixed field index ordering in getMigration migrations. (#9691)
• Fixed synthetic user construction to exclude extra fields. (#9347)
• Fixed session cookie refresh headers not being forwarded when resolving sessions. (#9667)
• Fixed changeEmail to return an error when emailVerification.sendVerificationEmail is missing, and URL-encoded callbackURL in verify-email links. (#9614)
• Fixed callbackURL URL-encoding in verify-email links for OAuth account linking and username sign-in. (#9792)
• Fixed role.authorize to reject empty action lists and correctly evaluate OR conditions on unknown resources. (#9603)
• Fixed missing exports of AdminClientOptions and OrganizationClientOptions. (#9642)
• Fixed email OTP sign-in failing with captcha errors under default captcha settings. (#9596)
• Fixed parseJSON to properly decode escape sequences in quoted strings. (#9617)
• Fixed cookie parsing to tolerate missing spaces after `
• Fixed getTrustedOrigins to respect the dynamic baseURL protocol option. (#9644)
• Fixed request mutation by cloning the request before passing it to the sendVerificationEmail callback. (#9619)
• Added accessTokenExpiresIn config option to genericOAuth for providers that omit expires_in in their token response. (#9799)
• Fixed oauth-proxy to forward specific error codes instead of collapsing all errors into user_creation_failed. (#9723)
• Fixed oauth-proxy flows failing with state_mismatch when production and preview environments use different secrets. (#9385)
• Fixed OAuth callback errors to forward specific error codes (state_not_found, state_invalid, state_mismatch) instead of the generic please_restart_the_process code. (#9788)
• Fixed OAuth state validation failures to redirect to the per-flow errorCallbackURL instead of the default error page. (#9789)
• Fixed OpenAPI schema generation to emit unique operationIds for endpoints that expose multiple HTTP methods. (#9721)
• Fixed organization invitations silently routing users to the wrong team when team IDs contained a comma. (#9616)
• Fixed deleteOrganization and removeMember to roll back on failure instead of leaving orphaned rows. (#9630)
• Fixed stateless session cache refresh to preserve the real session expiry instead of resetting it. (#8817)
• Fixed a session cookie leak that allowed session_token and session_data cookies to be captured and replayed to bypass 2FA when cookie caching is enabled. (#9639)
• Fixed missing username validation on the admin createUser endpoint. (#9464)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed expired magic-link tokens and OAuth authorization codes to be reliably rejected, and corrected their error codes. (#9624)
• Fixed the registration_endpoint to be hidden from .well-known metadata unless dynamic client registration is enabled. (#9448)
• Fixed Basic Auth credential parsing to accept client_secret values containing colons. (#9601)
• Fixed the consent update endpoint to return NOT_FOUND when the referenced client no longer exists. (#9600)
• Fixed OAuth and OIDC metadata discovery for path-prefixed issuers. (#9668)

For detailed changes, see CHANGELOG

@better-auth/core

Features

• Added toCamelCase, toSnakeCase, toPascalCase, and toKebabCase utilities to @better-auth/core/utils/string. (#9727) –

Bug Fixes

• Fixed Sign in with Apple to accept hashed nonces for native iOS sign-in. (#8870)
• Fixed verifyAccessToken to return proper unauthorized errors for invalid token verification failures. (#9655)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed hook rejections in SSO OIDC and SAML callbacks to redirect to errorCallbackURL instead of returning a JSON error. (#9702)
• Updated XML parser dependency to a patched release to resolve security alerts. (#9662)
• Fixed SSO OIDC callback to URL-encode error values in redirect query strings. (#9722)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

• Fixed the Drizzle adapter dropping OR clauses when mixed with AND conditions in where queries. (#9756)
• Fixed MySQL insert-return handling with a robust cascading fallback strategy wrapped in a transaction. (#9665)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

• Fixed a crash when passkey transports is undefined. (#9746)
• Fixed passkey challenges to be consumed atomically, preventing replay attacks, and improved error status codes for failed registrations and authentications. (#9622)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed TypeScript TS4023 declaration emit errors by adding better-call as a peer dependency. (#9759)

For detailed changes, see CHANGELOG

@better-auth/electron

Bug Fixes

• Fixed cookie serialization to percent-encode values containing special characters like `

For detailed changes, see CHANGELOG

@better-auth/kysely-adapter

Bug Fixes

• Fixed SQLite introspectors (BunSqliteDialect, NodeSqliteDialect) incorrectly reporting tables as views. (#9615)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

• Improved URL normalization and Stripe search query escaping to handle edge cases correctly. (#9661)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.11...v1.6.12

better-auth

Bug Fixes

• Added an error code to the change-email-disabled response to help clients identify the rejection reason (#8948)
• Fixed access-control role statement types so predefined organization roles expose only their configured permissions in TypeScript (#9507)
• Fixed the anonymous plugin to correctly call onLinkAccount when email verification triggers auto sign-in (#9548)
• Fixed device authorization to bind pending codes to the verifying session, preventing any authenticated user from approving or denying another user's device code (#9573)
• Fixed a race condition in the magic-link plugin that allowed concurrent requests to mint multiple sessions from the same single-use token (#9572)
• Fixed the oidc-provider and mcp plugins to require client_secret for confidential clients on refresh token grants and use constant-time secret comparison (#9576)
• Hardened oidc-provider and mcp plugins to follow OAuth 2.1: removed "none" from advertised signing algorithms, defaulted plain PKCE off, and rejected incomplete PKCE parameters (#9575)
• Fixed an invitation takeover vulnerability by enabling requireEmailVerificationOnInvitation by default and extending the verification gate to getInvitation and listUserInvitations (#9577)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed a race condition in the OAuth authorization-code grant that allowed concurrent token-exchange requests to mint multiple token sets from the same authorization code
• Fixed a race condition in OAuth refresh-token rotation that allowed concurrent requests to fork refresh token families, and added a unique constraint on oauthRefreshToken.token
• Fixed OAuth account linking to require a verified local email before linking an OAuth identity to a local account (#9578)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

• Fixed an invalid import list in the instrumentation module (#9582)
• Widened advanced.ipAddress.ipv6Subnet to accept any valid IPv6 prefix length (0-128) instead of a narrow set of values (#9545)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

• Fixed session cleanup to run when admin, anonymous, or SCIM operations delete a user (#9162)
• Fixed generateSCIMToken to reject providerId values that collide with built-in account providers, preventing tokens from authenticating against unintended accounts (#9579)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SSO provider registration to require an org admin or owner role, preventing any organization member from registering providers (#9220)
• Fixed an SSRF vulnerability by validating user-supplied OIDC endpoint URLs against a public-routable host allowlist at provider registration and update (#9574)

For detailed changes, see CHANGELOG

auth

Features

• Added an atomic claimOne adapter primitive for consuming database rows without race conditions (#9560)

Bug Fixes

• Renamed the claimOne adapter primitive to consumeOne and added internalAdapter.consumeVerificationValue for atomically consuming verification rows (#9568)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed API key rate-limited responses to return HTTP 429 instead of 401, so clients can distinguish throttling from authentication failures (#9505)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.10...v1.6.11

better-auth

Bug Fixes

• Exposed refreshUserSessions on the internal adapter (#7764)
• Fixed organization invitation roles to accept dynamic access control roles (#9437)
• Improved link accessibility (#9521)
• Fixed incorrect email casing in one-tap, email-otp, and email-verification flows (#9369)
• Fixed OpenAPI schema for POST /sign-in/social mis-declaring required fields (#9268)
• Added a warning when the cookie plugin is placed last in the plugins array (#9484)
• Fixed useSession not revalidating after admin impersonation starts or stops (#9402)
• Fixed duplicate Set-Cookie headers being emitted on redirect responses from social sign-in and magic-link endpoints (#9497)
• Fixed the bearer plugin writing duplicate cookie entries when merging the session token into request headers (#9387)
• Fixed captcha plugin breaking the email-otp flow (#8339)
• Fixed email enumeration protection not applying when emailAndPassword.autoSignIn is false (#8839)
• Fixed a TypeError caused by non-ASCII characters in OAuth error descriptions on redirect (#9065)
• Renamed internalAdapter.deleteAccount parameter from accountId to id to reflect that it queries by primary key (#9503)
• Fixed OAuth callbacks accepting a missing provider account ID, which could link accounts under an undefined id (#9456)
• Fixed cancelPendingInvitationsOnReInvite having no effect, where re-inviting the same email always returned USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION (#9453)
• Fixed a TS2742 type error caused by missing re-exports when using additionalFields in the organization plugin (#9349)
• Fixed useActiveMemberRole retaining a previous user's role after sign-out in SPA flows (#9440)
• Fixed setActiveTeam to only accept teams from the currently active organization (#9239)
• Added authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint (#9461)
• Fixed callbackURL being ignored on signIn.username, so it now redirects correctly like signIn.email (#9475)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed sessionId typing in refresh token types to be optional, matching the schema (#9324)
• Fixed stale prompt=login consent continuations not completing after a forced login
• Exported OAuth provider helper types needed for portable downstream TypeScript declaration emit (#9406)
• Fixed prompt=login not being honored after consent continuation, preventing session bypass (#9344)
• Added database indexes to OAuth provider foreign-key fields in generated schemas (#9389)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

• Fixed onSubscriptionUpdate to receive the raw stripeSubscription object, and fixed onSubscriptionCancel to receive the post-update subscription row instead of a stale snapshot (#9354)
• Fixed getCheckoutSessionParams overriding internally managed Stripe Checkout Session fields such as success_url, cancel_url, customer, and line_items (#9481)
• Fixed onSubscriptionDeleted, onTrialEnd, and onTrialExpired receiving a stale pre-update subscription snapshot instead of the post-update row (#9356)
• Fixed getCheckoutSessionParams overriding free trial and internal metadata, which could hide trial periods and create duplicate subscription rows on webhook (#9474)
• Renamed internal subscription webhook variables for clarity (#9355)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed api.verifyApiKey not validating the key's configId against the request body (#9393)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

• Fixed Cloudflare Workers instrumentation imports to use a no-op entry when OpenTelemetry is not installed (#9395)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

• Fixed passkey autofill authentication to return a handled cancellation instead of an unhandled error when it cannot start (#9429)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed /sso/saml2/sp/metadata throwing NOT_FOUND for providers configured via defaultSSO (#9398)

For detailed changes, see CHANGELOG

auth

Bug Fixes

• Fixed auth init generating broken MySQL and PostgreSQL Kysely database configs (#9455)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.9...v1.6.10

better-auth

Bug Fixes

• Fixed mapProfileToUser fallback for OAuth providers that may omit email from their profile response (#9331)
• Fixed support for passing id through beforeCreateTeam and beforeCreateInvitation hooks (#9253)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed authorization flows that do not include a state parameter (#9328)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

• Fixed incompatibility with TypeScript's exactOptionalPropertyTypes compiler option (#9270)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.7...v1.6.8

better-auth

Features

• Added support for an array of client IDs as the ID token audience in social providers (#9292)

Bug Fixes

• Fixed response headers being lost when an APIError is thrown (#9211)
• Fixed browser and edge runtime errors by serving a no-op ./instrumentation module in those environments (#9281)
• Fixed a crash when parsing OAuth2 state with an undefined request body (#9293)
• Fixed callbackOnVerification not being called when updatePhoneNumber is enabled (#4894)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed the userinfo endpoint to read the Authorization header from request context when using auth.api (#9244)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

• Fixed passkey authentication verification not returning the user (#5209)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.6...v1.6.7

better-auth

Bug Fixes

• Fixed preservation of the Partitioned attribute when forwarding Set-Cookie headers (#9235)
• Fixed boolean coercion for the disableRefresh query parameter in custom session validation (#9214)
• Fixed incorrect inference of team additional fields in the organization plugin (#9266)
• Added support for removing a phone number via updateUser({ phoneNumber: null }) (#9219)

For detailed changes, see CHANGELOG

@better-auth/core

Features

• Added mapConcurrent, a bounded-concurrency async utility, at @better-auth/core/utils/async (#9227) –

Bug Fixes

• Made @opentelemetry/api an optional peer dependency (#9111) –

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Improved performance by running secondary-storage API key lookups in parallel (#9187)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

• Fixed session loading to read cached data from SecureStore on app startup, eliminating the login screen flash for returning users (#8953)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed several SSRF vulnerabilities by unifying host classification and closing loopback bypass vectors across packages (#9226)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed an ESM/CJS compatibility issue when loading samlify (#9262)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.5...v1.6.6

better-auth

Features

• Added support for Stripe SDK v21 and v22 (#9084)

Bug Fixes

• Fixed incorrect operationId for the requestPasswordResetCallback endpoint in the OpenAPI spec (#9072)
• Fixed dynamic baseURL resolution from request headers for direct auth.api calls (#9113)
• Fixed isMounted race condition that caused excessive requests per second in the client (#9078)
• Fixed nullable schema for the get-session endpoint in the OpenAPI 3.1 spec (#8389)
• Fixed checkout and upgrade flows to omit quantity for metered prices (#8926)
• Fixed 2FA enforcement to trigger on all sign-in paths, including magic-link, OAuth, passkey, email-OTP, and SIWE (#9122)
• Fixed backup code updates to respect the configured storeBackupCodes storage strategy after verification (#7231)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Features

• Added customTokenResponseFields callback for injecting custom fields into token endpoint responses, and hardened authorization code validation (#9118)

Bug Fixes

• Hardened dynamic baseURL resolution for direct auth.api calls and plugin metadata helpers (#9131)
• Fixed unauthenticated dynamic client registration to silently override confidential auth methods to public, improving compatibility with MCP clients (#9123)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed multiple SAML response processing bugs, including ACS URL generation, encryption field handling, and provider config parsing (#9097)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

• Fixed prototype pollution vulnerability when merging user-supplied metadata in the Stripe plugin (#9164)

For detailed changes, see CHANGELOG

auth

Bug Fixes

• Fixed tsconfig path alias resolution for extended configs and mid-path wildcards in the CLI (#9032)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.2...v1.6.3

better-auth

❗ Breaking Changes

• Prevented unverified TOTP enrollment from blocking sign-in (#8711)

Migration: Schema migration required.

Add the verified column to the twoFactor table, then regenerate/apply your ORM migration.

• Prisma: run npx auth@latest generate, then npx prisma migrate dev (or npx prisma db push) and npx prisma generate.
• Drizzle: run npx auth@latest generate, then npx drizzle-kit generate and npx drizzle-kit migrate.

Existing rows do not need a backfill because the column defaults to true.

Features

• Included enabled 2FA methods in sign-in redirect response (#8772)

Bug Fixes

• Fixed OAuth state verification against cookie-stored nonce to prevent CSRF (#8949)
• Fixed infinite router refresh loops in nextCookies() by replacing cookie probe with header-based RSC detection (#9059)
• Fixed cross-provider account collision in link-social callback (#8983)
• Included RelayState in signed SAML AuthnRequests (#9058)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed multi-valued query params collapsing through prompt redirects (#9060)
• Rejected skip_consent at schema level in dynamic client registration (#8998)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAMLResponse decoding failures caused by line-wrapped base64 (#8968)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.6.1...v1.6.2

Blog post: Better Auth 1.6

better-auth

❗ Breaking Changes

• Aligned freshAge calculation with session creation time instead of update time (#8762)

Migration: session.freshAge now calculates from createdAt. Set session: { freshAge: 0 } to disable the check entirely.

Features

• Added experimental OpenTelemetry instrumentation for endpoints, hooks, middleware, and database operations (#8027)
• Added resendStrategy option to reuse existing OTP in email-otp plugin (#8560)
• Added enable option for HaveIBeenPwned plugin (#8728)
• Added request metadata to sendMagicLink callback (#8571)
• Added dedicated secret option to OAuth proxy to reduce shared key exposure (#8699)
• Added explicit organizationId parameter in team endpoints (#5062)
• Added WeChat social provider (#5189)
• Added twoFactorPage config option for custom 2FA page routing (#5329)

Bug Fixes

• Deprecated oidc-provider plugin in favor of @better-auth/oauth-provider (#8985) –
• Fixed access control indexing type (#8155)
• Added origin check middleware to password reset request (#8392)
• Fixed account cookie comparison to use provider accountId instead of internal id (#8786)
• Fixed session id generation when using secondary storage without database (#8927)
• Fixed skipOriginCheck array handling (#8582)
• Fixed misleading rate limit IP warning (#8617)
• Passed user field through idToken sign-in body for Apple name support (#8417)
• Preserved custom session fields on focus refresh (#8354)
• Fixed double encoded cookie (#8133)
• Prevented revoked sessions from being restored via database fallback (#8708)
• Resolved duplicate operationId in admin plugin endpoints (#8570)
• Rethrew phone sendOTP failures instead of silently swallowing them (#8842)
• Set stateless cookieCache maxAge to match session.expiresIn (#8648)
• Threw on duplicate email when autoSignIn: false without requireEmailVerification (#8521)
• Fixed accountInfo endpoint to use accountId instead of internal id (#8346)
• Restored deprecated createAdapter and type exports for backwards compatibility (#8461)
• Fixed Response return for HTTP request contexts (#7521)
• Fixed throw: true handling in client session refresh (#8610)
• Preserved stale session data on network or server errors (#8437)
• Fixed bundler re-export type resolution with direct imports (#8261)
• Fixed Set-Cookie header splitting with lookahead heuristic (#8301)
• Prioritized generateId: "uuid" over adapter customIdGenerator (#8679)
• Fixed date string revival in safeJSONParse for pre-parsed objects (#8248)
• Fixed postgres migration to use CREATE INDEX (#8538)
• Triggered sessionSignal after requesting email change in email-otp (#8816)
• Fixed generic-oauth to use discovery userinfo endpoint instead of hardcoded URLs (#8223)
• Normalized missing resolver path in last-login-method plugin (#8589)
• Returned additional fields in /magic-link/verify (#7223)
• Fixed OAuth proxy to read callback params from body for form_post (#8895)
• Fixed double-hashing of OAuth state when storeIdentifier is hashed (#8980)
• Fixed redirect_uri validation for prompt=none in oidc-provider (#8398)
• Opted into FedCM to suppress Google GSI deprecation warnings (#8720)
• Filtered null organizations in listUserInvitations (#8694)
• Fixed multi-role user handling in invite and member removal checks (#8442)
• Enforced authorization on SCIM management endpoints and normalized passkey ownership checks (#8843)
• Allowed passwordless users to manage 2FA (#7243)
• Wired twoFactorTable option to schema modelName (#8443)
• Prevented any from collapsing auth.$Infer and client inference types (#8981)
• Fixed updateUser to not overwrite unrelated username fields (#7570)
• Enforced username uniqueness in updateUser (#8731)
• Used non-blocking scrypt for password hashing to avoid blocking the event loop (#8685)

For detailed changes, see CHANGELOG

@better-auth/sso

❗ Breaking Changes

• Enabled InResponseTo validation by default for SP-initiated SAML flows (#8736)

Migration: Set sso({ saml: { enableInResponseToValidation: false } }) to restore the previous behavior.

Features

• Added logging for OIDC callback code validation failures (#8693)

Bug Fixes

• Patched transitive node-forge vulnerability via samlify pin (#8838)
• Fixed bare domain handling in domain verification (#8369)
• Preferred UserInfo endpoint over ID token and mapped sub claim correctly (#8276)
• Fixed provisionUser inconsistency and added provisionUserOnEveryLogin option (#8818)
• Skipped state cookie check for SAML ACS cross-site POST (#8735)
• Fixed verification operations to use internalAdapter (#8353)
• Fixed ESM compatibility with namespace import for samlify (#8697)

For detailed changes, see CHANGELOG

@better-auth/mongo-adapter

❗ Breaking Changes

• Stored UUIDs as native BSON UUID type (#8681)

Migration: New documents use native BSON UUIDs. Existing string UUIDs continue to work. No data migration required.

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Features

• Added pairwise subject identifiers (OIDC Core Section 8) (#8292)
• Added public client prelogin endpoint (#8214)

Bug Fixes

• Allowed localhost subdomains in isLocalhost function (#8286)
• Fixed fetch redirect CORS after login (#8519)
• Allowed customIdTokenClaims to override standard claims (#7865)
• Enforced DB-backed sessions when secondary storage is enabled (#8894)
• Fixed dist declaration type errors (#8701)
• Fixed dynamic baseURL config handling in init (#8649)
• Improved allowed paths for oauth_query in client plugin (#8320)
• Allowed customIdTokenClaims to override acr and auth_time (#8633)
• Normalized auth_time timestamps across adapter shapes (#8761)
• Returned JSON redirects from post-login OAuth continuation to fix CORS-blocked 302s (#8815)
• Fixed PAR scope loss, loopback redirect matching, and DCR skip_consent (#8632)
• Added prompt=none support (#8554)

For detailed changes, see CHANGELOG

@better-auth/stripe

Features

• Added customizable prorationBehavior per plan (#8525)

Bug Fixes

• Improved organization customer search by adding customerType check (#8609)
• Replaced {CHECKOUT_SESSION_ID} placeholder in success callbackURL (#8568)
• Returned correct priceId for annual subscriptions in list (#8810)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Features

• Added case-insensitive query support (mode: "insensitive") (#8556)

Bug Fixes

• Fixed Drizzle adapter failing date transformation (#8289)
• Used IS NULL / IS NOT NULL for null value comparisons (#8660)

For detailed changes, see CHANGELOG

@better-auth/expo

Features

• Exposed plugin version field on all built-in plugins (#8750)

Bug Fixes

• Fixed shim require issue (#8253)
• Fixed origin override handling across mutable and immutable requests (#8405)

For detailed changes, see CHANGELOG

@better-auth/prisma-adapter

Bug Fixes

• Moved adapter packages to dependencies to fix missing module errors (#8401)
• Used updateMany fallback for non-unique updates (#8524)
• Used deleteMany when deleting by non-unique field (#8314)

For detailed changes, see CHANGELOG

auth

Features

• Migrated MCP server URL to mcp.better-auth.com (#8747)

Bug Fixes

• Fixed path alias resolution from extended tsconfig files (#8520)
• Treated omitted required as true in Drizzle and Prisma generators (#8614)

For detailed changes, see CHANGELOG

@better-auth/electron

Bug Fixes

• Fixed verification operations with secondary storage (#8247)
• Handled safeStorage encryption failures gracefully (#8530)

For detailed changes, see CHANGELOG

@better-auth/passkey

Features

• Added pre-auth registration and WebAuthn extensions support (#7154)

Bug Fixes

• Fixed error message strings in passkey client (#8751)

For detailed changes, see CHANGELOG

@better-auth/test-utils

Features

• Exported adapter test suites from @better-auth/test-utils/adapter (#8564) –

Bug Fixes

• Removed using keyword for runtime compatibility (#8756)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed turbo caching, enforced lockfile integrity, and expanded pre-commit hooks (#8892)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

• Stopped marking redirect APIErrors as span errors in OpenTelemetry traces (#8850)

For detailed changes, see CHANGELOG

@better-auth/kysely-adapter

Bug Fixes

• Removed deprecated numUpdatedOrDeletedRows from D1 dialect (#8798)

For detailed changes, see CHANGELOG

@better-auth/telemetry

Bug Fixes

• Used conditional exports to replace dynamic import hacks (#8458)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

Full changelog: v1.5.6...v1.6.0

   🚀 Features

• Agent auth plugin –
• core: Add experimental opentelemetry instrumentation –
• email-otp: Add resendStrategy option to reuse existing OTP –
• magic-link: Add request metadata to sendMagicLink –
• mongo-adapter: Store UUIDs as native BSON UUID –
• oauth-provider: Public client prelogin endpoint –
• organization: Explicit organizationId in team endpoints –
• social-provider: Add wechat social provider –
• stripe: Allow customizable prorationBehavior per plan –
• test-utils: Export adapter test suites from @better-auth/test-utils/adapter –
• two-factor: Add twoFactorPage in config –

   🐞 Bug Fixes

• Handle skipOriginCheck array –
• Prevent revoked sessions from being restored via database fallback –
• api:
  • Return Response for HTTP request contexts –
• client:
  • Handle throw:true in session refresh –
• core:
  • Prioritize generateId "uuid" over adapter customIdGenerator –
• docs:
  • Improve AI chat security and cleanup –
  • Add missing Encore icon to sidebar icons –
• electron:
  • Handle safeStorage encryption failures gracefully –
• oauth-provider:
  • Support prompt=none –
  • Improve allowed paths for oauth_query for client plugin –
  • Fix dist declaration type errors –
• organization:
  • Filter null organizations in listUserInvitations –
• sso:
  • Use namespace import for samlify to fix ESM compatibility –
• stripe:
  • Replace {CHECKOUT_SESSION_ID} placeholder in success callbackURL –
  • Improve organization customer search by adding customerType check –

    View changes on GitHub

   🚀 Features

• oauth-provider: Pairwise subject identifiers (OIDC Core §8) –

   🐞 Bug Fixes

• Pass user field through idToken sign-in body for Apple name support –
• Add missing SubpageItem properties for docs-sidebar compatibility –
• Add icon prop to SubpageLink component –
• Correct sign-in link to dash.better-auth.com –
• Restore features.tsx and align import with canary –
• Add suppressHydrationWarning to video elements –
• Preserve custom session fields on focus refresh –
• Throw on duplicate email when autoSignIn: false without requireEmailVerification –
• Add origin check middleware to password reset request –
• adapters: Restore deprecated createAdapter and type exports for backcompat –
• blog: Fix RSS feed link path, image path and blog date –
• cli: Resolve path aliases from extended tsconfig files –
• client: Preserve stale session data on network or server errors –
• db: Use CREATE INDEX for postgres migration –
• oauth-provider: Avoid fetch redirect CORS after login –
• oidc-provider: Validate redirect_uri for prompt=none –
• organization: Handle multi-role users in invite and member removal checks –
• prisma-adapter: Fall back to updateMany for non-unique updates –
• sso: Handle bare domains in domain verification –
• telemetry: Use conditional exports to replace dynamic import hacks –
• two-factor: Wire twoFactorTable option to schema modelName –

    View changes on GitHub