🚀 Features
- Bypass transaction with async local storage - by @himself65 in #4711 (52af6)
- Add `returnHeaders` to `getSession` - by @frectonz in #3983 (19d4b)
- Waku integration guide - by @rmarscher in #3990 (3e75a)
- Add support for custom callback for authorization url - by @Bekacru in #4919 (78506)
- Additional fields on account - by @dvanmali in #4935 (bf0ac)
- Add support for custom callback for token url - by @acusti in #5027 (6bb94)
- Enum support for drizzle schema - by @himself65 in #5287 (fd780)
- Nextjs 16 guide - by @Kinfe123 and @himself65 in #5296 (8db97)
- Add `storeStateStrategy` - by @himself65 and Copilot in #5470 (b5f3b)
- Enhance PostgreSQL support for non-public schema by respecting `search_path` configuration - by @okisdev in #5449 (bef33)
- Add polar oauth provider - by @ephraimduncan in #5506 (4b075)
- Session store chunking - by @himself65 and Copilot in #5645 (0aa6d)
- Stateless session management - by @Bekacru, Copilot, @ping-maxwell and @himself65 in #5601 (afce9)
- Esm only - by @himself65 in #5703 (b6977)
- Implement automatic server-side IP detection - by @GautamBytes in #5695 (06e8c)
- Async import in `getAdapter` - by @himself65 in #5722 (10249)
- Improved API error page - by @ping-maxwell and @Bekacru in #5272 (f9964)
- Add request state - by @himself65 in #5742 (cea5b)
- Add support for uuids - by @Bekacru in #5809 (4ac34)
- Auto-index CLI - by @ping-maxwell and @Bekacru in #5357 (af6eb)
- Expose additional http methods - by @jonathansamines and @Bekacru in #5754 (956e2)
- `better-auth/minimal` - by @bytaesu and @Bekacru in #5704 (1ebc6)
- Add support for custom response status codes - by @jonathansamines and @Bekacru in #5806 (fa595)
- Support pass raw function as middleware - by @himself65 in #5888 (48a20)
- Support pass raw function as middleware " - by @himself65 in #5888 (a391a)
- Adapter join support - by @ping-maxwell in #5730 (f5bbb)
- Refactor fetch plugins config disableDefaultFetchPlugins to include userAgentPlugin - by @kaandok and @himself65 in #6020 (8e754)
- Utilize database joins across better-auth - by @ping-maxwell in #6004 (e9f5b)
- Support storing account data in a cookie - by @Bekacru in #6013 (06606)
- Adding support for SCIM provisioning - by @jonathansamines in #5685 (ffa29)
- Add support for organization slug on list members - by @Bekacru in #5862 (31a81)
- anonymous:
- captcha:
- cli:
- Add mcp client configs from `cli` - by @Kinfe123 and @himself65 in #4872 (70cb4)
- Support Cloudflare Workers virtual module imports - by @chhoumann in #5559 (cf050)
- client:
- Refetch session when browser state changes - by @himself65 and Copilot in #5630 (522cf)
- Add type helper `AuthClient` - by @himself65 in #5815 (7caa2)
- Introduce `disableSignal` client option - by @ping-maxwell in #6108 (f4c43)
- core:
- Replace ZodType with `@standard-schema/spec` - by @himself65 in #5629 (36315)
- db:
- Delete hooks - by @Kinfe123 and @himself65 in #4792 (eb76a)
- device-authorization:
- Add verification uri - by @bytaesu and @himself65 in #5451 (8b2b6)
- discord:
- Allow specification of permissions - by @TheUntraceable and @Bekacru in #4717 (69c9b)
- docs:
- email-otp:
- Allow returning undefined in `generateOTP` - by @ping-maxwell in #4723 (8ac4f)
- expo:
- Support multiple cookie prefixes for better-auth detection - by @himself65 in #6080 (f5285)
- generic-oauth:
- jwt:
- Support custom adapter option for jwt - by @Bekacru in #5812 (10cee)
- Add JWT verification endpoint and refactor verification logic - by @himself65 in #6122 (18cf7)
- Add key rotation - by @Bekacru, Copilot and @Paola3stefania in #6147 (0bd9b)
- last-login-method:
- mongodb:
- Support string IDs over ObjectIDs - by @ping-maxwell and @ahmedriad1 in #5384 (0dfe6)
- oauth-proxy:
- oidc-provider:
- Add RP-Initiated Logout endpoint - by @himself65 and Copilot in #6094 (c9085)
- organization:
- Support createdAt on invitations - by @iRoachie and @himself65 in #2346 (fc321)
- Refactor organization schema to use BetterAuth types - by @himself65 in #5515 (a58f1)
- passkey:
- paybin:
- phone-number:
- plugin-openapi:
- Allow passing nonce for CSP - by @GautamBytes in #5751 (fa147)
- prisma:
- Enhance JSON default value handling for arrays and objects in schema generation - by @rovertrack in #5904 (09162)
- session:
- Use JWE for cookie cache by default - by @himself65 in #5510 (f654b)
- sso:
- DefaultSSO options and ACS endpoint - by @Kinfe123 and @Bekacru in #3660 (b3ead)
- Provide default service provider metadata - by @dvanmali in #4866 (e892a)
- Add option to provide login hint - by @tnkuehne and Copilot in #5283 (6f231)
- Add domain verification for SSO providers - by @jonathansamines and @ping-maxwell in #5910 (da965)
- stripe:
🐞 Bug Fixes
- Device authorization plugin - by @bytaesu in #4695 (b9cbd)
- Device authorization plugin - by @bytaesu in #4695 (c3001)
- Reduce any type in generator.ts - by @himself65 in #4710 (0770c)
- Refresh secondary storage sessions on user update - by @frectonz in #4522 (ea89d)
- Allow disable database transaction - by @himself65 in #4733 (a8776)
- Wrap `Math.floor` around the division when calculating TTL - by @DevDuki, Dusan Misic, ping-maxwell and @himself65 in #4768 (14b9e)
- Ttl sessions list expiration - by @dvanmali in #3836 (57e04)
- Tests failing due to clock drift - by @dvanmali in #4915 (63ca1)
- Refresh secondary storage sessions on user update - by @frectonz in #4522 (ccc7c)
- Refresh secondary storage sessions on user update - by @frectonz in #4522 (f1b0a)
- Support compressed ipv6 format - by @Velka-DEV in #4982 (d8f11)
- Add required constraint to slug field in org plugin - by @bytaesu in #4989 (0581a)
- Use consistent messaging on `requestPasswordReset` - by @Eazash in #5014 (2f94b)
- Cookie size limit shouldn't throw error - by @Bekacru and @himself65 in #5031 (72ecc)
- Handle symbols in proxy get trap to prevent TypeError - by @zbeyens and @himself65 in #4924 (8d46c)
- Ttl for rate limited secondary storage - by @dvanmali in #4961 (f246d)
- Properly encode callback url for email verification - by @Bekacru in #5052 (41d2e)
- Session update database hook should expect partial session type - by @Bekacru in #5056 (ade06)
- Deprecate `options.advanced.generateId` type - by @himself65 (48249)
- Api keys should properly check if a request is from client or server - by @Bekacru (2e236)
- Refactor account deletion functions to trigger database hooks - by @xuchenhao001 in #5114 (dade3)
- Improve username transformation logic - by @ping-maxwell in #5115 (b2a9e)
- Ensure falsy values are valid default values - by @ocherry341 in #5182 (03d62)
- Import `node:async_hooks` directly - by @himself65 in #5198 (0717e)
- Undeclared variable reference on docs - by @Kinfe123 in #5235 (6d6df)
- Argument `where` of type TwoFactorWhereUniqueInput needs at least one of `id` arguments - by @AlexStrNik in #5180 (2dab4)
- Mobile ai search responsiveness - by @Kinfe123 in #5269 (08d95)
- Type compatibility with `exactOptionalPropertyTypes` - by @Kinfe123 and @himself65 in #5236 (f2723)
- Remove deprecated `ssoClient` export from client plugin - by @Kinfe123 in #5307 (ee229)
- GetAccessToken refresh should properly refresh when oauth tokens are encrypted - by @bsklaroff in #5094 (16236)
- Resolve custom URL scheme origin matching with wildcards - by @AntonVishal and antonvishal in #5248 (82de6)
- Respect additionalFields returned config for user data when setting cookie cache - by @ahmed-abdat and @Bekacru in #5327 (a048f)
- Correct type `HookEndpointContext` and `InternalContext` - by @himself65 in #5359 (89475)
- Add optional chaining for process.platform - by @bytaesu in #5390 (f547d)
- User-agent requirement when fetching from clients - by @dvanmali in #5420 (5deb8)
- Unused peer dependency - by @himself65 in #5465 (3a343)
- Rename `sha` to `branch` and made it `canary` by default - by @max-programming in #5491 (5bc26)
- Remove deprecated forgetPassword endpoints - by @bytaesu in #5455 (7b62d)
- Respect onAPIError.errorURL in OAuth callback flow - by @GautamBytes and @ping-maxwell in #5523 (9c51f)
- Call db hooks when calling `deleteUser` - by @ping-maxwell in #5553 (216dc)
- Allow user update to handle additional fields and validation - by @Bekacru (9c508)
- Missing email validation - by @ahmedriad1 and @ping-maxwell in #5593 (bf8e9)
- Urls without protocol shouldn't be able to satisfy a wildcard origin - by @Bekacru in #5624 (8b355)
- Use standard validator - by @himself65 in #5627 (285e3)
- Add `undefined` type for optional property types - by @himself65 in #5654 (b6d40)
- Type mismatch for 'banned' on UserWithRole - by @GautamBytes in #5701 (6d7e3)
- Delete duplicate email existence check in changeEmail endpoint - by @DevDuki and Dusan Misic in #5699 (c6241)
- Add missing userId in listAccounts response - by @bytaesu in #5731 (9d4ef)
- Trigger use session on revoke sessions - by @Bekacru in #5761 (e62d3)
- `string[]` inference for additionalFields - by @GautamBytes in #5778 (414d0)
- Unsanitized endpoints provided dates will cause DB insert failure - by @ping-maxwell and @Bekacru in #5042 (5c8dd)
- Update hooks return should merge with original data - by @Bekacru in #5852 (0d41f)
- Don't trigger session refresh on magic-link sign-in - by @ping-maxwell in #5221 (e843e)
- Treat generateId "serial" as numeric ID and correct UUID column types across adapters - by @ping-maxwell in #5823 (705f7)
- Validate baseURL protocol and improve error messages - by @dmmulroy in #5902 (1c0ac)
- Use `ctx` over `request` in plugin options - by @ping-maxwell in #5944 (448d7)
- Use `identity` instead of `serial` for pg schema - by @ping-maxwell in #5943 (b3927)
- Zoom refresh token - by @borgoat in #5992 (0eb6b)
- `/change-email` should trigger session signal - by @ping-maxwell in #6025 (3abc8)
- Resolve SESSION_IS_NOT_FRESH error with cookieCache - by @GautamBytes in #6031 (c4ee4)
- Preserve provided string IDs in the MongoDB adapter when they are not valid ObjectId - by @udnes99 in #6033 (8a5df)
- GenericOAuth and SSO ignore discoveryUrl for authorization - by @GautamBytes in #6057 (99e57)
- Remove active session requirement for change email verification - by @Bekacru in #6106 (4d2a8)
- adapter:
- Returning null as string for optional id references - by @jslno in #4713 (23b87)
- Use updated field values in WHERE clause during update - by @QuintenStr and @ping-maxwell in #5004 (c8f47)
- Foreign keys that are nullable on number ids can return string of `null` - by @ping-maxwell in #5036 (68608)
- Ensure transaction function is implemented in the adapter - by @himself65 in #5046 (246a2)
- Missing data type transformation on where clauses - by @ping-maxwell in #5158 (4b136)
- Inconsistent mongo `ends_with` query - by @ping-maxwell in #5160 (cd006)
- Kysely with `CamelCasePlugin` breaks for OIDC. - by @ping-maxwell in #5078 (e9157)
- Should not apply `defaultValue` during `find` calls - by @ping-maxwell in #5779 (97c97)
- Drizzle `deleteMany` result should be a number - by @ping-maxwell in #5682 (191f1)
- adapters:
- Mongodb id issue - by @okisdev and @ping-maxwell in #5686 (c4890)
- admin:
- Stricter body validation with the setUserPassword api - by @hieudien14310 and @ping-maxwell in #5075 (3b863)
- Validate admin role updates against the configured roles to prevent setting a non-existent role - by @hieudien14310 in #4842 (dda1e)
- anonymous:
- Provide `ctx` on accountLink - by @ping-maxwell in #5389 (0b0de)
- `isAnonymous` should default to false instead of null - by @ping-maxwell in #6026 (da374)
- api-key:
- Cascade api keys on user deletion - by @ping-maxwell in #4703 (d4e9c)
- Cascade api keys on user deletion - by @ping-maxwell in #4703 (c72c3)
- Calling client on server side - by @himself65 in #4777 (dda55)
- Correct refill interval time calculation - by @Pankaj3112 and @himself65 in #4871 (e2c3c)
- Shouldn't issue api key a mock session by default - by @Bekacru (e9342)
- Don't update the `lastRequest` when calling updateApiKey - by @ping-maxwell in #5318 (6c93c)
- Remove incorrect usage tracking in updateApiKey - by @ahmed-abdat and @Bekacru in #5325 (07d99)
- better-auth:
- Moved email verification check after password check - by @QuintenStr in #4835 (2f0f1)
- cli:
- client:
- BaseURL is undefined for SSR - by @himself65 in #4760 (a208c)
- Add lynx client exports - by @JagritGumber in #4950 (f556b)
- Missing isRefetching type in react `useSession` - by @ThibautCuchet in #5166 (af4a4)
- Ensure refetchInterval triggers active network request - by @GautamBytes and @himself65 in #6032 (9571c)
- cookie:
- core:
- create-adapter:
- Disable transaction by default - by @ping-maxwell in #4750 (64c5a)
- custom-session:
- db:
- deps:
- device-authorization:
- docs:
- drizzle:
- drizzle-adapter:
- Handle all operators in multiple `where` conditions - by @Kinfe123 and @ping-maxwell in #5311 (58ffd)
- email-otp:
- Call reset password callback - by @HoshangDEV in #4818 (9985d)
- Email-verification doesn't trigger session signal - by @ping-maxwell in #5219 (ff89e)
- Fix openapi schema for /email-otp/verify-email endpoint - by @jonathansamines in #5622 (4eac7)
- Prevent duplicate verification emails when override is enabled - by @ephraimduncan in #5794 (d0f61)
- Prevent user enumeration on email OTP - by @himself65 in #5050 (caf9c)
- Use constant time equal for equality checks - by @Bekacru in #6142 (cfc45)
- expo:
- Set-header retrigger `$sessionSignal` - by @himself65 in #5393 (2737f)
- Store normalized cookie name in storage - by @ping-maxwell in #5432 (2cf7d)
- Origin check failing due to null origin in expo - by @Bekacru in #5545 (e0382)
- Account linking flow on mobile - by @almadoro in #5836 (12db1)
- Clear peer dependence and flag optional - by @hyoban in #5881 (bf6f7)
- Enhance cookie detection for better-auth cookies - by @himself65 in #6074 (3c9fc)
- generic-oauth:
- gitlab:
- haveibeenpwned:
- last-login-method:
- Custom resolver method default logic - by @ThibautCuchet in #4821 (778bf)
- LastLoginMethod cookie is not set when using a generic oauth provider - by @nbifrye in #6016 (b54c2)
- Detect passkey login to set last used method - by @GautamBytes in #6154 (33e98)
- magic-link:
- mcp:
- mongodb:
- Mongodb findOneAndUpdate should return `.value` - by @Paola3stefania in #6139 (08077)
- multi-session:
- nuxt:
- Avoid load env base url for SSR - by @himself65 in #4887 (8e04b)
- oauth:
- Redirect to GET for POST method - by @himself65 in #5759 (2f029)
- oauth-proxy:
- oauth2:
- odic:
- Case when `prompt=login` - by @himself65 in #5848 (bafe1)
- Case when `prompt=login` " - by @himself65 in #5848 (abf76)
- odic-provider:
- Default options - by @himself65 and Copilot in #5945 (72191)
- oidc:
- Properly enforce consent requirements per OIDC spec - by @himself65 in #4974 (c471c)
- oidc-provider:
- OIDC token-type capitalization - by @yutaka5 and Yutaka in #5308 (dbfa7)
- Use consistent iat claim and allow configurable issuer - by @ephraimduncan and @himself65 in #5508 (7c3c4)
- Improve typing - by @himself65 in #5813 (e96e5)
- `oidc_login_prompt` not cleared after login - by @himself65 in #5912 (938ff)
- Change updated_at to be a UNIX numeric timestamp - by @ShobhitPatra and @himself65 in #4263 (5af1a)
- Fix opts order - by @himself65 in #5974 (96cf8)
- `oidc_login_prompt` not cleared after login " - by @himself65 in #5912 (4224a)
- Missing options - by @himself65 (0dc59)
- Implement proper OIDC prompt parameter handling - by @himself65, @Bekacru and Copilot in #5993 (3342d)
- Redirect to consent when scope changed - by @himself65 and Copilot in #6116 (e88ea)
- openapi:
- Add `operationId`s to routes - by @thomasmol, @ping-maxwell, @Bekacru and @TheUntraceable in #2107 (4817a)
- org:
- Use correct adapter during db transaction - by @himself65 in #4730 (4b83f)
- Update type to include undefined - by @himself65 in #5003 (61b44)
- organization:
- Decouple client and server permission checks - by @Bekacru in #4707 (2a4cd)
- Decouple client and server permission checks - by @Bekacru in #4707 (d9cbb)
- Membership check for organizations with large member counts - by @Badbird5907 and @himself65 in #4724 (6b6cc)
- Remove `autoCreateOnSignUp` option as it's not implemented yet - by @Bekacru in #4755 (bc325)
- Pass `ctx` to DB hooks - by @ping-maxwell in #4769 (76d2a)
- Allow passing id through `beforeCreateOrganization` - by @ping-maxwell in #4765 (c448a)
- Prevent empty name and slug in create/update - by @kira-1011 in #5100 (ba766)
- Certain parameters not showing in client types - by @ping-maxwell in #5214 (d382d)
- Prevent duplicate slug on organization update - by @kira-1011, @Bekacru, @ping-maxwell and @Kinfe123 in #5095 (5769e)
- Compatibility with declaration on tsconfig.json - by @himself65 and Copilot in #5334 (19f5c)
- Compatibility with `exactOptionalPropertyTypes` - by @himself65 in #5337 (b4a7e)
- Typecheck node exceeds the maximum length - by @himself65 in #5372 (4b5f6)
- Fix the schema type - by @himself65 in #5512 (eee94)
- RemoveTeamMember breaks for prisma - by @ping-maxwell in #5061 (2a021)
- Correct migration order when dynamicAccessControl is enabled - by @AntonVishal, @ping-maxwell and antonvishal in #5476 (b4145)
- Deleting member from org doesn't delete them from teams - by @ping-maxwell in #5063 (089e6)
- All endpoints should properly infer additional fields - by @ping-maxwell, @Bekacru and @ahmedriad1 in #3731 (9a722)
- ActiveOrgId no longer inferred after enabling dynamic AC - by @ping-maxwell in #6023 (37f5a)
- passkey:
- Remove `email` from query - by @himself65 in #4740 (481cb)
- Atom listeners not working - by @ping-maxwell in #5096 (57fcd)
- Passkey breaks with `throw: true` - by @ping-maxwell and @Bekacru in #5079 (ba86d)
- Wrong Session type being used on passkey - by @ouwargui in #5204 (fb2c6)
- Filter delete passkey with userId - by @Bekacru (06d68)
- Ensure addPasskey returns passkey data instead of undefined - by @mburumaxwell in #5736 (ef15b)
- phone-number:
- Shouldn't allow updating phone number on `/update-user` endpoint - by @ping-maxwell in #5833 (52624)
- session:
- Refresh cache before it expires - by @himself65 in #5528 (4edec)
- Persist additionalFields in cookie cache - by @Ridhim-RR in #5735 (51bd7)
- social-providers:
- Core module import - by @himself65 in #5643 (b963e)
- sso:
- Safe json parsing for saml/oidc configs - by @natetewelde and @himself65 in #4858 (d330a)
- Prevent duplicate SSO provider creation with same providerId - by @xiaoyu2er in #5033 (ddce2)
- OIDC scopes should fallback to provider scopes - by @Bekacru in #5071 (f34a9)
- Add deprecated flag to the old `sso` plugin export - by @Bekacru in #5138 (2a724)
- Move oauth2-mock-server dep into devDependencies for sso package - by @rbayliss in #5689 (21ca9)
- Use the internalAdapter for user queries to avoid skipping database hooks - by @hartbit in #5913 (f8b05)
- Respect disableImplicitSignUp in SAML callback - by @kanarian in #5966 (eb45c)
- Prevent server instance from leaking to client - by @rbayliss in #5994 (7800a)
- Export SSOProvider type - by @rbayliss in #5996 (7ed28)
- stripe:
- OnCustomerCreate should be called even if update user isn't returned - by @Bekacru in #4716 (f11d3)
- Update with an existing subscription - by @himself65 in #4988 (4388d)
- Sync customer email on db change - by @himself65 in #4995 (b0ec2)
- `getCustomerCreateParams` not actually being called - by @ebalo55 and @himself65 in #5019 (13872)
- Throw error if event failed to be constructed - by @Bekacru in #5088 (47f8e)
- Check for reference IDs inside during Stripe reference validation - by @Bekacru and cubic Bot in #5354 (a0107)
- Stripe error codes should be returned from the plugin - by @Bekacru in #5371 (bae3c)
- Remove TS error suppression updating getCheckoutSessionParams - by @mohebifar in #5602 (77beb)
- Prevent duplicate customer creation on signup - by @bytaesu in #5847 (15a7e)
- Return updated subscription in onSubscriptionUpdate callback - by @bytaesu and @Bekacru in #5819 (e5cce)
- Throw error if query.referenceId is defined - by @Bekacru (20940)
- Cancel subscription fails with Prisma - by @ping-maxwell in #6174 (3422d)
- telemetry:
- Avoid async import if telemetry disabled, fix for esbuild - by @erquhart in #5086 (6aa0c)
- Avoid async import if telemetry disabled, fix for esbuild " - by @himself65 in #5086 (3d8f3)
- test:
- Use async import for db - by @himself65 in #5708 (31108)
- two-factor:
- Return parsed array in viewBackupCodes - by @ahmed-abdat in #5174 (255fb)
- Backup codes shouldn't be encrypted twice - by @Bekacru in #5202 (13018)
- Avoid GET endpoints with body - by @jonathansamines and @Bekacru in #5792 (4a664)
- Incorrect reference for server only actions - by @okisdev in #5796 (fe547)
- Improve error message for bad totp code in 2FA setup - by @DevDuki and Dusan Misic in #5826 (437ca)
- Trust device token refresh - by @gregtjack, Dylan Vanmali, @Bekacru and @ping-maxwell in #3318 (90afe)
- Use constant time equal for otp comparison - by @Bekacru in #6176 (65f30)
- types:
- url:
- username:
- Username should respect send on sign config - by @QuintenStr in #4799 (a788b)
- Compatibility with `exactOptionalPropertyTypes` - by @himself65 in #5313 (af03d)
- vk:
🏎 Performance
- Improve type `Auth` - by @himself65 in #4930 (350cc)
- Lazy load create telemetry - by @himself65 in #5007 (0385c)
- Lazy load create telemetry " - by @himself65 in #5007 (7f54b)