Oct 7, 2025
🐞 Bug Fixes
- Session update database hook should expect partial session type –

- Deprecate `options.advanced.generateId` type –

- Api keys should properly check if a request is from client or server –

- Improve username transformation logic –

- api-key:
  - Shouldn't issue api key a mock session by default –

- organization:
  - Prevent empty name and slug in create/update –

- sso:
  - OIDC scopes should fallback to provider scopes –

  - Add deprecated flag to the old `sso` plugin export –

- stripe:
  - Throw error if event failed to be constructed –

- telemetry:
  - Avoid async import if telemetry disabled, fix for esbuild –

- url:
  - Handle empty and root path in withPath, prevent double slashes, add tests –

Oct 3, 2025
🐞 Bug Fixes
- [security] api keys should properly check if a request is from client or server –

- api-key: Shouldn't issue api key a mock session by default –

Oct 2, 2025
🚀 Features
- Additional fields on account –

- Add support for custom callback for token url –

- captcha: Add support for CaptchaFox –

- cli: Add mcp client configs from `cli` –

🐞 Bug Fixes
- Support compressed ipv6 format –

- Add required constraint to slug field in org plugin –

- Use consistent messaging on `requestPasswordReset` –

- Cookie size limit shouldn't throw error –

- Handle symbols in proxy get trap to prevent TypeError –

- Ttl for rate limited secondary storage –

- adapter:
  - Use updated field values in WHERE clause during update –

  - Foreign keys that are nullable on number ids can return string of `null` –

- api-key:
  - Correct refill interval time calculation –

- client:
  - Add lynx client exports –

- device-authorization:
  - Fix client error type for deny device –

- last-login-method:
  - Custom resolver method default logic –

- oauth-proxy:
  - Should skip state check for oauth proxy –

- oidc:
  - Properly enforce consent requirements per OIDC spec –

- org:
  - Update type to include undefined –

- sso:
  - Safe json parsing for saml/oidc configs –

  - Prevent duplicate SSO provider creation with same providerId –

- stripe:
  - Update with an existing subscription –

  - Sync customer email on db change –

  - `getCustomerCreateParams` not actually being called –

🏎 Performance
- Lazy load create telemetry –

Sep 30, 2025
🚀 Features
- Add support for custom callback for authorization url –

🐞 Bug Fixes
- Refresh secondary storage sessions on user update –

- cli: Timestamp in schema for Drizzle with SQLite –

- db: `onDelete` is ignored –

- deps: Update dependency @nanostores/react to v1
🏎 Performance
- Improve type `Auth` –
Sep 28, 2025
🐞 Bug Fixes
- `getSession` shouldn't expose `options` and `path` types –
Sep 25, 2025
🐞 Bug Fixes
- Ttl sessions list expiration –

- Tests failing due to clock drift –

- Moved email verification check after password check –

- cli: DefaultNow is deprecated in schema for Drizzle with SQLite –

- custom-session: Don't overwrite the `Set-Cookie` header –

- email-otp: Call reset password callback –

Sep 24, 2025
🚀 Features
- sso: Provide default service provider metadata –

🐞 Bug Fixes
- nuxt: Avoid load env base url for SSR –

Sep 23, 2025
No significant changes
Sep 23, 2025
🐞 Bug Fixes
- types: Include null in getSession return type –

Sep 22, 2025
🚀 Features
- passkey: Allow multiple passkey origins –

- sso: DefaultSSO options and ACS endpoint –

🐞 Bug Fixes
- Wrap `Math.floor` around the division when calculating TTL –

- api-key:
  - Calling client on server side –

- mcp:
  - Missing Content-Type header for mcp DCR –

- organization:
  - Pass `ctx` to DB hooks –

  - Allow passing id through `beforeCreateOrganization` –

- username:
  - Username should respect send on sign config –

Sep 19, 2025
🚀 Features
- Add `returnHeaders` to `getSession` –

- last-login-method: Update OAuth login method tracking for multiple auth type –

🐞 Bug Fixes
- client: BaseURL is undefined for SSR –

- organization: Remove `autoCreateOnSignUp` option as it's not implemented yet –

- passkey: Remove `email` from query –
Sep 18, 2025
🚀 Features
- discord: Allow specification of permissions –

- email-otp: Allow returning undefined in `generateOTP` –
🐞 Bug Fixes
- Device authorization plugin –

- Reduce any type in generator.ts –

- Refresh secondary storage sessions on user update –

- Allow disable database transaction –

- adapter:
  - Returning null as string for optional id references –

- api-key:
  - Cascade api keys on user deletion –

- create-adapter:
  - Disable transaction by default –

- organization:
  - Decouple client and server permission checks –

  - Membership check for organizations with large member counts –

- stripe:
  - OnCustomerCreate should be called even if update user isn't returned –

Sep 16, 2025
🚀 Features
- Flip emailVerified when link the account –

🐞 Bug Fixes
- Check if user exists before banning the user –

- Timestamp issues in kysely –

- Respect `errorCallbackURL` in failed oauth flows –

- plugins: Asynchronous `init` –

Sep 15, 2025
Maintenance update: We fixed lots of issues from the community. Thanks to everyone for contributing to better-auth.
🚀 Features
- Add getActiveRoleMember –

- Database transaction support –

- logger: Option to disable colors –

- passkey: Error codes in passkey client –

- sqlite: Remove autoincrement for SQLite –

🐞 Bug Fixes
- Ignore cookiecache on auth sensitive functions –

- Custom field for `refreshTokenExpiresAt` –

- Return local IP in development mode –

- Make cookie cache respect `dontRememberMe` mode –

- Normalize zod imports –

- Check endpoint conflicts respect `method` –

- Respect username validator –

- Set clientId in ProviderOptions to `unknown` by default –

- Pick the first clientId for oauth provider –

- Remove use of `global.crypto` –

- Should infer types correctly when empty list of plugins is provided –

- Correct MongoDB adapter import path in CLI –

- Make sure fetch function doesn't get called repeatedly on `onMount` –

- Prevent lastLoginMethod plugin from setting cookie on failed auth –

- admin:
  - Change the order of role and user id check when both are provided on userHasPermission –

- anonymous:
  - Prevent false positive error on first anonymous sign-in –

- cli:
  - `info` shows the correct version –

  - Add missing JSON type to schema generation –

- demo:
  - Update forgot password link to /forget-password –

- docs:
  - Remove duplicated RFC compliance mention –

- expo:
  - `window.crypto` is undefined –

  - Missing peer deps –

- lastLoginMethod:
  - Inherit cross-subdomain cookie settings in lastLoginMethod plugin –

- memory-adapter:
  - Should respect where connector –

- multi-session:
  - Multi-session cookie name preface preventing multiple accounts signed in –

- one-time-token:
  - Typo and clean –

- organization:
  - `checkRolePermission` shouldn't be a promise –

  - Member and team hooks should apply on create organization –

  - Before org create hooks not applying customized data –

  - [security] updateOrgRole should check for userId properly –

  - Restrict role check by user id –

- prisma:
  - Handle optional field relation types correctly –

- stripe:
  - Properly resolve plans by lookup keys –

  - Subscription is created without completing payment –

  - Prevent multiple free trials for same user –

  - Use correct request method for billing-portal –

- tiktok:
  - Remove `client_secrect` from authorizationUrl –

- username:
  - Add missing normalization –

  - Sign in should work with post normalization –

- vue:
  - Correct baseURL –
