All of the changes made will be available here.

Better Auth is the most comprehensive authentication framework for TypeScript that provides a wide range of features to make authentication easier and more secure.

DocumentationGitHubCommunity

BETTER-AUTH.

v1.4.18

🚀 Features

  • Add disableImplicitLinking to accountLinking – @Paola3stefania @himself65
  • Mark /forget-password/email-otp as deprecation – @bytaesu
  • device-authorization:
    • Add user id checks – @himself65
  • one-tap:
    • Add button mode for Google sign-in – @himself65
  • sso:
    • Support multi-domain providers – @Paola3stefania
    • Add provider list and detail endpoints – @Paola3stefania @himself65

🐞 Bug Fixes

  • Correctly handle OAuth callback and Apple email field – @bytaesu
  • Centralize cookie parsing and handle Expires dates correctly – @bytaesu @cursoragent @himself65
  • Refresh account_data cookie when session is refreshed – @bytaesu @himself65
  • Remove duplicate secondary storage writes from setSessionCookie – @bytaesu
  • Set default logger level to "warn" – @bytaesu @cursoragent
  • Respect the explicitly set sendOnSignUp option – @bytaesu
  • Handle serial and false cases in generateId – @bytaesu
  • Log error when misconfigured – @himself65
  • Update google oauth endpoints – @bytaesu
  • Consistent api version for facebook provider – @bytaesu
  • Check jsconfig.json in getPathAliases – @jycouet
  • 2fa:
    • Server-side trust device expiration and configurable maxAge – @Paola3stefania @himself65
  • anonymous:
    • Export types – @CalLavicka @himself65
  • cli:
    • Use inkeep remote mcp url – @Bekacru
    • Update MCP URL from Chonkie to Inkeep – @Paola3stefania
  • core:
    • Consolidate rateLimit table schema definition – @bytaesu
  • email-otp:
    • Add stricter default rate limits for password reset endpoints – @bytaesu
  • expo:
    • Prevent null cookie key when redirect URL has no cookie param – @bytaesu
    • Prevent duplicate listener notifications in FocusManager and OnlineManager – @kimchi-developer @himself65
  • github:
    • Surface OAuth token exchange errors – @Paola3stefania
  • mcp:
    • Remove local mpc – @Paola3stefania
  • multi-session:
    • Prevent duplicate cookies when same user signs in multiple times – @Paola3stefania @himself65
  • oauth-provider:
    • Properly handle metadata field in client registration – @Paola3stefania
  • okta:
    • Userinfo route mismatch – @psigen
  • organization:
    • Filter returned: false fields from API responses – @Paola3stefania @himself65
  • saml:
    • IdP-Initiated Callback Routing – @Paola3stefania
  • session:
    • Skip invalid sessions in list – @Paola3stefania @himself65
  • stripe:
    • Allow billing interval change for same plan – @bytaesu
    • Find active subscription correctly when upgrading – @bytaesu

🏎 Performance

  • Fix infinite typecheck – @himself65
    View changes on GitHub

v1.4.17

🚀 Features

  • two-factor: Add twoFactorCookieMaxAge as a separate option – @Bekacru

🐞 Bug Fixes

  • Set default ipv6 subnet to 64 – @himself65
  • cookies: Fallback to isProduction when baseURL is not set – @bytaesu
  • db: Only exclude returned: false fields from output schemas – @Paola3stefania
  • stripe: Allow re-subscribing to the same plan when subscription has expired – @DIYgod @bytaesu
  • two-factor: Improve OTP comparision during hashed and encrypted values – @Bekacru
    View changes on GitHub

v1.4.16

🚀 Features

  • admin: Make password field optional on create user – @Bekacru @cursoragent

🐞 Bug Fixes

  • oauth: Set account cookie on re-login when updateAccountOnSignIn is false – @bytaesu
  • organization: Missing activeTeamId field when dynamic access control is enabled – @longnguyen2004 @himself65 @ping-maxwell
  • rate-limit: Support IPv6 address normalization and subnet – @himself65
    View changes on GitHub

v1.4.15

🐞 Bug Fixes

  • Update TanStack imports to use server subpath – @himself65
  • client: Deep merge plugin actions to preserve all methods – @gustavovalverde
    View changes on GitHub

v1.4.14

🚀 Features

  • Add skipTrailingSlashes option to advanced config – @bytaesu
  • stripe: Add support for locale option to upgradeSubscription – @bytaesu

🐞 Bug Fixes

  • TanStack Start cookie plugins for React and Solid.js – @himself65
  • Centralize schema parsing for API responses – @bytaesu
  • Update Figma provider default scope and oauth endpoints – @bytaesu
  • Allow empty name on email sign-up – @jslno
    View changes on GitHub

v1.4.13

🚀 Features

  • core: Add version in AuthContext@himself65
  • integrations: Support both react and solid flavors of tanstack-start – @asterikx
  • mcp: Add setup_auth tool – @Paola3stefania
  • organization: Allow rejecting expired invites and filter pending invitations – @Bekacru
  • scim: Add Microsoft Entra ID SCIM Compatibility – @cemcevik @himself65

🐞 Bug Fixes

  • Should return dates for expiration fields – @ping-maxwell @himself65
  • Preserve attributes when expiring cookies – @bytaesu @himself65
  • expo: Fix cookie-based OAuth state with expo-authorization-proxy – @ruff-exec @bytaesu
  • organization: Infer endpoints when dynamic ac and teams enabled – @jslno
  • stripe: Add generic return type to getSchema for proper field inference – @bytaesu
    View changes on GitHub

v1.4.12

🚀 Features

  • oauth: Add custom authorizationEndpoint option – @bytaesu

🐞 Bug Fixes

  • anonymous: Define delete-anonymous-user path method – @ping-maxwell
  • client: Add refetch to useSession for all clients – @Paola3stefania
  • core: Remove dual module warning – @himself65
  • session: Prevent duplicate tokens in active sessions list – @theonlypal @bytaesu @himself65
    View changes on GitHub

v1.4.11

🚀 Features

  • Add auth.api.verifyPassword@SaviruFr @himself65
  • anonymous: Delete anonymous user endpoint – @ping-maxwell
  • generic-oauth: Add Gumroad login support – @ptaberg @himself65
  • saml: Reject SAML responses containing multiple assertions – @Paola3stefania
  • stripe: Enhance stripe plugin with organization customer support – @bytaesu

🐞 Bug Fixes

  • Filter null values from dynamic trusted origins – @bytaesu @himself65
  • Call hooks on change-email-verification flow – @bytaesu
  • Clean up expired rate-limit entries on memory storage – @ping-maxwell
  • Set Location header on redirected responses – @GautamBytes @ping-maxwell
  • anonymous:
    • Prevent Convex cleanup from deleting fresh sessions – @RodrigoRafaelSantos7 @ping-maxwell
  • api-key:
    • Remove strict length pre-check in verifyApiKey@GautamBytes @ping-maxwell
    • Remove double stringify/parse of metadata field – @xiaoyu2er @ping-maxwell @himself65
    • Log key verification errors – @ping-maxwell @himself65
  • core:
    • Detect dual module error – @himself65
    • Separate CSRF and origin checks – @Paola3stefania @himself65
  • docs:
    • Correct tos and policy types in oauth-provider – @GautamBytes @ping-maxwell
  • email-otp:
    • Call afterEmailVerification hook on verification – @GautamBytes
  • email-verification:
    • Sending email verification of another user fails with EMAIL_ALREADY_VERIFIED – @ping-maxwell
  • mcp:
    • Restore ctx.query from cookie in OAuth flow – @bytaesu
  • one-tap:
    • Respect user dismiss actions in prompt retry logic – @bytaesu
  • open-api:
    • Correctly infer type for ZodDefault fields – @MuzzaiyyanHussain
  • organization:
    • Use opts pattern to enable hook injection – @bytaesu
  • passkey:
    • Add error logs during client verification error – @ping-maxwell
  • prisma-adapter:
    • Lift eq AND conditions to root so update detects unique where field – @ping-maxwell
  • stripe:
    • Improve error handling and subscriptionSuccess route – @bytaesu
    • Pass metadata to subscription object in upgrade method – @bytaesu
    • Prevent duplicate subscription creation when a subscription already exists – @bytaesu
  • two-factor:
    • Prisma issue – @okisdev @Bekacru @ping-maxwell
    • Add missing POST endpoints to client pathMethods – @theonlypal
    View changes on GitHub

v1.4.10

🚀 Features

  • Support form data for email sign-in/sign-up and fallback to checking fetch Metadata for first login – @Paola3stefania @bytaesu @jonathansamines
  • expo:
    • Add webBrowserOptions to openAuthSessionAsync – @himself65
  • saml:
    • Add XML parser hardening with configurable size limits – @Paola3stefania
  • stripe:
    • Flexible subscription cancellation and termination management – @bytaesu @GautamBytes
    • Handle customer.subscription.created webhook event – @bytaesu @himself65
    • Add disableRedirect option for subscription and billing – @himself65

🐞 Bug Fixes

  • Correct accountLinking default to true@bytaesu @himself65
  • Add supportsArrays to memory and mongodb adapters – @bytaesu
  • Sync updateSession changes to secondary storage and active-sessions list – @Ridhim-RR @bytaesu
  • admin:
    • Custom role type inference – @bytaesu
    • UserId check in /has-permission@himself65
  • anonymous:
    • Missing path breaks anonymous hooks – @ping-maxwell @himself65
  • api:
    • Chain plugin onRequest hooks properly – @bytaesu
  • client:
    • Prevent duplicate signal processing in atom listeners – @himself65
    • Apply rate limit focus refetch regardless of session state – @bytaesu @himself65
  • expo:
    • Improve parseSetCookieHeader@bytaesu
  • oauth-provider:
    • Support jwksPath – @dvanmali
    • Only session db store currently supported – @dvanmali
  • oauth-proxy:
    • Point provider requests to production and fix cookie handling in non-HTTPS environments – @bytaesu
  • organization:
    • Remove unnecessary type re-export – @bytaesu
  • passkey:
    • Use data.id instead of challengeId in deleteVerificationValue – @GautamBytes
  • stripe:
    • Add 'subscription/restore' to pathMethods – @bytaesu
    • Prevent trial abuse by checking all user subscriptions – @GautamBytes @himself65
    View changes on GitHub

v1.4.9

🚀 Features

  • Add ctx.isTrustedDomain helper – @jonathansamines
  • Drizzle pg supports JSON – @dvanmali
  • Add Refresh Token Support to Kick OAuth Provider – @CesarRodrigu
  • Add additionalFields option in verification table schema – @noctarius
  • Add patreon social provider – @Spuffynism
  • Add a global backgroundTasks config option to defer actions like sending email and updates to run after response is sent – @nexxeln @Bekacru
  • admin:
    • Prevent impersonating admins by default [breaking] – @jslno @Bekacru
    • Add support role with permissions for user updates and enforce role change validation – @Bekacru
  • expo:
    • Last-login-method client plugin – @jslno @himself65
  • multi-session:
    • Allow to infer additional fields – @jslno
    • Allow to infer additional fields " – @Bekacru
  • oauth-provider:
    • An oauth 2.1 compliant plugin – @dvanmali
  • oauth-proxy:
    • Add expirty timestamp for encrypted tokens – @Bekacru
  • one-time-token:
    • Support setting session cookie on ott verify – @Bekacru
  • organization:
    • Allow invited users to see organization name – @GautamBytes
  • phone-number:
    • Add password length validation for reset functionality – @Bekacru
  • saml:
    • Assertion timestamp validation with per-provider clock skew – @Paola3stefania
    • Validate SAML crypto algorithms during initial phase – @Paola3stefania
    • Enforce one-time use of SAML assertions – @Paola3stefania
    • Reject deprecated SAML signature and digest algorithms – @Paola3stefania
    • Reject deprecated SAML signature and digest algorithms – @Paola3stefania
  • sso:
    • Use domain verified flag to trust providers automatically – @Paola3stefania
    • Add InResponseTo validation – @Paola3stefania
    • Add OIDC discovery – @Paola3stefania @Bekacru
    • Add URL normalization and validation to all discovery URLs – @jonathansamines @Paola3stefania @Bekacru

🐞 Bug Fixes

  • Add helper types to exports – @himself65
  • Avoid throwing on client side – @landoncolburn @Bekacru
  • Export organization plugin types – @pffigueiredo
  • Pathname should be normalized when basePath is set to root – @Bekacru
  • Prematurely deleting active sessions in secondary storage – @DevDuki
  • Make sure non-chunked session data cookie is cleared – @Bekacru
  • Array field handling across adapters and schema generation – @ping-maxwell @Bekacru
  • StoreStateStrategy default to database if provided – @himself65
  • Should always remove 2FA verification token after successful verification – @delfortrie
  • Prevent stateless refresh with database configured – @Bekacru
  • Revert token masking in listSessions route – @bytaesu
  • Compatible with openapi 3.1 – @himself65
  • Properly merge updated data in account cookie – @jslno
  • Preserve = padding in parsed cookies – @Shridhad
  • Unify SSO/OAuth account linking and add domain-based org assignment to all sign-in flows – @Paola3stefania
  • Respect BETTER_AUTH_TRUSTED_ORIGINS env variable – @Paola3stefania
  • Delete verifications with hooks – @jonathansamines
  • Respect IP headers in dev/test environments – @bytaesu
  • Trusted origins resolving – @Bekacru
  • Update-user breaking during stateless auth – @ping-maxwell
  • Export necessary adapter types – @himself65
  • Use operator in list members where clause – @Diabl0570
  • Don't set state query param if state is not provided – @paoloricciuti
  • Correct wildcard pattern matching for trustedOrigins@bytaesu
  • adapter:
    • Add logger creation in adapter factory – @ping-maxwell
    • Allow run internal adapter outside context – @himself65
    • Apply customTransformInput to where clause values – @erquhart @ping-maxwell
  • admin:
    • Clear admin session cookie on stopImpersonating@jslno
  • api-key:
    • Check metadata is enabled for api key update endpoint – @Bekacru
    • Prevent id update error with MongoDB adapter – @balbuzar
  • auth:
    • Respect trustedOrigins when baseURL is inferred – @Paola3stefania
  • cli:
    • secret generates empty – @himself65
    • Deduplicate drizzle schema relationships – @ping-maxwell
    • Cmd info --json unexpected exit with 1 – @himself65
    • Cmd info --json unexpected exit with 1 – @himself65
  • client:
    • Set session data on refreshManager – @himself65
  • cognito:
    • Use %20 encoding for scopes instead of + – @nathannewyen
  • core:
    • Allow returning null in getUserInfo in provider options – @Zollerboy1
  • db:
    • Correctly unwrap validator result in schema parsing – @GautamBytes
  • deps:
    • Update dependency next to v16.0.7 [security]
    • Update dependency @react-email/components to v1
  • expo:
    • Add missing matcher paths – @bytaesu
  • generic-oauth:
    • Ensure encryptOAuthTokens is respected in account linking flow – @DevanAbinaya
  • kysely:
    • Wrong affected row count in updateMany & deleteMany – @jslno
  • line:
    • Enforce nonce – @Bekacru
  • magic-link:
    • Handle query params in errorCallbackUrl – @martinriviere
  • oidc:
    • Compatibility with exact-optional-property – @ping-maxwell
  • openapi:
    • Mark /get-session response as nullable – @GautamBytes
  • organization:
    • Validate role existence in inviteMember endpoint – @GautamBytes
    • Allow internal organization creation when disabled for client – @GautamBytes
  • passkey:
    • Use deleteVerificationByIdentifier instead of deleteVerificationValue – @bytaesu
  • prisma:
    • Use findFirst instead of findMany for findOne – @Bekacru
  • prisma-adapter:
    • Extract id to root level for delete operations – @ping-maxwell
  • saml:
    • Enforce trusted provider check – @Paola3stefania
    • Remove signature validation bypass – @Paola3stefania
  • sso:
    • Safely parse provider configs on registration – @Paola3stefania @Bekacru
    • Deprecate trustEmailVerified – @Paola3stefania
    • Enforce domain verification in assignOrganizationByDomain – @Paola3stefania
  • stripe:
    • Update subscriptionId to use Stripe id – @bytaesu
  • username:
    • Await username validator – @jslno

🏎 Performance

  • Add index on organizations slug field – @matteobad
    View changes on GitHub