Beter Auth Release Notes

🚀 Features

• Support accepting callback for trusted providers function - by @Siumauricio and @Paola3stefania in #7904 (07d21)

electron:

• Fetch user image securely regardless of csp - by @jslno in #7844 (1e18d)
• Allow manual token exchange & add sanitizeUser option - by @jslno in #7976 (7306c)

🐞 Bug Fixes

• Add error handling for id token verification in Apple and Google providers - by @Paola3stefania in #8011 (bcf76)

db:

• Infer default value for required attr properly - by @jslno in #7996 (cec49)

oauth-provider:

• Return url instead of uri in continue and consent endpoints - by @bytaesu in #7811 (88e1e)
• Add missing oauthClient createdAt/updatedAt values - by @dvanmali in #7851 (30d17)
• Return "invalid_client" on encrypted secret verification failure - by @bytaesu in #8030 (9f791)

phone-number:

• Reset password should create credential account - by @jslno, @bytaesu, Taesu and @Bekacru in #6862 (d241f)

stripe:

• Use correct stripeCustomerId on /subscription/cancel/callback endpoint - by @bytaesu in #8032 (76d9b)

View changes on GitHub

Original source Report a problem

🚀 Features

• Support infer init context - by @himself65 in #7923 (0eec0)
• Auth cli - by @jslno in #7964 (cf832)
• email-otp:
• Support name, image and additionalFields in /sign-in/email-otp endpoint - by @bytaesu in #7876 (b0a4f)
• i18n:
• Pass GenericEndpointContext to getLocale callback - by @bytaesu in #7866 (2d30e)
• magic-link:
• Add allowedAttempts options - by @Phillip9587, @himself65 and @ping-maxwell in #5552 (cb5ff)
• oauth:
• Add support for legacy OAuth clients that don't use PKCE - by @OscarCornish, Copilot and @Paola3stefania in #7609 (1e303)
• oauth-provider:
• Export oAuthState for config use - by @dvanmali in #7843 (34fe5)
• providers:
• Add Railway OAuth provider - by @kadumedim in #7730 (cc65d)
• scim:
• Add SCIM connection management endpoints - by @jonathansamines in #7898 (4595d)
• Introduce ownership model for SCIM - by @jonathansamines in #7931 (10aa1)
• sso:
• Add IdP-initiated SAML Single Logout (SLO) - by @Paola3stefania and @himself65 in #7567 (95a5a)
• Add shared redirectURI option for OIDC providers - by @Paola3stefania in #7818 (a2e1d)
• stripe:
• Add seat-based billing and usage-based billing - by @bytaesu in #7930 (dcd93)
• Add billingInterval field to subscription - by @bytaesu in #7221 (0a1dd)
• test-utils:
• Add test utilities plugin for integration and E2E testing - by @janhesters, Claude Opus 4.5 and @himself65 in #7746 (f15d2)

🐞 Bug Fixes

• Standardize name field masking as an empty string - by @bytaesu, @cursoragent and Taesu in #7794 (dfeef)
• Support all where operators in list filter endpoints - by @bytaesu in #7859 (0a4da)
• Type extends - by @himself65 in #7922 (5d8cd)
• Safely coerce date values from DB in OAuth provider plugin - by @himself65 in #7937 (09adc)
• Separate rate limit request and response handling - by @himself65 in #7939 (86ca6)
• admin:
• Apply listUsers filter when filterValue is defined - by @coderrshyam, @bytaesu and Taesu in #7827 (2d59c)
• captcha:
• Include error codes in middleware responses - by @himself65 in #7991 (6c52e)
• client:
• Infer additional fields for top-level user and session responses - by @bytaesu in #7986 (b857d)
• core:
• Coerce string where values to match field types in adapter - by @bytaesu in #7860 (a30fc)
• Exclude tsconfig.json from published package - by @GautamBytes and Gautam Manchandani in #7967 (dce7b)
• custom-session:
• Use getSetCookie() to preserve individual Set-Cookie headers - by @thomaspeklak in #7879 (64bb8)
• Use getSetCookie() to preserve individual Set-Cookie headers " - by @Bekacru in #7879 (ae30d)
• Use getSetCookie() to preserve individual Set-Cookie headers "" - by @Bekacru in #7879 (6846a)
• email-otp:
• Avoid user enumeration when disabled sign-up - by @jslno in #7971 (a4a37)
• mongo-adapter:
• Updating a FK id should store as ObjectID - by @ping-maxwell in #7977 (ad111)
• oauth:
• Handle refresh_token_expires_in in refreshAccessToken - by @bytaesu in #7810 (e4a0a)
• Support case-insensitive email matching for social account linking - by @karuppusamy-d in #7812 (af0c8)
• oauth-provider:
• Support scope narrowing at consent submission - by @gustavovalverde in #7873 (5b260)
• one-tap:
• Remove broken direct FedCM API call and harden prompt lifecycle - by @bytaesu in #7928 (150d2)
• organization:
• Remove unreachable null check in acceptInvitation - by @Saurav3004, Taesu and @himself65 in #7825 (32d06)
• Refetch activeMember and activeMemberRole when active organization changes - by @bytaesu in #7989 (7c52f)
• sso:
• Only call provisionUser for new users - by @bytaesu in #7870 (a50d2)
• Harden SAML ACS error redirects and add regression test for #7777 - by @Paola3stefania in #7815 and #7777 (bf2b2)
• Use POST with body params for provider CRUD endpoints to fix client inference - by @Paola3stefania in #7903 (68f70)
• Resolve TXT record at verification subdomain instead of root domain - by @Paola3stefania in #7935 (cc805)
• stripe:
• Move meters config into plans for usage-based billing - by @bytaesu in #7946 (9b5a7)
• Prevent duplicate line item when priceId equals seatPriceId - by @bytaesu in #7947 (4fb52)
• Remove getSubscriptionUsage endpoint - by @bytaesu in #7949 (7950f)
• Drop metered billing, use generic lineItems instead - by @bytaesu in #7951 (04217)
• Propagate trial data in subscription webhook handlers - by @bytaesu in #7955 (ddc27)
• Fall back to customers.list when customers.search API is unavailable - by @bytaesu in #7965 (74e06)
• View changes on GitHub

Original source Report a problem

Features

• Make name field optional " - by @himself65 in #7617 (00c95)
• Electron integration - by @jslno and @himself65 in #7647 (1c9aa)
• Awaitable social provider config - by @dvanmali in #4829 (ed68d)
• email-otp: Add rateLimit configuration option - by @ShobhitPatra and @himself65 in #4005 (001fe)
• oauth-proxy: Rewrite to support distributed environments - by @bytaesu, @cursoragent and taesu in #7720 (71a02)
• 🐞 Bug Fixes

Bug Fixes

• Improve Headers detection with instanceof check and cross-realm fallback - by @bytaesu in #7651 (bb45c)
• Correct error redirect URL construction - by @bytaesu in #7799 (4fe37)
• adapter:
  • Use getCurrentAdapter for user lookup to avoid transaction deadlock - by @sakamoto-wk in #7758 (7db4e)
• api-key:
  • Error details not passed to response - by @ping-maxwell and @himself65 in #7692 (ace5a)
• cli:
  • Add .env.local to dotenv - by @himself65 in #7831 (3b2b9)
• db:
  • Skip 'adapter.delete' in deleteWithHooks when entity not found - by @bytaesu in #7792 (ef26e)
• email-otp:
  • Typo in OpenAPI response metadata - by @smsunarto and Claude Opus 4.5 in #7737 (be4e7)
• expo:
  • Construct the new Request to avoid immutable headers error on Cloudflare Workers - by @bytaesu in #7774 (ecbd1)
  • Avoid a leading “; ” when constructing the first cookie - by @Laurin-Notemann in #7821 (a2b64)
• generic-oauth:
  • Emit duplicate id warning - by @himself65 in #7779 (9f40c)
• microsoft:
  • Add verifyIdToken support for Microsoft Entra ID provider - by @bytaesu in #7795 (75585)
• nextjs:
  • Detect RSC context to prevent unnecessary session refresh - by @bytaesu in #7763 (8ca2d)
• organization:
  • Prevent deletion of roles assigned to members - by @bytaesu in #7736 (3308e)
• passkey:
  • Use deleteVerificationByIdentifier for secondary-storage cleanup - by @bytaesu in #7790 (d1b82)
  • Compute expirationTime per-request instead of at init - by @bytaesu in #7731 (59a18)
• sso:
  • Allow custom organization roles in provisioning types - by @MuzzaiyyanHussain in #7722 (a605e)
  • Fix broken relay state redirect on SAML ACS route - by @rbayliss in #7781 (6516b)
  • Correct IdentityProvider configuration in signInSSO - by @theNailz and Claude Opus 4.5 in #7708 (c0d67)
  • Validate aud claim in OpenID Connect ID tokens - by @Paola3stefania in #7816 (01fae)
• stripe:
  • Clarify error when authorizeReference is missing - by @bytaesu in #7741 (fe921)
• View changes on GitHub

Original source Report a problem

🚀 Features

adapter

• Improve select support - by @jslno in #7667 (20d08)

oauth-provider

• Add iss parameter to authorization responses (RFC 9207) - by @Paola3stefania in #7669 (90a2d)
• Add configurable rate limiting for OAuth endpoints - by @Paola3stefania in #7666 (b2b4a)
• Enforce HTTPS for redirect URIs - by @Paola3stefania in #7670 (2d62a)

phone-number

• Support user additionalFields in signUpOnVerification flow - by @bytaesu and @himself65 in #7699 (9e1ab)

🐞 Bug Fixes

• Skip sending email verification to already verified users without a session - by @bytaesu in #7712 (ef487)
• access: Allow passing statements directly into newRole - by @jslno in #7687 (230cb)
• admin: Change list type from never[] to UserWithRole[] - by @LovelessCodes in #7701 (b00bc)
• anonymous: Export types - by @CalLavicka and @himself65 in #7661 (8630f)
• email-otp: Add stricter default rate limits for password reset endpoints - by @bytaesu in #7658 (9fb4f)
• oauth-provider: Honor prompt=none for OIDC - by @NefixEstrada in #7665 (4fd1a)
• sso: Add better-call peerDeps - by @bytaesu in #7676 (bcdcd)
• stripe: Restore better-call peerDeps - by @bytaesu in #7675 (f5d56)

View changes on GitHub

Original source Report a problem

Features

• device-authorization
  • Add user id checks - by @himself65 in #7632 (4d79c)
• one-tap
  • Add button mode for Google sign-in - by @himself65 and Alex Yang in #7482 (aeb92)
• sso
  • Support multi-domain providers - by @Paola3stefania in #7541 (5be34)
  • Add provider list and detail endpoints - by @Paola3stefania and @himself65 in #6967 (d0ed1)
• 🚀 Features
  • Add disableImplicitLinking to accountLinking - by @Paola3stefania and @himself65 in #7270 (a7740)
• Mark /forget-password/email-otp as deprecation - by @bytaesu in #7645 (8f333)

Bug Fixes

• Correctly handle OAuth callback and Apple email field - by @bytaesu in #7181 (c918e)
• Centralize cookie parsing and handle Expires dates correctly - by @bytaesu, @cursoragent, taesu and @himself65 in #7556 (d598b)
• Refresh account_data cookie when session is refreshed - by @bytaesu and @himself65 in #7576 (5d3f7)
• Remove duplicate secondary storage writes from setSessionCookie - by @bytaesu in #7592 (7a4bc)
• Set default logger level to "warn" - by @bytaesu, @cursoragent and taesu in #7597 (5d0e7)
• Respect the explicitly set sendOnSignUp option - by @bytaesu in #7593 (33619)
• Handle serial and false cases in generateId - by @bytaesu in #7474 (949cd)
• Log error when misconfigured - by @himself65 in #7584 (16201)
• Update google oauth endpoints - by @bytaesu in #7442 (d401b)
• Consistent api version for facebook provider - by @bytaesu in #7445 (cf619)
• Check jsconfig.json in getPathAliases - by @jycouet in #7650 (9cb45)
• 2fa
  • Server-side trust device expiration and configurable maxAge - by @Paola3stefania and @himself65 in #7644 (5d15b)
• anonymous
  • Export types - by @CalLavicka and @himself65 in #7661 (133a2)
• cli
  • Use inkeep remote mcp url - by @Bekacru in #7543 (27af8)
  • Update MCP URL from Chonkie to Inkeep - by @Paola3stefania in #7585 (79621)
• core
  • Consolidate rateLimit table schema definition - by @bytaesu in #7551 (ea589)
• email-otp
  • Add stricter default rate limits for password reset endpoints - by @bytaesu in #7658 (dcc28)
• expo
  • Prevent null cookie key when redirect URL has no cookie param - by @bytaesu in #7555 (d2ca0)
  • Prevent duplicate listener notifications in FocusManager and OnlineManager - by @kimchi-developer and @himself65 in #7552 (a3ffb)
• github
  • Surface OAuth token exchange errors - by @Paola3stefania in #7186 (94b75)
• mcp
  • Remove local mpc - by @Paola3stefania in #7574 (d6d62)
• multi-session
  • Prevent duplicate cookies when same user signs in multiple times - by @Paola3stefania and @himself65 in #7256 (9db76)
• oauth-provider
  • Properly handle metadata field in client registration - by @Paola3stefania in #7232 (33015)
• okta
  • Userinfo route mismatch - by @psigen in #7602 (acf77)
• organization
  • Filter returned: false fields from API responses - by @Paola3stefania and @himself65 in #7531 (57f1e)
• saml
  • IdP-Initiated Callback Routing - by @Paola3stefania and Alex Yang in #6675 (c6f8f)
• session
  • Skip invalid sessions in list - by @Paola3stefania and @himself65 in #7182 (b6986)
• stripe
  • Allow billing interval change for same plan - by @bytaesu in #7542 (1cfcc)
  • Find active subscription correctly when upgrading - by @bytaesu in #7547 (663d4)

Performance

• Fix infinite typecheck - by @himself65 in #7563 (12f4c)

• View changes on GitHub

Original source Report a problem

🚀 Features

• I18n plugin - by @himself65 in #7428 (30c27)
• Add setShouldSkipSessionRefresh - by @himself65 in #7625 (ac81f)
• Add disableImplicitLinking to accountLinking - by @Paola3stefania and @himself65 in #7270 (f11cd)
• Mark /forget-password/email-otp as deprecation - by @bytaesu in #7645 (97e6d)
• Remove deprecated API - by @himself65 in #7623 (12517)

db

• Add verification identifier storage options - by @Paola3stefania in #7209 (0e8cd)

device-authorization

• Add user id checks - by @himself65 in #7632 (70e71)

i18n

• Type inference for error codes - by @himself65 in #7639 (b500a)

one-tap

• Add button mode for Google sign-in - by @himself65 and Alex Yang in #7482 (9dfbe)

session

• Add deferSessionRefresh option to support read-replica setups - by @Paola3stefania, Alexander Asomba, Bereket Engida and @himself65 in #6871 (36f55)

sso

• Support multi-domain providers - by @Paola3stefania in #7541 (75ee9)
• Add provider list and detail endpoints - by @Paola3stefania and @himself65 in #6967 (4f5c7)
• Add support for signed SAML AuthnRequests - by @Paola3stefania in #7562 (426f0)

🐞 Bug Fixes

• Centralize cookie parsing and handle Expires dates correctly - by @bytaesu, @cursoragent, taesu and @himself65 in #7556 (72069)
• Refresh account_data cookie when session is refreshed - by @bytaesu and @himself65 in #7576 (96a7e)
• Log error when misconfigured - by @himself65 in #7584 (10690)
• Remove duplicate secondary storage writes from setSessionCookie - by @bytaesu in #7592 (b2939)
• Set default logger level to "warn" - by @bytaesu, @cursoragent and taesu in #7597 (ba366)
• Respect the explicitly set sendOnSignUp option - by @bytaesu in #7593 (762a1)
• Update google oauth endpoints - by @bytaesu in #7442 (27746)
• Consistent api version for facebook provider - by @bytaesu in #7445 (1f65d)
• Check jsconfig.json in getPathAliases - by @jycouet in #7650 (b7d50)

2fa

• Server-side trust device expiration and configurable maxAge - by @Paola3stefania and @himself65 in #7644 (a7f15)

cli

• Use inkeep remote mcp url - by @Bekacru in #7543 (83186)
• Update MCP URL from Chonkie to Inkeep - by @Paola3stefania in #7585 (b3cce)

core

• Consolidate rateLimit table schema definition - by @bytaesu in #7551 (7d3bf)

expo

• Prevent null cookie key when redirect URL has no cookie param - by @bytaesu in #7555 (cf6c0)
• Prevent duplicate listener notifications in FocusManager and OnlineManager - by @kimchi-developer and @himself65 in #7552 (a5e40)

github

• Surface OAuth token exchange errors - by @Paola3stefania in #7186 (db6a4)

mcp

• Remove local mpc - by @Paola3stefania in #7574 (041dc)

multi-session

• Prevent duplicate cookies when same user signs in multiple times - by @Paola3stefania and @himself65 in #7256 (8e047)

okta

• Userinfo route mismatch - by @psigen in #7602 (7df0a)

organization

• Filter returned: false fields from API responses - by @Paola3stefania and @himself65 in #7531 (87777)

session

• Skip invalid sessions in list - by @Paola3stefania and @himself65 in #7182 (dedb4)

stripe

• Allow billing interval change for same plan - by @bytaesu in #7542 (f716e)
• Find active subscription correctly when upgrading - by @bytaesu in #7547 (16f45)

🏎 Performance

• Fix infinite typecheck - by @himself65 in #7563 (2ff99)

View changes on GitHub

Original source Report a problem

🚀 Features

• admin: Make password field optional on create user - by @Bekacru and @cursoragent in #7441 (c11ac)
• api-keys: Pagination support for list-api-keys - by @ping-maxwell and @himself65 in #7424 (25f57)
• two-factor: Add twoFactorCookieMaxAge as a separate option - by @Bekacru (29946)

🐞 Bug Fixes

• Update TanStack imports to use server subpath - by @himself65 in #7446 (e8922)

• /minimal includes unexpected deps - by @himself65 in #7467 (1668a)

• Handle serial and false cases in generateId - by @bytaesu in #7474 (52033)

• Consistent token endpoint for dropbox provider - by @bytaesu in #7444 (7a9dc)

• Include Set-Cookie when APIError thrown in hooks - by @himself65 in #7478 (a5f42)

• Ensure session id exists for secondary storage without database - by @bytaesu in #7476 (ed5c4)

• Delay database hooks execution until after transaction commits - by @himself65 and Alex Yang in #7345 (dabed)

• Set default ipv6 subnet to 64 - by @himself65 in #7509 (5de97)

• client:

  • Deep merge plugin actions to preserve all methods - by @gustavovalverde in #7407 (0e04e)

• cookies:

  • Fallback to isProduction when baseURL is not set - by @bytaesu in #7159 (46c9f)

• db:

  • Only exclude returned: false fields from output schemas - by @Paola3stefania in #7504 (5cc0a)

• mcp:

  • Correct version - by @himself65 in #7496 (98b0b)

• organization:

  • Missing activeTeamId field when dynamic access control is enabled - by @longnguyen2004, @himself65, ping-maxwell and @ping-maxwell in #7385 (00bda)

• prisma-adapter:

  • Enhance null condition handling - by @himself65 and reslear in #7483 (228ed)

• rate-limit:

  • Support IPv6 address normalization and subnet - by @himself65 in #7470 (57af0)

• sso:

  • Normalize SAML emails to prevent duplicate users - by @ajaykarthikr in #7460 (46b8c)
  • Fix validateToken JWK handling for all key types - by @Paola3stefania in #7479 (78f12)

• stripe:

  • Allow re-subscribing to the same plan when subscription has expired - by @DIYgod, Claude Opus 4.5, Taesu and @bytaesu in #7459 (0142e)

• two-factor:

  • Improve OTP comparision during hashed and encrypted values - by @Bekacru (87949)

View changes on GitHub

Original source Report a problem

🚀 Features

• two-factor: Add twoFactorCookieMaxAge as a separate option - by @Bekacru (c6e4f)

🐞 Bug Fixes

• Set default ipv6 subnet to 64 - by @himself65 in #7509 (6ef60)
• cookies: Fallback to isProduction when baseURL is not set - by @bytaesu in #7159 (f7cbb)
• db: Only exclude returned: false fields from output schemas - by @Paola3stefania in #7504 (86db4)
• stripe: Allow re-subscribing to the same plan when subscription has expired - by @DIYgod, Claude Opus 4.5, Taesu and @bytaesu in #7459 (a1b09)
• two-factor: Improve OTP comparision during hashed and encrypted values - by @Bekacru (22534)

View changes on GitHub

Original source Report a problem