Skip to content

better-auth — releases

Latest 20 GitHub releases for better-auth/better-auth. Auto-mirrored by playbooks/local/autodocgen.yml.

[!info] Pinned in BreeZ-CF: 1.x · upstream latest: v1.6.9.

v1.6.9 · v1.6.9

2026-04-24 · by @better-release[bot]

better-auth

Bug Fixes

  • Fixed instrumentation resolution in the adapter factory so edge and browser environments correctly use the pure variant (#9340)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@erquhart

Full changelog: v1.6.8...v1.6.9

v1.6.8 · v1.6.8

2026-04-23 · by @better-release[bot]

better-auth

Bug Fixes

  • Fixed mapProfileToUser fallback for OAuth providers that may omit email from their profile response (#9331)
  • Fixed support for passing id through beforeCreateTeam and beforeCreateInvitation hooks (#9253)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed authorization flows that do not include a state parameter (#9328)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed incompatibility with TypeScript's exactOptionalPropertyTypes compiler option (#9270)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@baptisteArno, @gustavovalverde, @ping-maxwell

Full changelog: v1.6.7...v1.6.8

v1.7.0-beta.2 · v1.7.0-beta.2

2026-04-22 · by @better-release[bot] · prerelease

better-auth

Features

  • Added userId and organizationId parameters to the listUserTeams API for scoped team lookups without switching the active organization (#8977)
  • Added support for passing an array of client IDs as the ID token audience in social providers (#9292)

Bug Fixes

  • Fixed forceAllowId UUIDs being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid" (#9068)
  • Fixed response headers being lost when an APIError is thrown (#9211)
  • Fixed $sessionSignal not being triggered for session-rotating endpoints (#9087)
  • Fixed the partitioned cookie attribute being dropped on set-cookie round-trips (#9235)
  • Fixed the ./instrumentation module to export a no-op in browser and edge environments (#9281)
  • Fixed disableRefresh query parameter validation in custom sessions to correctly coerce string values to booleans (#9214)
  • Fixed a crash when the request body is undefined during OAuth2 state parsing (#9293)
  • Fixed team additional fields not being inferred correctly in the organization plugin (#9266)
  • Fixed updateUser to allow removing a phone number (#9219)
  • Fixed callbackOnVerification not being called when updatePhoneNumber is enabled (#4894)
  • Reverted two-factor enforcement to credential sign-in flows only, removing the unintended challenge on magic link, OAuth, passkey, and other non-credential sign-in methods (#9205)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

❗ Breaking Changes

  • Updated all OAuth 2.0 endpoints to return RFC-compliant { error, error_description } error envelopes for validation failures (#9277)

    Migration: All six OAuth endpoints (/oauth2/token, /oauth2/authorize, /oauth2/revoke, /oauth2/introspect, /oauth2/register, /oauth2/end-session) now emit structured { error, error_description } responses per RFC 6749 §5.2. Update any client code that previously parsed the raw validation error format from these endpoints.

Bug Fixes

  • Fixed host classification inconsistencies across packages that could allow SSRF attacks (#9226)
  • Fixed the userinfo endpoint to correctly read the Authorization header when called via auth.api (#9244)

For detailed changes, see CHANGELOG

@better-auth/api-key

Features

  • Added mapConcurrent utility for bounded-concurrency iteration (#9227)

Bug Fixes

  • Fixed secondary-storage API key operations to run in parallel, improving performance (#9187)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Required patched drizzle-orm ^0.45.2 and kysely ^0.28.14 peer versions to track vulnerability fixes (#9165)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

  • Fixed cached session data not being read from SecureStore on app startup (#8953)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed passkey authentication verification not returning the authenticated user (#5209)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @GautamBytes, @gustavovalverde, @Kinfe123, @ouwargui, @ping-maxwell, @ramonclaudio, @ruban-s, @stewartjarod, @TanishValesha, @terijaki

Full changelog: v1.7.0-beta.1...v1.7.0-beta.2

v1.6.7 · v1.6.7

2026-04-22 · by @better-release[bot]

better-auth

Features

  • Added support for an array of client IDs as the ID token audience in social providers (#9292)

Bug Fixes

  • Fixed response headers being lost when an APIError is thrown (#9211)
  • Fixed browser and edge runtime errors by serving a no-op ./instrumentation module in those environments (#9281)
  • Fixed a crash when parsing OAuth2 state with an undefined request body (#9293)
  • Fixed callbackOnVerification not being called when updatePhoneNumber is enabled (#4894)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed the userinfo endpoint to read the Authorization header from request context when using auth.api (#9244)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed passkey authentication verification not returning the user (#5209)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@gustavovalverde, @Kinfe123, @ouwargui, @ramonclaudio, @stewartjarod, @TanishValesha

Full changelog: v1.6.6...v1.6.7

v1.6.6 · v1.6.6

2026-04-21 · by @better-release[bot]

better-auth

Bug Fixes

  • Fixed preservation of the Partitioned attribute when forwarding Set-Cookie headers (#9235)
  • Fixed boolean coercion for the disableRefresh query parameter in custom session validation (#9214)
  • Fixed incorrect inference of team additional fields in the organization plugin (#9266)
  • Added support for removing a phone number via updateUser({ phoneNumber: null }) (#9219)

For detailed changes, see CHANGELOG

@better-auth/core

Features

  • Added mapConcurrent, a bounded-concurrency async utility, at @better-auth/core/utils/async (#9227)

Bug Fixes

  • Made @opentelemetry/api an optional peer dependency (#9111)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Improved performance by running secondary-storage API key lookups in parallel (#9187)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

  • Fixed session loading to read cached data from SecureStore on app startup, eliminating the login screen flash for returning users (#8953)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed several SSRF vulnerabilities by unifying host classification and closing loopback bypass vectors across packages (#9226)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed an ESM/CJS compatibility issue when loading samlify (#9262)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @gustavovalverde, @jonathansamines, @ping-maxwell, @terijaki

Full changelog: v1.6.5...v1.6.6

v1.6.5 · v1.6.5

2026-04-16 · by @better-release[bot]

better-auth

Bug Fixes

  • Clarified recommended production usage for the test utils plugin (#9119)
  • Fixed session not refreshing after /change-password and /revoke-other-sessions (#9087)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Security

  • Fixed GHSA-xr8f-h2gw-9xh6, a high-severity authorization bypass in @better-auth/oauth-provider where unprivileged authenticated users could create OAuth clients when deployments relied on clientPrivileges to restrict client creation.
  • First patched stable version: @better-auth/oauth-provider@1.6.5.
  • Note: the published beta line (1.7.0-beta.0 and 1.7.0-beta.1) remains affected until a fixed beta release is published.

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@GautamBytes, @ramonclaudio

Full changelog: v1.6.4...v1.6.5

v1.7.0-beta.1 · v1.7.0-beta.1

2026-04-15 · by @better-release[bot] · prerelease

better-auth

Bug Fixes

  • Fixed dynamic baseURL resolution from request headers for direct auth.api calls (#9113)
  • Fixed a race condition in the client that caused excessive requests due to isMounted timing issues (#9078)
  • Fixed 2FA enforcement to apply across all sign-in paths, including magic link, OAuth, passkey, and email OTP (#9122)
  • Fixed backup code updates to respect the configured storeBackupCodes storage strategy after verification (#7231)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

❗ Breaking Changes

  • Rewrote the generic OAuth plugin as a first-class social provider with OAuth 2.1 security defaults (#9069)

    Migration: Replace signIn.oauth2({ providerId }) with signIn.social({ provider }), oauth2.link() with linkSocial(), and update your IdP callback URLs from /api/auth/oauth2/callback/:id to /api/auth/callback/:id. Remove genericOAuthClient(), issuer, and requireIssuerValidation from your config. Set pkce: false for providers that reject PKCE challenges.

Features

  • Added customTokenResponseFields callback to inject custom fields into token endpoint responses, and hardened authorization code validation (#9118)
  • Added at_hash claim to ID tokens to cryptographically bind them to their access tokens, per OIDC Core §3.1.3.6 (#9079)

Bug Fixes

  • Fixed dynamic baseURL resolution to correctly handle trusted proxy headers, loopback addresses, and forwarded requests in plugin metadata helpers (#9131)
  • Fixed unauthenticated dynamic client registration to automatically downgrade confidential auth methods to public client, improving compatibility with MCP clients (#9123)

For detailed changes, see CHANGELOG

@better-auth/sso

❗ Breaking Changes

  • Consolidated the SAML ACS endpoint, removed callbackUrl from samlConfig, and fixed SLO session matching (#9117)

    Migration: Remove callbackUrl from samlConfig (the ACS URL is now auto-derived from baseURL and providerId) and update your IdP's ACS URL to /sso/saml2/sp/acs/:providerId. Remove decryptionPvk, additionalParams, idpMetadata.entityURL, and idpMetadata.redirectURL from SAMLConfig if present. The spMetadata field is now optional and can be removed.

Bug Fixes

  • Upgraded samlify to 2.12.0, adding XPath injection protection and XXE prevention for SAML XML processing (#9121)

For detailed changes, see CHANGELOG

@better-auth/cimd

Features

  • Added the @better-auth/cimd plugin for Client ID Metadata Document support, enabling URL-based client identification for MCP and dynamic client discovery flows (#9159)

For package details, see README

@better-auth/stripe

Bug Fixes

  • Fixed a prototype pollution vulnerability in the Stripe plugin when handling user-supplied metadata (#9164)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @Byte-Biscuit, @gustavovalverde, @ping-maxwell

Full changelog: v1.7.0-beta.0...v1.7.0-beta.1

v1.6.4 · v1.6.4

2026-04-15 · by @better-release[bot]

better-auth

Bug Fixes

  • Fixed forceAllowId UUIDs set in database hooks being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid" (#9068)
  • Reverted 2FA enforcement scope to credential sign-in paths only, so magic link, email OTP, OAuth, SSO, passkey, and other non-credential sign-in flows no longer trigger a 2FA challenge (#9205)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@GautamBytes, @gustavovalverde

Full changelog: v1.6.3...v1.6.4

v1.6.3 · v1.6.3

2026-04-14 · by @better-release[bot]

better-auth

Features

  • Added support for Stripe SDK v21 and v22 (#9084)

Bug Fixes

  • Fixed incorrect operationId for the requestPasswordResetCallback endpoint in the OpenAPI spec (#9072)
  • Fixed dynamic baseURL resolution from request headers for direct auth.api calls (#9113)
  • Fixed isMounted race condition that caused excessive requests per second in the client (#9078)
  • Fixed nullable schema for the get-session endpoint in the OpenAPI 3.1 spec (#8389)
  • Fixed checkout and upgrade flows to omit quantity for metered prices (#8926)
  • Fixed 2FA enforcement to trigger on all sign-in paths, including magic-link, OAuth, passkey, email-OTP, and SIWE (#9122)
  • Fixed backup code updates to respect the configured storeBackupCodes storage strategy after verification (#7231)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Features

  • Added customTokenResponseFields callback for injecting custom fields into token endpoint responses, and hardened authorization code validation (#9118)

Bug Fixes

  • Hardened dynamic baseURL resolution for direct auth.api calls and plugin metadata helpers (#9131)
  • Fixed unauthenticated dynamic client registration to silently override confidential auth methods to public, improving compatibility with MCP clients (#9123)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed multiple SAML response processing bugs, including ACS URL generation, encryption field handling, and provider config parsing (#9097)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed prototype pollution vulnerability when merging user-supplied metadata in the Stripe plugin (#9164)

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Fixed tsconfig path alias resolution for extended configs and mid-path wildcards in the CLI (#9032)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @Byte-Biscuit, @gustavovalverde, @Oluwatobi-Mustapha, @ping-maxwell, @ramonclaudio

Full changelog: v1.6.2...v1.6.3

v1.7.0-beta.0 · v1.7.0-beta.0

2026-04-10 · by @better-release[bot] · prerelease

better-auth

❗ Breaking Changes

  • feat(two-factor)!: add OTP enablement and discriminated response (#9057)

enableTwoFactor now accepts a method parameter ("otp" | "totp", default "totp") and returns a discriminated response with a method field.

### method: "otp"

  • Sets twoFactorEnabled: true immediately.
  • Returns { method: "otp" }.
  • Requires otpOptions.sendOTP to be configured on the server; rejects with OTP_NOT_CONFIGURED otherwise.

### method: "totp" (default)

  • Returns { method: "totp", totpURI, backupCodes }.
  • Rejects with TOTP_NOT_CONFIGURED if totpOptions.disable is set.

### Breaking changes

  • Removed skipVerificationOnEnable: use method: "otp" for immediate activation, or the standard TOTP verification flow.
  • Response shape changed: enableTwoFactor includes a method field in the response ("otp" or "totp").

Features

  • feat(stripe): support Stripe SDK v21 and v22 (#9084)

Bug Fixes

  • fix: incorrect operationId in password reset callback endpoint (#9072)
  • fix(open-api): correct get-session nullable schema for OAS 3.1 (#8389)
  • fix(stripe): omit quantity for metered prices in checkout and upgrades (#8926)

For detailed changes, see CHANGELOG

@better-auth/sso

❗ Breaking Changes

  • fix(sso)!: harden SAML response validation (InResponseTo, Audience, SessionIndex) (#9055)

### Breaking Changes

  • allowIdpInitiated now defaults to false — IdP-initiated SSO (unsolicited SAML responses) is disabled by default. Set saml.allowIdpInitiated: true to restore the previous behavior. This aligns with the SAML2Int interoperability profile which recommends against IdP-initiated SSO due to its susceptibility to injection attacks.

### Bug Fixes

  • InResponseTo validation was completely non-functional — The code read extract.inResponseTo (always undefined) instead of samlify's actual path extract.response.inResponseTo. SP-initiated InResponseTo validation now works as intended in both ACS handlers.
  • Audience Restriction was never validated — SAML assertions issued for a different service provider were accepted without checking the <AudienceRestriction> element. Audience is now validated against the configured samlConfig.audience value per SAML 2.0 Core §2.5.1.
  • SessionIndex stored as object instead of string — samlify returns sessionIndex from login responses as { authnInstant, sessionNotOnOrAfter, sessionIndex }, but the code stored the whole object. SLO session-index comparisons always failed silently. The correct inner sessionIndex string is now extracted.

### Improvements

  • Extracted shared validateInResponseTo() and validateAudience() into packages/sso/src/saml/response-validation.ts, eliminating ~160 lines of duplicated validation logic between the two ACS handlers.
  • Fixed SAMLAssertionExtract type to match samlify's actual extractor output shape.

Bug Fixes

  • fix(sso): unify SAML response processing and fix bugs (#9097)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Features

  • feat(oauth): add private_key_jwt client authentication (RFC 7523) (#8836)

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • fix(cli): handle extends and mid-path wildcards in tsconfig paths (#9032)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @gustavovalverde, @Oluwatobi-Mustapha, @ramonclaudio

Full changelog: v1.6.2...v1.7.0-beta.0

v1.6.2 · v1.6.2

2026-04-09 · by @better-release[bot]

better-auth

❗ Breaking Changes

  • Prevented unverified TOTP enrollment from blocking sign-in (#8711)

    Migration: Schema migration required.

    Add the verified column to the twoFactor table, then regenerate/apply your ORM migration. - Prisma: run npx auth@latest generate, then npx prisma migrate dev (or npx prisma db push) and npx prisma generate. - Drizzle: run npx auth@latest generate, then npx drizzle-kit generate and npx drizzle-kit migrate.

Existing rows do not need a backfill because the column defaults to true.

Features

  • Included enabled 2FA methods in sign-in redirect response (#8772)

Bug Fixes

  • Fixed OAuth state verification against cookie-stored nonce to prevent CSRF (#8949)
  • Fixed infinite router refresh loops in nextCookies() by replacing cookie probe with header-based RSC detection (#9059)
  • Fixed cross-provider account collision in link-social callback (#8983)
  • Included RelayState in signed SAML AuthnRequests (#9058)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed multi-valued query params collapsing through prompt redirects (#9060)
  • Rejected skip_consent at schema level in dynamic client registration (#8998)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAMLResponse decoding failures caused by line-wrapped base64 (#8968)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@aarmful, @cyphercodes, @dvanmali, @gustavovalverde, @jaydeep-pipaliya, @ping-maxwell

Full changelog: v1.6.1...v1.6.2

v1.6.1 · v1.6.1

2026-04-08 · by @better-release[bot]

better-auth

Bug Fixes

  • Fixed endpoint instrumentation to always use the route template (#9023)
  • Returned INVALID_PASSWORD for all checkPassword failures (#8902)
  • Restored getSession accessibility in generic Auth<O> context (#9017)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @jonathansamines, @ping-maxwell

Full changelog: v1.6.0...v1.6.1

v1.6.0 · v1.6.0

2026-04-06 · by @better-release[bot] Blog post: Better Auth 1.6

better-auth

❗ Breaking Changes

  • Aligned freshAge calculation with session creation time instead of update time (#8762)

    Migration: session.freshAge now calculates from createdAt. Set session: { freshAge: 0 } to disable the check entirely.

Features

  • Added experimental OpenTelemetry instrumentation for endpoints, hooks, middleware, and database operations (#8027)
  • Added resendStrategy option to reuse existing OTP in email-otp plugin (#8560)
  • Added enable option for HaveIBeenPwned plugin (#8728)
  • Added request metadata to sendMagicLink callback (#8571)
  • Added dedicated secret option to OAuth proxy to reduce shared key exposure (#8699)
  • Added explicit organizationId parameter in team endpoints (#5062)
  • Added WeChat social provider (#5189)
  • Added twoFactorPage config option for custom 2FA page routing (#5329)

Bug Fixes

  • Deprecated oidc-provider plugin in favor of @better-auth/oauth-provider (#8985)
  • Fixed access control indexing type (#8155)
  • Added origin check middleware to password reset request (#8392)
  • Fixed account cookie comparison to use provider accountId instead of internal id (#8786)
  • Fixed session id generation when using secondary storage without database (#8927)
  • Fixed skipOriginCheck array handling (#8582)
  • Fixed misleading rate limit IP warning (#8617)
  • Passed user field through idToken sign-in body for Apple name support (#8417)
  • Preserved custom session fields on focus refresh (#8354)
  • Fixed double encoded cookie (#8133)
  • Prevented revoked sessions from being restored via database fallback (#8708)
  • Resolved duplicate operationId in admin plugin endpoints (#8570)
  • Rethrew phone sendOTP failures instead of silently swallowing them (#8842)
  • Set stateless cookieCache maxAge to match session.expiresIn (#8648)
  • Threw on duplicate email when autoSignIn: false without requireEmailVerification (#8521)
  • Fixed accountInfo endpoint to use accountId instead of internal id (#8346)
  • Restored deprecated createAdapter and type exports for backwards compatibility (#8461)
  • Fixed Response return for HTTP request contexts (#7521)
  • Fixed throw: true handling in client session refresh (#8610)
  • Preserved stale session data on network or server errors (#8437)
  • Fixed bundler re-export type resolution with direct imports (#8261)
  • Fixed Set-Cookie header splitting with lookahead heuristic (#8301)
  • Prioritized generateId: "uuid" over adapter customIdGenerator (#8679)
  • Fixed date string revival in safeJSONParse for pre-parsed objects (#8248)
  • Fixed postgres migration to use CREATE INDEX (#8538)
  • Triggered sessionSignal after requesting email change in email-otp (#8816)
  • Fixed generic-oauth to use discovery userinfo endpoint instead of hardcoded URLs (#8223)
  • Normalized missing resolver path in last-login-method plugin (#8589)
  • Returned additional fields in /magic-link/verify (#7223)
  • Fixed OAuth proxy to read callback params from body for form_post (#8895)
  • Fixed double-hashing of OAuth state when storeIdentifier is hashed (#8980)
  • Fixed redirect_uri validation for prompt=none in oidc-provider (#8398)
  • Opted into FedCM to suppress Google GSI deprecation warnings (#8720)
  • Filtered null organizations in listUserInvitations (#8694)
  • Fixed multi-role user handling in invite and member removal checks (#8442)
  • Enforced authorization on SCIM management endpoints and normalized passkey ownership checks (#8843)
  • Allowed passwordless users to manage 2FA (#7243)
  • Wired twoFactorTable option to schema modelName (#8443)
  • Prevented any from collapsing auth.$Infer and client inference types (#8981)
  • Fixed updateUser to not overwrite unrelated username fields (#7570)
  • Enforced username uniqueness in updateUser (#8731)
  • Used non-blocking scrypt for password hashing to avoid blocking the event loop (#8685)

For detailed changes, see CHANGELOG

@better-auth/sso

❗ Breaking Changes

  • Enabled InResponseTo validation by default for SP-initiated SAML flows (#8736)

    Migration: Set sso({ saml: { enableInResponseToValidation: false } }) to restore the previous behavior.

Features

  • Added logging for OIDC callback code validation failures (#8693)

Bug Fixes

  • Patched transitive node-forge vulnerability via samlify pin (#8838)
  • Fixed bare domain handling in domain verification (#8369)
  • Preferred UserInfo endpoint over ID token and mapped sub claim correctly (#8276)
  • Fixed provisionUser inconsistency and added provisionUserOnEveryLogin option (#8818)
  • Skipped state cookie check for SAML ACS cross-site POST (#8735)
  • Fixed verification operations to use internalAdapter (#8353)
  • Fixed ESM compatibility with namespace import for samlify (#8697)

For detailed changes, see CHANGELOG

@better-auth/mongo-adapter

❗ Breaking Changes

  • Stored UUIDs as native BSON UUID type (#8681)

    Migration: New documents use native BSON UUIDs. Existing string UUIDs continue to work. No data migration required.

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Features

  • Added pairwise subject identifiers (OIDC Core Section 8) (#8292)
  • Added public client prelogin endpoint (#8214)

Bug Fixes

  • Allowed localhost subdomains in isLocalhost function (#8286)
  • Fixed fetch redirect CORS after login (#8519)
  • Allowed customIdTokenClaims to override standard claims (#7865)
  • Enforced DB-backed sessions when secondary storage is enabled (#8894)
  • Fixed dist declaration type errors (#8701)
  • Fixed dynamic baseURL config handling in init (#8649)
  • Improved allowed paths for oauth_query in client plugin (#8320)
  • Allowed customIdTokenClaims to override acr and auth_time (#8633)
  • Normalized auth_time timestamps across adapter shapes (#8761)
  • Returned JSON redirects from post-login OAuth continuation to fix CORS-blocked 302s (#8815)
  • Fixed PAR scope loss, loopback redirect matching, and DCR skip_consent (#8632)
  • Added prompt=none support (#8554)

For detailed changes, see CHANGELOG

@better-auth/stripe

Features

  • Added customizable prorationBehavior per plan (#8525)

Bug Fixes

  • Improved organization customer search by adding customerType check (#8609)
  • Replaced {CHECKOUT_SESSION_ID} placeholder in success callbackURL (#8568)
  • Returned correct priceId for annual subscriptions in list (#8810)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Features

  • Added case-insensitive query support (mode: "insensitive") (#8556)

Bug Fixes

  • Fixed Drizzle adapter failing date transformation (#8289)
  • Used IS NULL / IS NOT NULL for null value comparisons (#8660)

For detailed changes, see CHANGELOG

@better-auth/expo

Features

  • Exposed plugin version field on all built-in plugins (#8750)

Bug Fixes

  • Fixed shim require issue (#8253)
  • Fixed origin override handling across mutable and immutable requests (#8405)

For detailed changes, see CHANGELOG

@better-auth/prisma-adapter

Bug Fixes

  • Moved adapter packages to dependencies to fix missing module errors (#8401)
  • Used updateMany fallback for non-unique updates (#8524)
  • Used deleteMany when deleting by non-unique field (#8314)

For detailed changes, see CHANGELOG

auth

Features

  • Migrated MCP server URL to mcp.better-auth.com (#8747)

Bug Fixes

  • Fixed path alias resolution from extended tsconfig files (#8520)
  • Treated omitted required as true in Drizzle and Prisma generators (#8614)

For detailed changes, see CHANGELOG

@better-auth/electron

Bug Fixes

  • Fixed verification operations with secondary storage (#8247)
  • Handled safeStorage encryption failures gracefully (#8530)

For detailed changes, see CHANGELOG

@better-auth/passkey

Features

  • Added pre-auth registration and WebAuthn extensions support (#7154)

Bug Fixes

  • Fixed error message strings in passkey client (#8751)

For detailed changes, see CHANGELOG

@better-auth/test-utils

Features

  • Exported adapter test suites from @better-auth/test-utils/adapter (#8564)

Bug Fixes

  • Removed using keyword for runtime compatibility (#8756)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Fixed turbo caching, enforced lockfile integrity, and expanded pre-commit hooks (#8892)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

  • Stopped marking redirect APIErrors as span errors in OpenTelemetry traces (#8850)

For detailed changes, see CHANGELOG

@better-auth/kysely-adapter

Bug Fixes

  • Removed deprecated numUpdatedOrDeletedRows from D1 dialect (#8798)

For detailed changes, see CHANGELOG

@better-auth/telemetry

Bug Fixes

  • Used conditional exports to replace dynamic import hacks (#8458)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@aarmful, @bytaesu, @dvanmali, @Eric-Song-Nop, @formatlos, @GautamBytes, @GoPro16, @gustavovalverde, @himself65, @jonathansamines, @jslno, @mrgrauel, @NathanColosimo, @okisdev, @olliethedev, @Oluwatobi-Mustapha, @OscarCornish, @ping-maxwell, @raihanbrillmark, @sicarius97, @Sigmabrogz, @wuzgood98, @xiaoyu2er, @YevheniiKotyrlo

Full changelog: v1.5.6...v1.6.0

v1.5.7-beta.1 · v1.5.7-beta.1

2026-03-23 · by @github-actions[bot] · prerelease No significant changes

    View changes on GitHub

v1.5.1-beta.4 · v1.5.1-beta.4

2026-03-23 · by @github-actions[bot] · prerelease

   🚀 Features

  • Agent auth plugin  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/8696 (5648b)
  • core:
  • Add experimental opentelemetry instrumentation  -  by @jonathansamines and @bytaesu in https://github.com/better-auth/better-auth/issues/8027 (e42ea)
  • email-otp:
  • Add resendStrategy option to reuse existing OTP  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8560 (bbe1a)
  • haveibeenpwned:
  • Add enable option  -  by @aarmful and Taesu in https://github.com/better-auth/better-auth/issues/8728 (df9ab)
  • magic-link:
  • Add request metadata to sendMagicLink  -  by @mrgrauel in https://github.com/better-auth/better-auth/issues/8571 (230cf)
  • mongo-adapter:
  • Store UUIDs as native BSON UUID  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8681 (3aa10)
  • oauth-provider:
  • Pairwise subject identifiers (OIDC Core §8)  -  by @gustavovalverde and @himself65 in https://github.com/better-auth/better-auth/issues/8292 (ab7ec)
  • Public client prelogin endpoint  -  by @dvanmali in https://github.com/better-auth/better-auth/issues/8214 (20e45)
  • oauth-proxy:
  • Add dedicated secret option to reduce shared key exposure surface  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8699 (faffb)
  • organization:
  • Explicit organizationId in team endpoints  -  by @xiaoyu2er and @himself65 in https://github.com/better-auth/better-auth/issues/5062 (5d60d)
  • social-provider:
  • Add wechat social provider  -  by @Eric-Song-Nop, Claude and @himself65 in https://github.com/better-auth/better-auth/issues/5189 (6061b)
  • sso:
  • Add logging for when code validation fails in oidc callback  -  by @OscarCornish in https://github.com/better-auth/better-auth/issues/8693 (ac954)
  • stripe:
  • Allow customizable prorationBehavior per plan  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8525 (9fdd6)
  • test-utils:
  • Export adapter test suites from @better-auth/test-utils/adapter  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8564 (6578b)
  • two-factor:
  • Add twoFactorPage in config  -  by @wuzgood98 in https://github.com/better-auth/better-auth/issues/5329 (caa9f)

   🐞 Bug Fixes

  • Access control indexing type  -  by @YevheniiKotyrlo and @himself65 in https://github.com/better-auth/better-auth/issues/8155 (47bba)
  • Prevent double encoded cookie  -  by @Oluwatobi-Mustapha and @himself65 in https://github.com/better-auth/better-auth/issues/8133 (49921)
  • Move adapter packages to dependencies to fix missing module errors  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8401 (27c4c)
  • Pass user field through idToken sign-in body for Apple name support  -  by @bytaesu and Copilot in https://github.com/better-auth/better-auth/issues/8417 (d8139)
  • Preserve custom session fields on focus refresh  -  by @jslno in https://github.com/better-auth/better-auth/issues/8354 (5e49c)
  • Throw on duplicate email when autoSignIn: false without requireEmailVerification  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8521 (f72e2)
  • Add origin check middleware to password reset request  -  by @jslno in https://github.com/better-auth/better-auth/issues/8392 (271af)
  • Handle skipOriginCheck array  -  by @jslno in https://github.com/better-auth/better-auth/issues/8582 (92895)
  • Resolve duplicate operationId in admin plugin endpoints  -  by @Sigmabrogz and Sigmabrogz in https://github.com/better-auth/better-auth/issues/8570 (3f75e)
  • Misleading rate limit IP warning  -  by @GautamBytes in https://github.com/better-auth/better-auth/issues/8617 (ae861)
  • Prevent revoked sessions from being restored via database fallback  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8708 (767f1)
  • Set stateless cookieCache maxAge to match session expiresIn  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8648 (c8617)
  • account:
  • Use accountId instead of id in accountInfo endpoint  -  by @NathanColosimo and @himself65 in https://github.com/better-auth/better-auth/issues/8346 (f9b8a)
  • adapters:
  • Restore deprecated createAdapter and type exports for backcompat  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8461 (096d9)
  • Use IS NULL / IS NOT NULL for null value comparisons  -  by @olliethedev in https://github.com/better-auth/better-auth/issues/8660 (8682b)
  • api:
  • Return Response for HTTP request contexts  -  by @gustavovalverde in https://github.com/better-auth/better-auth/issues/7521 (8304f)
  • blog:
  • Fix RSS feed link path, image path and blog date  -  by @0-Sandy in https://github.com/better-auth/better-auth/issues/8483 (18e95)
  • cli:
  • Resolve path aliases from extended tsconfig files  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8520 (b5e22)
  • Treat omitted required as true in Drizzle and Prisma generators  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8614 (b0069)
  • client:
  • Preserve stale session data on network or server errors  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8437 (b18b4)
  • Handle throw:true in session refresh  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8610 (f0c1a)
  • core:
  • Prioritize generateId "uuid" over adapter customIdGenerator  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8679 (05565)
  • db:
  • Use CREATE INDEX for postgres migration  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8538 (a980b)
  • docs:
  • Improve AI chat security and cleanup  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8597 (a1a97)
  • Add missing Encore icon to sidebar icons  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8663 (169c2)
  • electron:
  • Handle safeStorage encryption failures gracefully  -  by @jslno in https://github.com/better-auth/better-auth/issues/8530 (b3330)
  • expo:
  • Handle origin override across mutable and immutable requests  -  by @NathanColosimo, Taesu and @bytaesu in https://github.com/better-auth/better-auth/issues/8405 (44ee8)
  • last-login-method:
  • Normalize missing resolver path  -  by @mrgrauel in https://github.com/better-auth/better-auth/issues/8589 (d198a)
  • oauth-provider:
  • CustomIdTokenClaims should override standard claims  -  by @gustavovalverde in https://github.com/better-auth/better-auth/issues/7865 (c5983)
  • Avoid fetch redirect CORS after login  -  by @GautamBytes in https://github.com/better-auth/better-auth/issues/8519 (f46a6)
  • Support prompt=none  -  by @dvanmali in https://github.com/better-auth/better-auth/issues/8554 (54216)
  • Improve allowed paths for oauth_query for client plugin  -  by @dvanmali in https://github.com/better-auth/better-auth/issues/8320 (40e76)
  • Fix dist declaration type errors  -  by @gustavovalverde in https://github.com/better-auth/better-auth/issues/8701 (c41fa)
  • oidc-provider:
  • Validate redirect_uri for prompt=none  -  by @jslno in https://github.com/better-auth/better-auth/issues/8398 (9dff8)
  • one-tap:
  • Opt into FedCM to suppress Google GSI deprecation warnings  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8720 (c2cbb)
  • organization:
  • Handle multi-role users in invite and member removal checks  -  by @himself65 and Copilot Autofix powered by AI in https://github.com/better-auth/better-auth/issues/8442 (6559c)
  • Filter null organizations in listUserInvitations  -  by @raihanbrillmark and Raihan Sharif in https://github.com/better-auth/better-auth/issues/8694 (06e38)
  • prisma-adapter:
  • Use deleteMany when deleting by non-unique field  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8314 (c9b9c)
  • Fall back to updateMany for non-unique updates  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8524 (a5c12)
  • sso:
  • Use internalAdapter for verification operations  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8353 (bd980)
  • Handle bare domains in domain verification  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8369 (71c3a)
  • Use namespace import for samlify to fix ESM compatibility  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8697 (a6763)
  • Skip state cookie check for SAML ACS cross-site POST  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8735 (b647e)
  • stripe:
  • Replace {CHECKOUT_SESSION_ID} placeholder in success callbackURL  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8568 (db470)
  • Improve organization customer search by adding customerType check  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8609 (884e1)
  • telemetry:
  • Use conditional exports to replace dynamic import hacks  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8458 (c8628)
  • two-factor:
  • Wire twoFactorTable option to schema modelName  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8443 (a92a7)
    View changes on GitHub

v1.5.6 · v1.5.6

2026-03-22 · by @github-actions[bot]

   🚀 Features

  • Agent auth plugin  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/8696 (a0b53)
  • core: Add experimental opentelemetry instrumentation  -  by @jonathansamines and @bytaesu in https://github.com/better-auth/better-auth/issues/8027 (1ed42)
  • email-otp: Add resendStrategy option to reuse existing OTP  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8560 (98c8e)
  • magic-link: Add request metadata to sendMagicLink  -  by @mrgrauel in https://github.com/better-auth/better-auth/issues/8571 (cb240)
  • mongo-adapter: Store UUIDs as native BSON UUID  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8681 (d1bff)
  • oauth-provider: Public client prelogin endpoint  -  by @dvanmali in https://github.com/better-auth/better-auth/issues/8214 (a0eb1)
  • organization: Explicit organizationId in team endpoints  -  by @xiaoyu2er and @himself65 in https://github.com/better-auth/better-auth/issues/5062 (8f470)
  • social-provider: Add wechat social provider  -  by @Eric-Song-Nop, Claude and @himself65 in https://github.com/better-auth/better-auth/issues/5189 (c4402)
  • stripe: Allow customizable prorationBehavior per plan  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8525 (98cea)
  • test-utils: Export adapter test suites from @better-auth/test-utils/adapter  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8564 (6be0f)
  • two-factor: Add twoFactorPage in config  -  by @wuzgood98 in https://github.com/better-auth/better-auth/issues/5329 (4f41b)

   🐞 Bug Fixes

  • Handle skipOriginCheck array  -  by @jslno in https://github.com/better-auth/better-auth/issues/8582 (331c4)
  • Prevent revoked sessions from being restored via database fallback  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8708 (d4efa)
  • api:
  • Return Response for HTTP request contexts  -  by @gustavovalverde in https://github.com/better-auth/better-auth/issues/7521 (9e3e8)
  • client:
  • Handle throw:true in session refresh  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8610 (275ca)
  • core:
  • Prioritize generateId "uuid" over adapter customIdGenerator  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8679 (fc0bc)
  • docs:
  • Improve AI chat security and cleanup  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8597 (5c0c8)
  • Add missing Encore icon to sidebar icons  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8663 (cd5b8)
  • electron:
  • Handle safeStorage encryption failures gracefully  -  by @jslno in https://github.com/better-auth/better-auth/issues/8530 (04766)
  • oauth-provider:
  • Support prompt=none  -  by @dvanmali in https://github.com/better-auth/better-auth/issues/8554 (812fd)
  • Improve allowed paths for oauth_query for client plugin  -  by @dvanmali in https://github.com/better-auth/better-auth/issues/8320 (ccded)
  • Fix dist declaration type errors  -  by @gustavovalverde in https://github.com/better-auth/better-auth/issues/8701 (ec79f)
  • organization:
  • Filter null organizations in listUserInvitations  -  by @raihanbrillmark and Raihan Sharif in https://github.com/better-auth/better-auth/issues/8694 (a62cb)
  • sso:
  • Use namespace import for samlify to fix ESM compatibility  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8697 (71f70)
  • stripe:
  • Replace {CHECKOUT_SESSION_ID} placeholder in success callbackURL  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8568 (32704)
  • Improve organization customer search by adding customerType check  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8609 (74ec7)
    View changes on GitHub

v1.4.22 · v1.4.22

2026-03-16 · by @github-actions[bot]

   🐞 Bug Fixes

  • cli: Warn when old @better-auth/cli is used with better-auth v1.5.x+  -  by @himself65 (73ca9)
    View changes on GitHub

v1.5.5 · v1.5.5

2026-03-11 · by @github-actions[bot]

   🚀 Features

  • oauth-provider: Pairwise subject identifiers (OIDC Core §8)  -  by @gustavovalverde and @himself65 in https://github.com/better-auth/better-auth/issues/8292 (6c09f)

   🐞 Bug Fixes

  • Pass user field through idToken sign-in body for Apple name support  -  by @bytaesu and Copilot in https://github.com/better-auth/better-auth/issues/8417 (d364e)
  • Add missing SubpageItem properties for docs-sidebar compatibility  -  by @bytaesu (6bcd7)
  • Add icon prop to SubpageLink component  -  by @bytaesu (95538)
  • Correct sign-in link to dash.better-auth.com  -  by @bytaesu (058bb)
  • Restore features.tsx and align import with canary  -  by @bytaesu (e5ebb)
  • Add suppressHydrationWarning to video elements  -  by @bytaesu (8e0e5)
  • Preserve custom session fields on focus refresh  -  by @jslno in https://github.com/better-auth/better-auth/issues/8354 (2bd99)
  • Throw on duplicate email when autoSignIn: false without requireEmailVerification  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8521 (e3e66)
  • Add origin check middleware to password reset request  -  by @jslno in https://github.com/better-auth/better-auth/issues/8392 (497b1)
  • adapters: Restore deprecated createAdapter and type exports for backcompat  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8461 (eb848)
  • blog: Fix RSS feed link path, image path and blog date  -  by @0-Sandy in https://github.com/better-auth/better-auth/issues/8483 (67c6d)
  • cli: Resolve path aliases from extended tsconfig files  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8520 (11ef0)
  • client: Preserve stale session data on network or server errors  -  by @bytaesu in https://github.com/better-auth/better-auth/issues/8437 (9a229)
  • db: Use CREATE INDEX for postgres migration  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8538 (b9e54)
  • oauth-provider: Avoid fetch redirect CORS after login  -  by @GautamBytes in https://github.com/better-auth/better-auth/issues/8519 (c0366)
  • oidc-provider: Validate redirect_uri for prompt=none  -  by @jslno in https://github.com/better-auth/better-auth/issues/8398 (ff352)
  • organization: Handle multi-role users in invite and member removal checks  -  by @himself65 and Copilot Autofix powered by AI in https://github.com/better-auth/better-auth/issues/8442 (23f18)
  • prisma-adapter: Fall back to updateMany for non-unique updates  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8524 (3f16e)
  • sso: Handle bare domains in domain verification  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8369 (fb7a0)
  • telemetry: Use conditional exports to replace dynamic import hacks  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8458 (3ecd2)
  • two-factor: Wire twoFactorTable option to schema modelName  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8443 (f4604)
    View changes on GitHub

v1.5.4 · v1.5.4

2026-03-06 · by @github-actions[bot]

   🐞 Bug Fixes

  • Move adapter packages to dependencies to fix missing module errors  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8401 (56857)
  • expo: Handle origin override across mutable and immutable requests  -  by @NathanColosimo, Taesu and @bytaesu in https://github.com/better-auth/better-auth/issues/8405 (b7a31)
    View changes on GitHub

v1.5.3 · v1.5.3

2026-03-04 · by @github-actions[bot]

   🐞 Bug Fixes

  • account: Use accountId instead of id in accountInfo endpoint  -  by @NathanColosimo and @himself65 in https://github.com/better-auth/better-auth/issues/8346 (efcc2)
  • sso: Use internalAdapter for verification operations  -  by @himself65 in https://github.com/better-auth/better-auth/issues/8353 (e3bc6)
    View changes on GitHub