All of the changes made will be available here.

Better Auth is comprehensive authentication library for TypeScript that provides a wide range of features to make authentication easier and more secure.

DocumentationGitHubCommunity

BETTER-AUTH.

v1.3.27

🐞 Bug Fixes

  • Session update database hook should expect partial session type – @Bekacru
  • Deprecate options.advanced.generateId type – @himself65
  • Api keys should properly check if a request is from client or server – @Bekacru
  • Improve username transformation logic – @ping-maxwell
  • api-key:
  • organization:
    • Prevent empty name and slug in create/update  -  by @kira-1011 in https://github.com/better-auth/better-auth/issues/5100 <samp>(ed21e)</samp>
  • sso:
    • OIDC scopes should fallback to provider scopes  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/5071 <samp>(01d44)</samp>
    • Add deprecated flag to the old sso plugin export  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/5138 <samp>(2da12)</samp>
  • stripe:
    • Throw error if event failed to be constructed  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/5088 <samp>(6212a)</samp>
  • telemetry:
    • Avoid async import if telemetry disabled, fix for esbuild  -  by @erquhart in https://github.com/better-auth/better-auth/issues/5086 <samp>(a3e57)</samp>
  • url:
    • Handle empty and root path in withPath, prevent double slashes, add tests  -  by @surafel58 in https://github.com/better-auth/better-auth/issues/5091 <samp>(1c466)</samp>
    View changes on GitHub

v1.3.26

🐞 Bug Fixes

  • [security] api keys should properly check if a request is from client or server – @Bekacru
  • api-key: Shouldn't issue api key a mock session by default – @Bekacru
    View changes on GitHub

v1.3.25

🚀 Features

  • Additional fields on account – @dvanmali
  • Add support for custom callback for token url – @acusti
  • captcha: Add support for CaptchaFox – @tgrassl
  • cli: Add mcp client configs from cli@Kinfe123 @himself65

🐞 Bug Fixes

  • Support compressed ipv6 format – @Velka-DEV
  • Add required constraint to slug filed in org plugin – @bytaesu
  • Use consistent messaging on requestPasswordReset@Eazash
  • Cookie size limit shouldn't throw error – @Bekacru @himself65
  • Handle symbols in proxy get trap to prevent TypeError – @zbeyens @himself65
  • Ttl for rate limited secondary storage – @dvanmali
  • adapter:
    • Use updated field values in WHERE clause during update  -  by @QuintenStr and @ping-maxwell in https://github.com/better-auth/better-auth/issues/5004 <samp>(3e298)</samp>
    • Foreign keys that are nullable on number ids can return string of null  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/5036 <samp>(84e99)</samp>
  • api-key:
    • Correct refill interval time calculation  -  by @Pankaj3112 and @himself65 in https://github.com/better-auth/better-auth/issues/4871 <samp>(64ac8)</samp>
  • client:
    • Add lynx client exports  -  by @JagritGumber in https://github.com/better-auth/better-auth/issues/4950 <samp>(70202)</samp>
  • device-authorization:
    • Fix client error type for deny device  -  by @3ddelano in https://github.com/better-auth/better-auth/issues/5022 <samp>(ec788)</samp>
  • last-login-method:
    • Custom resolver method default logic  -  by @ThibautCuchet in https://github.com/better-auth/better-auth/issues/4821 <samp>(2616e)</samp>
  • oauth-proxy:
    • Should skip state check for oauth proxy  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/4991 <samp>(a3c1d)</samp>
  • oidc:
    • Properly enforce consent requirements per OIDC spec  -  by @himself65 in https://github.com/better-auth/better-auth/issues/4974 <samp>(20704)</samp>
  • org:
    • Update type to include undefined  -  by @himself65 in https://github.com/better-auth/better-auth/issues/5003 <samp>(cce9e)</samp>
  • sso:
    • Safe json parsing for saml/oidc configs  -  by @natetewelde and @himself65 in https://github.com/better-auth/better-auth/issues/4858 <samp>(d09c7)</samp>
    • Prevent duplicate SSO provider creation with same providerId  -  by @xiaoyu2er in https://github.com/better-auth/better-auth/issues/5033 <samp>(cfe64)</samp>
  • stripe:
    • Update with an existing subscription  -  by @himself65 in https://github.com/better-auth/better-auth/issues/4988 <samp>(6a288)</samp>
    • Sync customer email on db change  -  by @himself65 in https://github.com/better-auth/better-auth/issues/4995 <samp>(cdd7b)</samp>
    • getCustomerCreateParams not actually being called  -  by @ebalo55 and @himself65 in https://github.com/better-auth/better-auth/issues/5019 <samp>(cdd6f)</samp>

🏎 Performance

  • Lazy load create telemetry – @himself65
    View changes on GitHub

v1.3.24

🚀 Features

  • Add support for custom callback for authorization url – @Bekacru

🐞 Bug Fixes

  • Refresh secondary storage sessions on user update – @frectonz
  • cli: Timestamp in schema for Drizzle with SQLite – @zy1p
  • db: onDelete is ignored – @himself65
  • deps: Update dependency @nanostores/react to v1 –

🏎 Performance

  • Improve type Auth@himself65
    View changes on GitHub

v1.3.19

🐞 Bug Fixes

  • getSession shouldn't expose options and path types – @Bekacru
    View changes on GitHub

v1.3.18

🐞 Bug Fixes

  • Ttl sessions list expiration – @dvanmali
  • Tests failing due to clock drift – @dvanmali
  • Moved email verification check after password check – @QuintenStr
  • cli: DefaultNow is deprecated in schema for Drizzle with SQLite – @himself65
  • custom-session: Don't overwrite the Set-Cookie header – @frectonz
  • email-otp: Call reset password callback – @HoshangDEV
    View changes on GitHub

v1.3.17

🚀 Features

  • sso: Provide default service provider metadata – @dvanmali

🐞 Bug Fixes

  • nuxt: Avoid load env base url for SSR – @himself65
    View changes on GitHub

v1.3.16

No significant changes

    View changes on GitHub

v1.3.15

🐞 Bug Fixes

  • types: Include null in getSession return type – @jcajuab
    View changes on GitHub

v1.3.14

🚀 Features

  • passkey: Allow multiple passkey origins – @kevcube
  • sso: DefaultSSO options and ACS endpoint – @Kinfe123

🐞 Bug Fixes

  • Wrap Math.floor around the division when calculating TTL – @DevDuki, @himself65
  • api-key:
    • Calling client on server side  -  by @himself65 in https://github.com/better-auth/better-auth/issues/4777 <samp>(d384e)</samp>
  • mcp:
    • Missing Content-Type header for mcp DCR  -  by @Berndwl in https://github.com/better-auth/better-auth/issues/4763 <samp>(a6b2e)</samp>
  • organization:
    • Pass ctx to DB hooks  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/4769 <samp>(39c21)</samp>
    • Allow passing id through beforeCreateOrganization  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/4765 <samp>(25a43)</samp>
  • username:
    • Username should respect send on sign config  -  by @QuintenStr in https://github.com/better-auth/better-auth/issues/4799 <samp>(ac49e)</samp>
    View changes on GitHub

v1.3.13

🚀 Features

  • Add returnHeaders to getSession@frectonz
  • last-login-method: Update OAuth login method tracking for multiple auth type – @Kinfe123

🐞 Bug Fixes

  • client: BaseURL is undefined for SSR – @himself65
  • organization: Remove autoCreateOnSignUp option as it's not implemented yet – @Bekacru
  • passkey: Remove email from query – @himself65
    View changes on GitHub

v1.3.12

🚀 Features

  • discord: Allow specification of permissions – @TheUntraceable @Bekacru
  • email-otp: Allow returning undefined in generateOTP@ping-maxwell

🐞 Bug Fixes

  • Device authorization plugin – @bytaesu
  • Reduce any type in generator.ts – @himself65
  • Refresh secondary storage sessions on user update – @frectonz
  • Allow disable database transaction – @himself65
  • adapter:
    • Returning null as string for optional id references  -  by @jslno in https://github.com/better-auth/better-auth/issues/4713 <samp>(c6e5d)</samp>
  • api-key:
    • Cascade api keys on user deletion  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/4703 <samp>(62b50)</samp>
  • create-adapter:
    • Disable transaction by default  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/4750 <samp>(4a434)</samp>
  • organization:
    • Decouple client and server permission checks  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/4707 <samp>(adfc4)</samp>
    • Membership check for organizations with large member counts  -  by @Badbird5907 and @himself65 in https://github.com/better-auth/better-auth/issues/4724 <samp>(97b02)</samp>
  • stripe:
    • OnCustomerCreate should be called even if update user isn't returned  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/4716 <samp>(d3509)</samp>
    View changes on GitHub

v1.3.11

🚀 Features

  • Flip emailVerified when link the account – @himself65

🐞 Bug Fixes

  • Check if user exists before banning the user – @anmol-fzr, @himself65
  • Timestamp issues in kysely – @frectonz @himself65
  • Respect errorCallbackURL in failed oauth flows – @frectonz
  • plugins: Asynchronous init@LightTab2 @himself65
    View changes on GitHub

v1.3.10

   Maintenance update: We fixed lots of issues from the community. Thanks to everyone for contributing to better-auth.

🚀 Features

  • Add getActiveRoleMember – @fathisiddiqi, @Kinfe123 @himself65
  • Database transaction support – @himself65
  • logger: Option to disable colors – @martiinii @himself65
  • passkey: Error codes in passkey client – @frectonz, @Kinfe123 @Bekacru
  • sqlite: Remove autoincrement for SQLite – @pspeter3

🐞 Bug Fixes

  • Ignore cookiecache on auth sensitive functions – @Kinfe123
  • Custom field for refreshTokenExpiresAt@himself65
  • Return local IP in development mode – @DiiiaZoTe @himself65
  • Make cookie cache respect dontRememberMe mode – @frectonz
  • Normalize zod imports – @gabrielmar
  • Check endpoint conflicts respect method@himself65
  • Respect username validator – @azaek @himself65
  • Set clientId in ProviderOptions to unknown by default – @himself65
  • Pick the first clientId for oauth provider – @himself65
  • Remove use of global.crypto@himself65
  • Should infer types correctly when empty list of plugins is provided – @frectonz
  • Correct MongoDB adapter import path in CLI – @aajeeth-m
  • Make sure fetch function doesn't get called repeatedly on onMount@frectonz
  • Prevent lastLoginMethod plugin from setting cookie on failed auth – @Kinfe123
  • admin:
    • Change the order of role and user id check when both are provider on userHasPermission  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/4653 <samp>(29c57)</samp>
  • anonymous:
    • Prevent false positive error on first anonymous sign-in  -  by @ajanraj and @himself65 in https://github.com/better-auth/better-auth/issues/3662 <samp>(96804)</samp>
  • cli:
    • info shows the correct version  -  by @himself65 in https://github.com/better-auth/better-auth/issues/4547 <samp>(7faae)</samp>
    • Add missing JSON type to schema generation  -  by @TheGB0077 and @Kinfe123 in https://github.com/better-auth/better-auth/issues/4494 <samp>(20e87)</samp>
  • demo:
    • Update forgot password link to /forget-password  -  by @GivenBY in https://github.com/better-auth/better-auth/issues/4567 <samp>(94450)</samp>
  • docs:
    • Remove duplicated RFC compliance mention  -  by @TheUntraceable in https://github.com/better-auth/better-auth/issues/4581 <samp>(5f80c)</samp>
  • expo:
    • window.crypto is undefined  -  by @himself65 in https://github.com/better-auth/better-auth/issues/4620 <samp>(7dbc5)</samp>
    • Missing peer deps  -  by @himself65 in https://github.com/better-auth/better-auth/issues/4617 <samp>(16160)</samp>
  • lastLoginMethod:
    • Inherit cross-subdomain cookie settings in lastLoginMethod plugin  -  by @lumpinif in https://github.com/better-auth/better-auth/issues/4572 <samp>(78424)</samp>
  • memory-adapter:
    • Should respect where connector  -  by @jslno in https://github.com/better-auth/better-auth/issues/4549 <samp>(784db)</samp>
  • multi-session:
    • Multi-session cookie name preface preventing multiple accounts signed in  -  by @PacifismPostMortem in https://github.com/better-auth/better-auth/issues/4505 <samp>(8eb64)</samp>
  • one-time-token:
    • Typo and clean  -  by @gabrielmar in https://github.com/better-auth/better-auth/issues/4579 <samp>(01365)</samp>
  • organization:
    • checkRolePermission shouldn't be a promise  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/4533 <samp>(abfc4)</samp>
    • Member and team hooks should apply on create organization  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/4600 <samp>(7fc23)</samp>
    • Before org create hooks not applying customized data  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/4623 <samp>(da9b8)</samp>
    • [security] updateOrgRole should check for userId properly  -  by @Bekacru <samp>(12a9d)</samp>
    • Restrict role check by user id  -  by @himself65 in https://github.com/better-auth/better-auth/issues/4641 <samp>(f5fd8)</samp>
  • prisma:
    • Handle optional field relation types correctly  -  by @LiYulin-s in https://github.com/better-auth/better-auth/issues/4630 <samp>(80b73)</samp>
  • stripe:
    • Properly resolve plans by lookup keys  -  by @AlexProgrammerDE in https://github.com/better-auth/better-auth/issues/4499 <samp>(b531d)</samp>
    • Subscription is created without completing payment  -  by @himself65 in https://github.com/better-auth/better-auth/issues/4548 <samp>(e663f)</samp>
    • Prevent multiple free trials for same user  -  by @RikhiSingh in https://github.com/better-auth/better-auth/issues/4562 <samp>(1bb12)</samp>
    • Use correct request method for billing-portal  -  by @danielepintore in https://github.com/better-auth/better-auth/issues/4613 <samp>(9f23e)</samp>
  • tiktok:
    • Remove client_secrect from authorizationUrl  -  by @arslan2012 in https://github.com/better-auth/better-auth/issues/4511 <samp>(71aeb)</samp>
  • username:
    • Add missing normalization  -  by @bortoz and @himself65 in https://github.com/better-auth/better-auth/issues/3636 <samp>(9d316)</samp>
    • Sign in should work with post normalization  -  by @Bekacru and @himself65 in https://github.com/better-auth/better-auth/issues/4599 <samp>(b2dfb)</samp>
  • vue:
    • Correct baseURL  -  by @himself65 in https://github.com/better-auth/better-auth/issues/4578 <samp>(90ea9)</samp>
    View changes on GitHub