better-auth

Releases: 44 | Avg: 13/mo | Versions: v1.4.16 → v1.6.9

Apr 24, 2026

better-auth

Bug Fixes

  • Fixed instrumentation resolution in the adapter factory so edge and browser environments correctly use the pure variant (#9340)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@erquhart

Full changelog: v1.6.8...v1.6.9

Apr 23, 2026

better-auth

Bug Fixes

  • Fixed mapProfileToUser fallback for OAuth providers that may omit email from their profile response (#9331)
  • Fixed support for passing id through beforeCreateTeam and beforeCreateInvitation hooks (#9253)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed authorization flows that do not include a state parameter (#9328)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed incompatibility with TypeScript's exactOptionalPropertyTypes compiler option (#9270)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@baptisteArno, @gustavovalverde, @ping-maxwell

Full changelog: v1.6.7...v1.6.8

Apr 22, 2026

better-auth

Features

  • Added userId and organizationId parameters to the listUserTeams API for scoped team lookups without switching the active organization (#8977)
  • Added support for passing an array of client IDs as the ID token audience in social providers (#9292)

Bug Fixes

  • Fixed forceAllowId UUIDs being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid" (#9068)
  • Fixed response headers being lost when an APIError is thrown (#9211)
  • Fixed $sessionSignal not being triggered for session-rotating endpoints (#9087)
  • Fixed the partitioned cookie attribute being dropped on set-cookie round-trips (#9235)
  • Fixed the ./instrumentation module to export a no-op in browser and edge environments (#9281)
  • Fixed disableRefresh query parameter validation in custom sessions to correctly coerce string values to booleans (#9214)
  • Fixed a crash when the request body is undefined during OAuth2 state parsing (#9293)
  • Fixed team additional fields not being inferred correctly in the organization plugin (#9266)
  • Fixed updateUser to allow removing a phone number (#9219)
  • Fixed callbackOnVerification not being called when updatePhoneNumber is enabled (#4894)
  • Reverted two-factor enforcement to credential sign-in flows only, removing the unintended challenge on magic link, OAuth, passkey, and other non-credential sign-in methods (#9205)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

❗ Breaking Changes

  • Updated all OAuth 2.0 endpoints to return RFC-compliant { error, error_description } error envelopes for validation failures (#9277)

Migration: All six OAuth endpoints (/oauth2/token, /oauth2/authorize, /oauth2/revoke, /oauth2/introspect, /oauth2/register, /oauth2/end-session) now emit structured { error, error_description } responses per RFC 6749 §5.2. Update any client code that previously parsed the raw validation error format from these endpoints.

Bug Fixes

  • Fixed host classification inconsistencies across packages that could allow SSRF attacks (#9226)
  • Fixed the userinfo endpoint to correctly read the Authorization header when called via auth.api (#9244)

For detailed changes, see CHANGELOG

@better-auth/api-key

Features

  • Added mapConcurrent utility for bounded-concurrency iteration (#9227)

Bug Fixes

  • Fixed secondary-storage API key operations to run in parallel, improving performance (#9187)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Required patched drizzle-orm ^0.45.2 and kysely ^0.28.14 peer versions to track vulnerability fixes (#9165)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

  • Fixed cached session data not being read from SecureStore on app startup (#8953)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed passkey authentication verification not returning the authenticated user (#5209)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @GautamBytes, @gustavovalverde, @Kinfe123, @ouwargui, @ping-maxwell, @ramonclaudio, @ruban-s, @stewartjarod, @TanishValesha, @terijaki

Full changelog: v1.7.0-beta.1...v1.7.0-beta.2

better-auth

Features

  • Added support for an array of client IDs as the ID token audience in social providers (#9292)

Bug Fixes

  • Fixed response headers being lost when an APIError is thrown (#9211)
  • Fixed browser and edge runtime errors by serving a no-op ./instrumentation module in those environments (#9281)
  • Fixed a crash when parsing OAuth2 state with an undefined request body (#9293)
  • Fixed callbackOnVerification not being called when updatePhoneNumber is enabled (#4894)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed the userinfo endpoint to read the Authorization header from request context when using auth.api (#9244)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed passkey authentication verification not returning the user (#5209)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@gustavovalverde, @Kinfe123, @ouwargui, @ramonclaudio, @stewartjarod, @TanishValesha

Full changelog: v1.6.6...v1.6.7

Apr 21, 2026

better-auth

Bug Fixes

  • Fixed preservation of the Partitioned attribute when forwarding Set-Cookie headers (#9235)
  • Fixed boolean coercion for the disableRefresh query parameter in custom session validation (#9214)
  • Fixed incorrect inference of team additional fields in the organization plugin (#9266)
  • Added support for removing a phone number via updateUser({ phoneNumber: null }) (#9219)

For detailed changes, see CHANGELOG

@better-auth/core

Features

  • Added mapConcurrent, a bounded-concurrency async utility, at @better-auth/core/utils/async (#9227)

Bug Fixes

  • Made @opentelemetry/api an optional peer dependency (#9111)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Improved performance by running secondary-storage API key lookups in parallel (#9187)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

  • Fixed session loading to read cached data from SecureStore on app startup, eliminating the login screen flash for returning users (#8953)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed several SSRF vulnerabilities by unifying host classification and closing loopback bypass vectors across packages (#9226)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed an ESM/CJS compatibility issue when loading samlify (#9262)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @gustavovalverde, @jonathansamines, @ping-maxwell, @terijaki

Full changelog: v1.6.5...v1.6.6

Apr 16, 2026

better-auth

Bug Fixes

  • Clarified recommended production usage for the test utils plugin (#9119)
  • Fixed session not refreshing after /change-password and /revoke-other-sessions (#9087)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Security

  • Fixed GHSA-xr8f-h2gw-9xh6, a high-severity authorization bypass in @better-auth/oauth-provider where unprivileged authenticated users could create OAuth clients when deployments relied on clientPrivileges to restrict client creation.
  • First patched stable version: @better-auth/oauth-provider@1.6.5.
  • Note: the published beta line (1.7.0-beta.0 and 1.7.0-beta.1) remains affected until a fixed beta release is published.

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@GautamBytes, @ramonclaudio

Full changelog: v1.6.4...v1.6.5

Apr 15, 2026

better-auth

Bug Fixes

  • Fixed forceAllowId UUIDs set in database hooks being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid" (#9068)
  • Reverted 2FA enforcement scope to credential sign-in paths only, so magic link, email OTP, OAuth, SSO, passkey, and other non-credential sign-in flows no longer trigger a 2FA challenge (#9205)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@GautamBytes, @gustavovalverde

Full changelog: v1.6.3...v1.6.4

better-auth

Bug Fixes

  • Fixed dynamic baseURL resolution from request headers for direct auth.api calls (#9113)
  • Fixed a race condition in the client that caused excessive requests due to isMounted timing issues (#9078)
  • Fixed 2FA enforcement to apply across all sign-in paths, including magic link, OAuth, passkey, and email OTP (#9122)
  • Fixed backup code updates to respect the configured storeBackupCodes storage strategy after verification (#7231)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

❗ Breaking Changes

  • Rewrote the generic OAuth plugin as a first-class social provider with OAuth 2.1 security defaults (#9069)

Migration: Replace signIn.oauth2({ providerId }) with signIn.social({ provider }), oauth2.link() with linkSocial(), and update your IdP callback URLs from /api/auth/oauth2/callback/:id to /api/auth/callback/:id. Remove genericOAuthClient(), issuer, and requireIssuerValidation from your config. Set pkce: false for providers that reject PKCE challenges.

Features

  • Added customTokenResponseFields callback to inject custom fields into token endpoint responses, and hardened authorization code validation (#9118)
  • Added at_hash claim to ID tokens to cryptographically bind them to their access tokens, per OIDC Core §3.1.3.6 (#9079)

Bug Fixes

  • Fixed dynamic baseURL resolution to correctly handle trusted proxy headers, loopback addresses, and forwarded requests in plugin metadata helpers (#9131)
  • Fixed unauthenticated dynamic client registration to automatically downgrade confidential auth methods to public client, improving compatibility with MCP clients (#9123)

For detailed changes, see CHANGELOG

@better-auth/sso

❗ Breaking Changes

  • Consolidated the SAML ACS endpoint, removed callbackUrl from samlConfig, and fixed SLO session matching (#9117)

Migration: Remove callbackUrl from samlConfig (the ACS URL is now auto-derived from baseURL and providerId) and update your IdP's ACS URL to /sso/saml2/sp/acs/:providerId. Remove decryptionPvk, additionalParams, idpMetadata.entityURL, and idpMetadata.redirectURL from SAMLConfig if present. The spMetadata field is now optional and can be removed.

Bug Fixes

  • Upgraded samlify to 2.12.0, adding XPath injection protection and XXE prevention for SAML XML processing (#9121)

For detailed changes, see CHANGELOG

✨ @better-auth/cimd ✨

Features

  • Added the @better-auth/cimd plugin for Client ID Metadata Document support, enabling URL-based client identification for MCP and dynamic client discovery flows (#9159)

For package details, see README

@better-auth/stripe

Bug Fixes

  • Fixed a prototype pollution vulnerability in the Stripe plugin when handling user-supplied metadata (#9164)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @Byte-Biscuit, @gustavovalverde, @ping-maxwell

Full changelog: v1.7.0-beta.0...v1.7.0-beta.1

Apr 14, 2026

better-auth

Features

  • Added support for Stripe SDK v21 and v22 (#9084)

Bug Fixes

  • Fixed incorrect operationId for the requestPasswordResetCallback endpoint in the OpenAPI spec (#9072)
  • Fixed dynamic baseURL resolution from request headers for direct auth.api calls (#9113)
  • Fixed isMounted race condition that caused excessive requests per second in the client (#9078)
  • Fixed nullable schema for the get-session endpoint in the OpenAPI 3.1 spec (#8389)
  • Fixed checkout and upgrade flows to omit quantity for metered prices (#8926)
  • Fixed 2FA enforcement to trigger on all sign-in paths, including magic-link, OAuth, passkey, email-OTP, and SIWE (#9122)
  • Fixed backup code updates to respect the configured storeBackupCodes storage strategy after verification (#7231)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Features

  • Added customTokenResponseFields callback for injecting custom fields into token endpoint responses, and hardened authorization code validation (#9118)

Bug Fixes

  • Hardened dynamic baseURL resolution for direct auth.api calls and plugin metadata helpers (#9131)
  • Fixed unauthenticated dynamic client registration to silently override confidential auth methods to public, improving compatibility with MCP clients (#9123)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed multiple SAML response processing bugs, including ACS URL generation, encryption field handling, and provider config parsing (#9097)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed prototype pollution vulnerability when merging user-supplied metadata in the Stripe plugin (#9164)

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Fixed tsconfig path alias resolution for extended configs and mid-path wildcards in the CLI (#9032)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @Byte-Biscuit, @gustavovalverde, @Oluwatobi-Mustapha, @ping-maxwell, @ramonclaudio

Full changelog: v1.6.2...v1.6.3

Apr 10, 2026

better-auth

❗ Breaking Changes

  • feat(two-factor)!: add OTP enablement and discriminated response (#9057)

    enableTwoFactor now accepts a method parameter ("otp" | "totp", default "totp") and returns a discriminated response with a method field.

    method: "otp"

    • Sets twoFactorEnabled: true immediately.
    • Returns { method: "otp" }.
    • Requires otpOptions.sendOTP to be configured on the server; rejects with OTP_NOT_CONFIGURED otherwise.

    method: "totp" (default)

    • Returns { method: "totp", totpURI, backupCodes }.
    • Rejects with TOTP_NOT_CONFIGURED if totpOptions.disable is set.

    Breaking changes

    • Removed skipVerificationOnEnable: use method: "otp" for immediate activation, or the standard TOTP verification flow.
    • Response shape changed: enableTwoFactor includes a method field in the response ("otp" or "totp").

Features

  • feat(stripe): support Stripe SDK v21 and v22 (#9084)

Bug Fixes

  • fix: incorrect operationId in password reset callback endpoint (#9072)
  • fix(open-api): correct get-session nullable schema for OAS 3.1 (#8389)
  • fix(stripe): omit quantity for metered prices in checkout and upgrades (#8926)

For detailed changes, see CHANGELOG

@better-auth/sso

❗ Breaking Changes

  • fix(sso)!: harden SAML response validation (InResponseTo, Audience, SessionIndex) (#9055)

    Breaking Changes

    • allowIdpInitiated now defaults to false — IdP-initiated SSO (unsolicited SAML responses) is disabled by default. Set saml.allowIdpInitiated: true to restore the previous behavior. This aligns with the SAML2Int interoperability profile which recommends against IdP-initiated SSO due to its susceptibility to injection attacks.

    Bug Fixes

    • InResponseTo validation was completely non-functional — The code read extract.inResponseTo (always undefined) instead of samlify's actual path extract.response.inResponseTo. SP-initiated InResponseTo validation now works as intended in both ACS handlers.
    • Audience Restriction was never validated — SAML assertions issued for a different service provider were accepted without checking the <AudienceRestriction> element. Audience is now validated against the configured samlConfig.audience value per SAML 2.0 Core §2.5.1.
    • SessionIndex stored as object instead of string — samlify returns sessionIndex from login responses as { authnInstant, sessionNotOnOrAfter, sessionIndex }, but the code stored the whole object. SLO session-index comparisons always failed silently. The correct inner sessionIndex string is now extracted.

    Improvements

    • Extracted shared validateInResponseTo() and validateAudience() into packages/sso/src/saml/response-validation.ts, eliminating ~160 lines of duplicated validation logic between the two ACS handlers.
    • Fixed SAMLAssertionExtract type to match samlify's actual extractor output shape.

Bug Fixes

  • fix(sso): unify SAML response processing and fix bugs (#9097)

For detailed changes, see CHANGELOG
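
The three SAML checks described in the #9055 notes above, written out as an added example (this is not better-auth's own code). The function names, the sample values and the position of `audience` on the extract are assumptions; the `response.inResponseTo` path and the `sessionIndex` object shape are as the notes state them.

```javascript
// Constructed sample, shaped like the extractor output the release notes describe.
const sampleExtract = {
  response: { id: "_resp-1", inResponseTo: "_req-abc" },
  audience: "https://sp.example.test/saml", // assumed location of the audience value
  sessionIndex: {
    authnInstant: "2026-04-10T10:00:00Z",
    sessionNotOnOrAfter: "2026-04-10T18:00:00Z",
    sessionIndex: "_sess-42",
  },
};

// Pre-fix read described in the notes: this path is always undefined, so a
// validator built on it treats every response as unsolicited.
function readInResponseToBuggy(extract) {
  return extract.inResponseTo;
}

// Corrected read: the value sits under `response`.
function readInResponseTo(extract) {
  return extract?.response?.inResponseTo;
}

// Return the inner SessionIndex string, whether the extractor produced a
// bare string or the { authnInstant, sessionNotOnOrAfter, sessionIndex } object.
function sessionIndexOf(extract) {
  const s = extract?.sessionIndex;
  if (typeof s === "string") return s;
  return typeof s?.sessionIndex === "string" ? s.sessionIndex : undefined;
}

// Hypothetical validator combining the three checks. `pendingRequestIds` is a
// Set of AuthnRequest IDs this SP issued and has not yet seen answered.
function validateSamlResponse(extract, options) {
  const { pendingRequestIds, expectedAudience, allowIdpInitiated = false } = options;

  // 1. InResponseTo: unsolicited responses are rejected unless explicitly allowed.
  const inResponseTo = readInResponseTo(extract);
  if (inResponseTo === undefined || inResponseTo === "") {
    if (!allowIdpInitiated) return { ok: false, reason: "unsolicited_response" };
  } else if (!pendingRequestIds.delete(inResponseTo)) {
    // delete() is false when the ID was never issued or was already consumed,
    // so a replayed response fails here.
    return { ok: false, reason: "unknown_in_response_to" };
  }

  // 2. Audience: the assertion must name this SP; fail closed when unset.
  const audiences = [].concat(extract?.audience ?? []);
  if (!expectedAudience || !audiences.includes(expectedAudience)) {
    return { ok: false, reason: "audience_mismatch" };
  }

  // 3. SessionIndex: store the string so later logout comparisons can match.
  return { ok: true, sessionIndex: sessionIndexOf(extract) };
}
```
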

@better-auth/oauth-provider

Features

  • feat(oauth): add private_key_jwt client authentication (RFC 7523) (#8836)

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • fix(cli): handle extends and mid-path wildcards in tsconfig paths (#9032)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @gustavovalverde, @Oluwatobi-Mustapha, @ramonclaudio

Full changelog: v1.6.2...v1.7.0-beta.0

Apr 9, 2026

better-auth

❗ Breaking Changes

  • Prevented unverified TOTP enrollment from blocking sign-in (#8711)

Migration: Schema migration required.

Add the verified column to the twoFactor table, then regenerate/apply your ORM migration.

  • Prisma: run npx auth@latest generate, then npx prisma migrate dev (or npx prisma db push) and npx prisma generate.
  • Drizzle: run npx auth@latest generate, then npx drizzle-kit generate and npx drizzle-kit migrate.

Existing rows do not need a backfill because the column defaults to true.

Features

  • Included enabled 2FA methods in sign-in redirect response (#8772)

Bug Fixes

  • Fixed OAuth state verification against cookie-stored nonce to prevent CSRF (#8949)
  • Fixed infinite router refresh loops in nextCookies() by replacing cookie probe with header-based RSC detection (#9059)
  • Fixed cross-provider account collision in link-social callback (#8983)
  • Included RelayState in signed SAML AuthnRequests (#9058)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed multi-valued query params collapsing through prompt redirects (#9060)
  • Rejected skip_consent at schema level in dynamic client registration (#8998)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAMLResponse decoding failures caused by line-wrapped base64 (#8968)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@aarmful, @cyphercodes, @dvanmali, @gustavovalverde, @jaydeep-pipaliya, @ping-maxwell

Full changelog: v1.6.1...v1.6.2

Apr 8, 2026

better-auth

Bug Fixes

  • Fixed endpoint instrumentation to always use the route template (#9023)
  • Returned INVALID_PASSWORD for all checkPassword failures (#8902)
  • Restored getSession accessibility in generic Auth<O> context (#9017)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @jonathansamines, @ping-maxwell

Full changelog: v1.6.0...v1.6.1

Apr 6, 2026

Blog post: Better Auth 1.6

better-auth

❗ Breaking Changes

  • Aligned freshAge calculation with session creation time instead of update time (#8762)

Migration: session.freshAge now calculates from createdAt. Set session: { freshAge: 0 } to disable the check entirely.

Features

  • Added experimental OpenTelemetry instrumentation for endpoints, hooks, middleware, and database operations (#8027)
  • Added resendStrategy option to reuse existing OTP in email-otp plugin (#8560)
  • Added enable option for HaveIBeenPwned plugin (#8728)
  • Added request metadata to sendMagicLink callback (#8571)
  • Added dedicated secret option to OAuth proxy to reduce shared key exposure (#8699)
  • Added explicit organizationId parameter in team endpoints (#5062)
  • Added WeChat social provider (#5189)
  • Added twoFactorPage config option for custom 2FA page routing (#5329)

Bug Fixes

  • Deprecated oidc-provider plugin in favor of @better-auth/oauth-provider (#8985)
  • Fixed access control indexing type (#8155)
  • Added origin check middleware to password reset request (#8392)
  • Fixed account cookie comparison to use provider accountId instead of internal id (#8786)
  • Fixed session id generation when using secondary storage without database (#8927)
  • Fixed skipOriginCheck array handling (#8582)
  • Fixed misleading rate limit IP warning (#8617)
  • Passed user field through idToken sign-in body for Apple name support (#8417)
  • Preserved custom session fields on focus refresh (#8354)
  • Fixed double encoded cookie (#8133)
  • Prevented revoked sessions from being restored via database fallback (#8708)
  • Resolved duplicate operationId in admin plugin endpoints (#8570)
  • Rethrew phone sendOTP failures instead of silently swallowing them (#8842)
  • Set stateless cookieCache maxAge to match session.expiresIn (#8648)
  • Threw on duplicate email when autoSignIn: false without requireEmailVerification (#8521)
  • Fixed accountInfo endpoint to use accountId instead of internal id (#8346)
  • Restored deprecated createAdapter and type exports for backwards compatibility (#8461)
  • Fixed Response return for HTTP request contexts (#7521)
  • Fixed throw: true handling in client session refresh (#8610)
  • Preserved stale session data on network or server errors (#8437)
  • Fixed bundler re-export type resolution with direct imports (#8261)
  • Fixed Set-Cookie header splitting with lookahead heuristic (#8301)
  • Prioritized generateId: "uuid" over adapter customIdGenerator (#8679)
  • Fixed date string revival in safeJSONParse for pre-parsed objects (#8248)
  • Fixed postgres migration to use CREATE INDEX (#8538)
  • Triggered sessionSignal after requesting email change in email-otp (#8816)
  • Fixed generic-oauth to use discovery userinfo endpoint instead of hardcoded URLs (#8223)
  • Normalized missing resolver path in last-login-method plugin (#8589)
  • Returned additional fields in /magic-link/verify (#7223)
  • Fixed OAuth proxy to read callback params from body for form_post (#8895)
  • Fixed double-hashing of OAuth state when storeIdentifier is hashed (#8980)
  • Fixed redirect_uri validation for prompt=none in oidc-provider (#8398)
  • Opted into FedCM to suppress Google GSI deprecation warnings (#8720)
  • Filtered null organizations in listUserInvitations (#8694)
  • Fixed multi-role user handling in invite and member removal checks (#8442)
  • Enforced authorization on SCIM management endpoints and normalized passkey ownership checks (#8843)
  • Allowed passwordless users to manage 2FA (#7243)
  • Wired twoFactorTable option to schema modelName (#8443)
  • Prevented any from collapsing auth.$Infer and client inference types (#8981)
  • Fixed updateUser to not overwrite unrelated username fields (#7570)
  • Enforced username uniqueness in updateUser (#8731)
  • Used non-blocking scrypt for password hashing to avoid blocking the event loop (#8685)

For detailed changes, see CHANGELOG

@better-auth/sso

❗ Breaking Changes

  • Enabled InResponseTo validation by default for SP-initiated SAML flows (#8736)

Migration: Set sso({ saml: { enableInResponseToValidation: false } }) to restore the previous behavior.

Features

  • Added logging for OIDC callback code validation failures (#8693)

Bug Fixes

  • Patched transitive node-forge vulnerability via samlify pin (#8838)
  • Fixed bare domain handling in domain verification (#8369)
  • Preferred UserInfo endpoint over ID token and mapped sub claim correctly (#8276)
  • Fixed provisionUser inconsistency and added provisionUserOnEveryLogin option (#8818)
  • Skipped state cookie check for SAML ACS cross-site POST (#8735)
  • Fixed verification operations to use internalAdapter (#8353)
  • Fixed ESM compatibility with namespace import for samlify (#8697)

For detailed changes, see CHANGELOG

@better-auth/mongo-adapter

❗ Breaking Changes

  • Stored UUIDs as native BSON UUID type (#8681)

Migration: New documents use native BSON UUIDs. Existing string UUIDs continue to work. No data migration required.

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Features

  • Added pairwise subject identifiers (OIDC Core Section 8) (#8292)
  • Added public client prelogin endpoint (#8214)

Bug Fixes

  • Allowed localhost subdomains in isLocalhost function (#8286)
  • Fixed fetch redirect CORS after login (#8519)
  • Allowed customIdTokenClaims to override standard claims (#7865)
  • Enforced DB-backed sessions when secondary storage is enabled (#8894)
  • Fixed dist declaration type errors (#8701)
  • Fixed dynamic baseURL config handling in init (#8649)
  • Improved allowed paths for oauth_query in client plugin (#8320)
  • Allowed customIdTokenClaims to override acr and auth_time (#8633)
  • Normalized auth_time timestamps across adapter shapes (#8761)
  • Returned JSON redirects from post-login OAuth continuation to fix CORS-blocked 302s (#8815)
  • Fixed PAR scope loss, loopback redirect matching, and DCR skip_consent (#8632)
  • Added prompt=none support (#8554)

For detailed changes, see CHANGELOG

@better-auth/stripe

Features

  • Added customizable prorationBehavior per plan (#8525)

Bug Fixes

  • Improved organization customer search by adding customerType check (#8609)
  • Replaced {CHECKOUT_SESSION_ID} placeholder in success callbackURL (#8568)
  • Returned correct priceId for annual subscriptions in list (#8810)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Features

  • Added case-insensitive query support (mode: "insensitive") (#8556)

Bug Fixes

  • Fixed Drizzle adapter failing date transformation (#8289)
  • Used IS NULL / IS NOT NULL for null value comparisons (#8660)

For detailed changes, see CHANGELOG

@better-auth/expo

Features

  • Exposed plugin version field on all built-in plugins (#8750)

Bug Fixes

  • Fixed shim require issue (#8253)
  • Fixed origin override handling across mutable and immutable requests (#8405)

For detailed changes, see CHANGELOG

@better-auth/prisma-adapter

Bug Fixes

  • Moved adapter packages to dependencies to fix missing module errors (#8401)
  • Used updateMany fallback for non-unique updates (#8524)
  • Used deleteMany when deleting by non-unique field (#8314)

For detailed changes, see CHANGELOG

auth

Features

  • Migrated MCP server URL to mcp.better-auth.com (#8747)

Bug Fixes

  • Fixed path alias resolution from extended tsconfig files (#8520)
  • Treated omitted required as true in Drizzle and Prisma generators (#8614)

For detailed changes, see CHANGELOG

@better-auth/electron

Bug Fixes

  • Fixed verification operations with secondary storage (#8247)
  • Handled safeStorage encryption failures gracefully (#8530)

For detailed changes, see CHANGELOG

@better-auth/passkey

Features

  • Added pre-auth registration and WebAuthn extensions support (#7154)

Bug Fixes

  • Fixed error message strings in passkey client (#8751)

For detailed changes, see CHANGELOG

@better-auth/test-utils

Features

  • Exported adapter test suites from @better-auth/test-utils/adapter (#8564)

Bug Fixes

  • Removed using keyword for runtime compatibility (#8756)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Fixed turbo caching, enforced lockfile integrity, and expanded pre-commit hooks (#8892)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

  • Stopped marking redirect APIErrors as span errors in OpenTelemetry traces (#8850)

For detailed changes, see CHANGELOG

@better-auth/kysely-adapter

Bug Fixes

  • Removed deprecated numUpdatedOrDeletedRows from D1 dialect (#8798)

For detailed changes, see CHANGELOG

@better-auth/telemetry

Bug Fixes

  • Used conditional exports to replace dynamic import hacks (#8458)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@aarmful, @bytaesu, @dvanmali, @Eric-Song-Nop, @formatlos, @GautamBytes, @GoPro16, @gustavovalverde, @himself65, @jonathansamines, @jslno, @mrgrauel, @NathanColosimo, @okisdev, @olliethedev, @Oluwatobi-Mustapha, @OscarCornish, @ping-maxwell, @raihanbrillmark, @sicarius97, @Sigmabrogz, @wuzgood98, @xiaoyu2er, @YevheniiKotyrlo

Full changelog: v1.5.6...v1.6.0

Mar 23, 2026

No significant changes

View changes on GitHub

🚀 Features

🐞 Bug Fixes

View changes on GitHub

Mar 22, 2026

🚀 Features

🐞 Bug Fixes

View changes on GitHub

Mar 16, 2026

🐞 Bug Fixes

  • cli: Warn when old @better-auth/cli is used with better-auth v1.5.x+ - by @himself65 (73ca9)

View changes on GitHub

Mar 11, 2026

🚀 Features

🐞 Bug Fixes

View changes on GitHub

Mar 6, 2026

🐞 Bug Fixes

View changes on GitHub

Mar 4, 2026

🐞 Bug Fixes

View changes on GitHub

Latest: v1.6.9
Tracking since: Nov 22, 2025
Last checked: May 1, 2026