{"id":"src_DpPLk-hAFZM3TiDqW6rNq","slug":"better-auth","name":"better-auth","type":"github","url":"https://github.com/better-auth/better-auth","orgId":"org_qwTzE6IsXspSM51cZcufO","org":{"slug":"better-auth","name":"Better Auth"},"isPrimary":true,"metadata":"{}","releaseCount":100,"releasesLast30Days":13,"avgReleasesPerWeek":3,"latestVersion":"v1.6.9","latestDate":"2026-04-24T05:26:46.000Z","changelogUrl":null,"hasChangelogFile":false,"lastFetchedAt":"2026-05-01T21:01:11.587Z","lastPolledAt":"2026-05-01T21:01:07.536Z","trackingSince":"2025-11-22T01:22:14.000Z","releases":[{"id":"rel_HLNGxI0tH84neA5Dq1RuG","version":"v1.6.9","title":"v1.6.9","summary":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed instrumentation resolution in the adapter factory so edge and browser environments correctly use the pure var...","content":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed instrumentation resolution in the adapter factory so edge and browser environments correctly use the pure variant ([#9340](https://github.com/better-auth/better-auth/pull/9340))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/f484269228b7eb8df0e2325e7d264bb8d7796311/packages/better-auth/CHANGELOG.md)\n\n## Contributors\n\nThanks to everyone who contributed to this release:\n\n@erquhart\n\n**Full changelog:** [`v1.6.8...v1.6.9`](https://github.com/better-auth/better-auth/compare/v1.6.8...v1.6.9)\n","publishedAt":"2026-04-24T05:26:46.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.6.9","media":[]},{"id":"rel_WgKN-5ZGRrBelywvG9ryG","version":"v1.6.8","title":"v1.6.8","summary":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed `mapProfileToUser` fallback for OAuth providers that may omit email from their profile response ([#9331](http...","content":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed `mapProfileToUser` fallback for OAuth providers that may omit email from their profile response ([#9331](https://github.com/better-auth/better-auth/pull/9331))\n- Fixed support for passing `id` through `beforeCreateTeam` and `beforeCreateInvitation` hooks ([#9253](https://github.com/better-auth/better-auth/pull/9253))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/b289ac6c4bba10aa260d45a8627adc529e0d3b32/packages/better-auth/CHANGELOG.md)\n\n## `@better-auth/oauth-provider`\n\n### Bug Fixes\n\n- Fixed authorization flows that do not include a `state` parameter ([#9328](https://github.com/better-auth/better-auth/pull/9328))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/b289ac6c4bba10aa260d45a8627adc529e0d3b32/packages/oauth-provider/CHANGELOG.md)\n\n## `@better-auth/passkey`\n\n### Bug Fixes\n\n- Fixed incompatibility with TypeScript's `exactOptionalPropertyTypes` compiler option ([#9270](https://github.com/better-auth/better-auth/pull/9270))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/b289ac6c4bba10aa260d45a8627adc529e0d3b32/packages/passkey/CHANGELOG.md)\n\n## Contributors\n\nThanks to everyone who contributed to this release:\n\n@baptisteArno, @gustavovalverde, @ping-maxwell\n\n**Full changelog:** [`v1.6.7...v1.6.8`](https://github.com/better-auth/better-auth/compare/v1.6.7...v1.6.8)\n","publishedAt":"2026-04-23T10:33:00.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.6.8","media":[]},{"id":"rel_FmEJblXAiOoakHjc2z-2Y","version":"v1.7.0-beta.2","title":"v1.7.0-beta.2","summary":"## `better-auth`\n\n### Features\n\n- Added `userId` and `organizationId` parameters to the `listUserTeams` API for scoped team lookups without switching ...","content":"## `better-auth`\n\n### Features\n\n- Added `userId` and `organizationId` parameters to the `listUserTeams` API for scoped team lookups without switching the active organization ([#8977](https://github.com/better-auth/better-auth/pull/8977))\n- Added support for passing an array of client IDs as the ID token audience in social providers ([#9292](https://github.com/better-auth/better-auth/pull/9292))\n\n### Bug Fixes\n\n- Fixed `forceAllowId` UUIDs being ignored on PostgreSQL adapters when `advanced.database.generateId` is set to `\"uuid\"` ([#9068](https://github.com/better-auth/better-auth/pull/9068))\n- Fixed response headers being lost when an `APIError` is thrown ([#9211](https://github.com/better-auth/better-auth/pull/9211))\n- Fixed `$sessionSignal` not being triggered for session-rotating endpoints ([#9087](https://github.com/better-auth/better-auth/pull/9087))\n- Fixed the `partitioned` cookie attribute being dropped on set-cookie round-trips ([#9235](https://github.com/better-auth/better-auth/pull/9235))\n- Fixed the `./instrumentation` module to export a no-op in browser and edge environments ([#9281](https://github.com/better-auth/better-auth/pull/9281))\n- Fixed `disableRefresh` query parameter validation in custom sessions to correctly coerce string values to booleans ([#9214](https://github.com/better-auth/better-auth/pull/9214))\n- Fixed a crash when the request body is undefined during OAuth2 state parsing ([#9293](https://github.com/better-auth/better-auth/pull/9293))\n- Fixed team additional fields not being inferred correctly in the organization plugin ([#9266](https://github.com/better-auth/better-auth/pull/9266))\n- Fixed `updateUser` to allow removing a phone number ([#9219](https://github.com/better-auth/better-auth/pull/9219))\n- Fixed `callbackOnVerification` not being called when `updatePhoneNumber` is enabled ([#4894](https://github.com/better-auth/better-auth/pull/4894))\n- Reverted two-factor enforcement to credential sign-in flows only, removing the unintended challenge on magic link, OAuth, passkey, and other non-credential sign-in methods ([#9205](https://github.com/better-auth/better-auth/pull/9205))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/better-auth/CHANGELOG.md)\n\n## `@better-auth/oauth-provider`\n\n### ❗ Breaking Changes\n\n- Updated all OAuth 2.0 endpoints to return RFC-compliant `{ error, error_description }` error envelopes for validation failures ([#9277](https://github.com/better-auth/better-auth/pull/9277))\n> **Migration:** All six OAuth endpoints (`/oauth2/token`, `/oauth2/authorize`, `/oauth2/revoke`, `/oauth2/introspect`, `/oauth2/register`, `/oauth2/end-session`) now emit structured `{ error, error_description }` responses per RFC 6749 §5.2. Update any client code that previously parsed the raw validation error format from these endpoints.\n\n### Bug Fixes\n\n- Fixed host classification inconsistencies across packages that could allow SSRF attacks ([#9226](https://github.com/better-auth/better-auth/pull/9226))\n- Fixed the userinfo endpoint to correctly read the `Authorization` header when called via `auth.api` ([#9244](https://github.com/better-auth/better-auth/pull/9244))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/oauth-provider/CHANGELOG.md)\n\n## `@better-auth/api-key`\n\n### Features\n\n- Added `mapConcurrent` utility for bounded-concurrency iteration ([#9227](https://github.com/better-auth/better-auth/pull/9227))\n\n### Bug Fixes\n\n- Fixed secondary-storage API key operations to run in parallel, improving performance ([#9187](https://github.com/better-auth/better-auth/pull/9187))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/api-key/CHANGELOG.md)\n\n## `@better-auth/drizzle-adapter`\n\n### Bug Fixes\n\n- Required patched `drizzle-orm ^0.45.2` and `kysely ^0.28.14` peer versions to track vulnerability fixes ([#9165](https://github.com/better-auth/better-auth/pull/9165))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/drizzle-adapter/CHANGELOG.md)\n\n## `@better-auth/expo`\n\n### Bug Fixes\n\n- Fixed cached session data not being read from `SecureStore` on app startup ([#8953](https://github.com/better-auth/better-auth/pull/8953))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/expo/CHANGELOG.md)\n\n## `@better-auth/passkey`\n\n### Bug Fixes\n\n- Fixed passkey authentication verification not returning the authenticated user ([#5209](https://github.com/better-auth/better-auth/pull/5209))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/passkey/CHANGELOG.md)\n\n## Contributors\n\nThanks to everyone who contributed to this release:\n\n@bytaesu, @GautamBytes, @gustavovalverde, @Kinfe123, @ouwargui, @ping-maxwell, @ramonclaudio, @ruban-s, @stewartjarod, @TanishValesha, @terijaki\n\n**Full changelog:** [`v1.7.0-beta.1...v1.7.0-beta.2`](https://github.com/better-auth/better-auth/compare/v1.7.0-beta.1...v1.7.0-beta.2)\n","publishedAt":"2026-04-22T16:26:15.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.7.0-beta.2","media":[]},{"id":"rel_3JyLw1myRuOmg_gAdROpp","version":"v1.6.7","title":"v1.6.7","summary":"## `better-auth`\n\n### Features\n\n- Added support for an array of client IDs as the ID token audience in social providers ([#9292](https://github.com/be...","content":"## `better-auth`\n\n### Features\n\n- Added support for an array of client IDs as the ID token audience in social providers ([#9292](https://github.com/better-auth/better-auth/pull/9292))\n\n### Bug Fixes\n\n- Fixed response headers being lost when an `APIError` is thrown ([#9211](https://github.com/better-auth/better-auth/pull/9211))\n- Fixed browser and edge runtime errors by serving a no-op `./instrumentation` module in those environments ([#9281](https://github.com/better-auth/better-auth/pull/9281))\n- Fixed a crash when parsing OAuth2 state with an undefined request body ([#9293](https://github.com/better-auth/better-auth/pull/9293))\n- Fixed `callbackOnVerification` not being called when `updatePhoneNumber` is enabled ([#4894](https://github.com/better-auth/better-auth/pull/4894))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/f8076d141aec8f41765eaf7229f386af663f64a0/packages/better-auth/CHANGELOG.md)\n\n## `@better-auth/oauth-provider`\n\n### Bug Fixes\n\n- Fixed the userinfo endpoint to read the `Authorization` header from request context when using `auth.api` ([#9244](https://github.com/better-auth/better-auth/pull/9244))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/f8076d141aec8f41765eaf7229f386af663f64a0/packages/oauth-provider/CHANGELOG.md)\n\n## `@better-auth/passkey`\n\n### Bug Fixes\n\n- Fixed passkey authentication verification not returning the user ([#5209](https://github.com/better-auth/better-auth/pull/5209))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/f8076d141aec8f41765eaf7229f386af663f64a0/packages/passkey/CHANGELOG.md)\n\n## Contributors\n\nThanks to everyone who contributed to this release:\n\n@gustavovalverde, @Kinfe123, @ouwargui, @ramonclaudio, @stewartjarod, @TanishValesha\n\n**Full changelog:** [`v1.6.6...v1.6.7`](https://github.com/better-auth/better-auth/compare/v1.6.6...v1.6.7)\n","publishedAt":"2026-04-22T11:38:22.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.6.7","media":[]},{"id":"rel_B12RZt9EmsMYjrl7ljwH8","version":"v1.6.6","title":"v1.6.6","summary":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed preservation of the `Partitioned` attribute when forwarding `Set-Cookie` headers ([#9235](https://github.com/...","content":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed preservation of the `Partitioned` attribute when forwarding `Set-Cookie` headers ([#9235](https://github.com/better-auth/better-auth/pull/9235))\n- Fixed boolean coercion for the `disableRefresh` query parameter in custom session validation ([#9214](https://github.com/better-auth/better-auth/pull/9214))\n- Fixed incorrect inference of team additional fields in the organization plugin ([#9266](https://github.com/better-auth/better-auth/pull/9266))\n- Added support for removing a phone number via `updateUser({ phoneNumber: null })` ([#9219](https://github.com/better-auth/better-auth/pull/9219))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/better-auth/CHANGELOG.md)\n\n## `@better-auth/core`\n\n### Features\n\n- Added `mapConcurrent`, a bounded-concurrency async utility, at `@better-auth/core/utils/async` ([#9227](https://github.com/better-auth/better-auth/pull/9227))\n\n### Bug Fixes\n\n- Made `@opentelemetry/api` an optional peer dependency ([#9111](https://github.com/better-auth/better-auth/pull/9111))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/core/CHANGELOG.md)\n\n## `@better-auth/api-key`\n\n### Bug Fixes\n\n- Improved performance by running secondary-storage API key lookups in parallel ([#9187](https://github.com/better-auth/better-auth/pull/9187))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/api-key/CHANGELOG.md)\n\n## `@better-auth/expo`\n\n### Bug Fixes\n\n- Fixed session loading to read cached data from `SecureStore` on app startup, eliminating the login screen flash for returning users ([#8953](https://github.com/better-auth/better-auth/pull/8953))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/expo/CHANGELOG.md)\n\n## `@better-auth/oauth-provider`\n\n### Bug Fixes\n\n- Fixed several SSRF vulnerabilities by unifying host classification and closing loopback bypass vectors across packages ([#9226](https://github.com/better-auth/better-auth/pull/9226))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/oauth-provider/CHANGELOG.md)\n\n## `@better-auth/sso`\n\n### Bug Fixes\n\n- Fixed an ESM/CJS compatibility issue when loading samlify ([#9262](https://github.com/better-auth/better-auth/pull/9262))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/sso/CHANGELOG.md)\n\n## Contributors\n\nThanks to everyone who contributed to this release:\n\n@bytaesu, @gustavovalverde, @jonathansamines, @ping-maxwell, @terijaki\n\n**Full changelog:** [`v1.6.5...v1.6.6`](https://github.com/better-auth/better-auth/compare/v1.6.5...v1.6.6)\n","publishedAt":"2026-04-21T16:44:41.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.6.6","media":[]},{"id":"rel_YvOA5U5xdg4u8sx7Y5nFx","version":"v1.6.5","title":"v1.6.5","summary":"## `better-auth`\r\n\r\n### Bug Fixes\r\n\r\n- Clarified recommended production usage for the test utils plugin ([#9119](https://github.com/better-auth/better...","content":"## `better-auth`\r\n\r\n### Bug Fixes\r\n\r\n- Clarified recommended production usage for the test utils plugin ([#9119](https://github.com/better-auth/better-auth/pull/9119))\r\n- Fixed session not refreshing after `/change-password` and `/revoke-other-sessions` ([#9087](https://github.com/better-auth/better-auth/pull/9087))\r\n\r\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8a91f4167bd0e5e06e64e0a351307e0094ff0de/packages/better-auth/CHANGELOG.md)\r\n\r\n## `@better-auth/oauth-provider`\r\n\r\n### Security\r\n\r\n- Fixed [GHSA-xr8f-h2gw-9xh6](https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6), a high-severity authorization bypass in `@better-auth/oauth-provider` where unprivileged authenticated users could create OAuth clients when deployments relied on `clientPrivileges` to restrict client creation.\r\n- First patched stable version: `@better-auth/oauth-provider@1.6.5`.\r\n- Note: the published beta line (`1.7.0-beta.0` and `1.7.0-beta.1`) remains affected until a fixed beta release is published.\r\n\r\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8a91f4167bd0e5e06e64e0a351307e0094ff0de/packages/oauth-provider/CHANGELOG.md)\r\n\r\n## Contributors\r\n\r\nThanks to everyone who contributed to this release:\r\n\r\n@GautamBytes, @ramonclaudio\r\n\r\n**Full changelog:** [`v1.6.4...v1.6.5`](https://github.com/better-auth/better-auth/compare/v1.6.4...v1.6.5)\r\n","publishedAt":"2026-04-16T10:07:31.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.6.5","media":[]},{"id":"rel_icB-gf-bhlX13wPSQuJLC","version":"v1.6.4","title":"v1.6.4","summary":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed `forceAllowId` UUIDs set in database hooks being ignored on PostgreSQL adapters when `advanced.database.gener...","content":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed `forceAllowId` UUIDs set in database hooks being ignored on PostgreSQL adapters when `advanced.database.generateId` is set to `\"uuid\"` ([#9068](https://github.com/better-auth/better-auth/pull/9068))\n- Reverted 2FA enforcement scope to credential sign-in paths only, so magic link, email OTP, OAuth, SSO, passkey, and other non-credential sign-in flows no longer trigger a 2FA challenge ([#9205](https://github.com/better-auth/better-auth/pull/9205))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/9ec849ff7147f672a2759515e2aae8af7736962c/packages/better-auth/CHANGELOG.md)\n\n## Contributors\n\nThanks to everyone who contributed to this release:\n\n@GautamBytes, @gustavovalverde\n\n**Full changelog:** [`v1.6.3...v1.6.4`](https://github.com/better-auth/better-auth/compare/v1.6.3...v1.6.4)\n","publishedAt":"2026-04-15T12:02:48.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.6.4","media":[]},{"id":"rel_lujravmPS58Fzj8Q8bzhw","version":"v1.7.0-beta.1","title":"v1.7.0-beta.1","summary":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed dynamic `baseURL` resolution from request headers for direct `auth.api` calls ([#9113](https://github.com/bet...","content":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed dynamic `baseURL` resolution from request headers for direct `auth.api` calls ([#9113](https://github.com/better-auth/better-auth/pull/9113))\n- Fixed a race condition in the client that caused excessive requests due to `isMounted` timing issues ([#9078](https://github.com/better-auth/better-auth/pull/9078))\n- Fixed 2FA enforcement to apply across all sign-in paths, including magic link, OAuth, passkey, and email OTP ([#9122](https://github.com/better-auth/better-auth/pull/9122))\n- Fixed backup code updates to respect the configured `storeBackupCodes` storage strategy after verification ([#7231](https://github.com/better-auth/better-auth/pull/7231))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d2a1ec091f5797524cf3b0088c005800ddb07689/packages/better-auth/CHANGELOG.md)\n\n## `@better-auth/oauth-provider`\n\n### ❗ Breaking Changes\n\n- Rewrote the generic OAuth plugin as a first-class social provider with OAuth 2.1 security defaults ([#9069](https://github.com/better-auth/better-auth/pull/9069))\n> **Migration:** Replace `signIn.oauth2({ providerId })` with `signIn.social({ provider })`, `oauth2.link()` with `linkSocial()`, and update your IdP callback URLs from `/api/auth/oauth2/callback/:id` to `/api/auth/callback/:id`. Remove `genericOAuthClient()`, `issuer`, and `requireIssuerValidation` from your config. Set `pkce: false` for providers that reject PKCE challenges.\n\n### Features\n\n- Added `customTokenResponseFields` callback to inject custom fields into token endpoint responses, and hardened authorization code validation ([#9118](https://github.com/better-auth/better-auth/pull/9118))\n- Added `at_hash` claim to ID tokens to cryptographically bind them to their access tokens, per OIDC Core §3.1.3.6 ([#9079](https://github.com/better-auth/better-auth/pull/9079))\n\n### Bug Fixes\n\n- Fixed dynamic `baseURL` resolution to correctly handle trusted proxy headers, loopback addresses, and forwarded requests in plugin metadata helpers ([#9131](https://github.com/better-auth/better-auth/pull/9131))\n- Fixed unauthenticated dynamic client registration to automatically downgrade confidential auth methods to public client, improving compatibility with MCP clients ([#9123](https://github.com/better-auth/better-auth/pull/9123))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d2a1ec091f5797524cf3b0088c005800ddb07689/packages/oauth-provider/CHANGELOG.md)\n\n## `@better-auth/sso`\n\n### ❗ Breaking Changes\n\n- Consolidated the SAML ACS endpoint, removed `callbackUrl` from `samlConfig`, and fixed SLO session matching ([#9117](https://github.com/better-auth/better-auth/pull/9117))\n> **Migration:** Remove `callbackUrl` from `samlConfig` (the ACS URL is now auto-derived from `baseURL` and `providerId`) and update your IdP's ACS URL to `/sso/saml2/sp/acs/:providerId`. Remove `decryptionPvk`, `additionalParams`, `idpMetadata.entityURL`, and `idpMetadata.redirectURL` from `SAMLConfig` if present. The `spMetadata` field is now optional and can be removed.\n\n### Bug Fixes\n\n- Upgraded `samlify` to 2.12.0, adding XPath injection protection and XXE prevention for SAML XML processing ([#9121](https://github.com/better-auth/better-auth/pull/9121))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d2a1ec091f5797524cf3b0088c005800ddb07689/packages/sso/CHANGELOG.md)\n\n## ✨ `@better-auth/cimd` ✨\n\n### Features\n\n- Added the `@better-auth/cimd` plugin for Client ID Metadata Document support, enabling URL-based client identification for MCP and dynamic client discovery flows ([#9159](https://github.com/better-auth/better-auth/pull/9159))\n\nFor package details, see [`README`](https://github.com/better-auth/better-auth/blob/d2a1ec091f5797524cf3b0088c005800ddb07689/packages/cimd/README.md)\n\n## `@better-auth/stripe`\n\n### Bug Fixes\n\n- Fixed a prototype pollution vulnerability in the Stripe plugin when handling user-supplied metadata ([#9164](https://github.com/better-auth/better-auth/pull/9164))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d2a1ec091f5797524cf3b0088c005800ddb07689/packages/stripe/CHANGELOG.md)\n\n## Contributors\n\nThanks to everyone who contributed to this release:\n\n@bytaesu, @Byte-Biscuit, @gustavovalverde, @ping-maxwell\n\n**Full changelog:** [`v1.7.0-beta.0...v1.7.0-beta.1`](https://github.com/better-auth/better-auth/compare/v1.7.0-beta.0...v1.7.0-beta.1)\n","publishedAt":"2026-04-15T06:56:06.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.7.0-beta.1","media":[]},{"id":"rel_D5-XGCeb6_DTSuor1um5-","version":"v1.6.3","title":"v1.6.3","summary":"## `better-auth`\n\n### Features\n\n- Added support for Stripe SDK v21 and v22 ([#9084](https://github.com/better-auth/better-auth/pull/9084))\n\n### Bug Fi...","content":"## `better-auth`\n\n### Features\n\n- Added support for Stripe SDK v21 and v22 ([#9084](https://github.com/better-auth/better-auth/pull/9084))\n\n### Bug Fixes\n\n- Fixed incorrect `operationId` for the `requestPasswordResetCallback` endpoint in the OpenAPI spec ([#9072](https://github.com/better-auth/better-auth/pull/9072))\n- Fixed dynamic `baseURL` resolution from request headers for direct `auth.api` calls ([#9113](https://github.com/better-auth/better-auth/pull/9113))\n- Fixed `isMounted` race condition that caused excessive requests per second in the client ([#9078](https://github.com/better-auth/better-auth/pull/9078))\n- Fixed nullable schema for the get-session endpoint in the OpenAPI 3.1 spec ([#8389](https://github.com/better-auth/better-auth/pull/8389))\n- Fixed checkout and upgrade flows to omit quantity for metered prices ([#8926](https://github.com/better-auth/better-auth/pull/8926))\n- Fixed 2FA enforcement to trigger on all sign-in paths, including magic-link, OAuth, passkey, email-OTP, and SIWE ([#9122](https://github.com/better-auth/better-auth/pull/9122))\n- Fixed backup code updates to respect the configured `storeBackupCodes` storage strategy after verification ([#7231](https://github.com/better-auth/better-auth/pull/7231))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/6f17bb3ebd992867be968f38d73fdfff28eeeaab/packages/better-auth/CHANGELOG.md)\n\n## `@better-auth/oauth-provider`\n\n### Features\n\n- Added `customTokenResponseFields` callback for injecting custom fields into token endpoint responses, and hardened authorization code validation ([#9118](https://github.com/better-auth/better-auth/pull/9118))\n\n### Bug Fixes\n\n- Hardened dynamic `baseURL` resolution for direct `auth.api` calls and plugin metadata helpers ([#9131](https://github.com/better-auth/better-auth/pull/9131))\n- Fixed unauthenticated dynamic client registration to silently override confidential auth methods to public, improving compatibility with MCP clients ([#9123](https://github.com/better-auth/better-auth/pull/9123))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/6f17bb3ebd992867be968f38d73fdfff28eeeaab/packages/oauth-provider/CHANGELOG.md)\n\n## `@better-auth/sso`\n\n### Bug Fixes\n\n- Fixed multiple SAML response processing bugs, including ACS URL generation, encryption field handling, and provider config parsing ([#9097](https://github.com/better-auth/better-auth/pull/9097))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/6f17bb3ebd992867be968f38d73fdfff28eeeaab/packages/sso/CHANGELOG.md)\n\n## `@better-auth/stripe`\n\n### Bug Fixes\n\n- Fixed prototype pollution vulnerability when merging user-supplied metadata in the Stripe plugin ([#9164](https://github.com/better-auth/better-auth/pull/9164))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/6f17bb3ebd992867be968f38d73fdfff28eeeaab/packages/stripe/CHANGELOG.md)\n\n## `auth`\n\n### Bug Fixes\n\n- Fixed tsconfig path alias resolution for extended configs and mid-path wildcards in the CLI ([#9032](https://github.com/better-auth/better-auth/pull/9032))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/6f17bb3ebd992867be968f38d73fdfff28eeeaab/packages/cli/CHANGELOG.md)\n\n## Contributors\n\nThanks to everyone who contributed to this release:\n\n@bytaesu, @Byte-Biscuit, @gustavovalverde, @Oluwatobi-Mustapha, @ping-maxwell, @ramonclaudio\n\n**Full changelog:** [`v1.6.2...v1.6.3`](https://github.com/better-auth/better-auth/compare/v1.6.2...v1.6.3)\n","publishedAt":"2026-04-14T11:07:07.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.6.3","media":[]},{"id":"rel_5oHNTFYuuBWI7xOBAOIz2","version":"v1.7.0-beta.0","title":"v1.7.0-beta.0","summary":"## `better-auth`\n\n### ❗ Breaking Changes\n\n- feat(two-factor)!: add OTP enablement and discriminated response ([#9057](https://github.com/better-auth/b...","content":"## `better-auth`\n\n### ❗ Breaking Changes\n\n- feat(two-factor)!: add OTP enablement and discriminated response ([#9057](https://github.com/better-auth/better-auth/pull/9057))\n\n  `enableTwoFactor` now accepts a `method` parameter (`\"otp\" | \"totp\"`, default `\"totp\"`) and returns a discriminated response with a `method` field.\n\n  ### `method: \"otp\"`\n\n  - Sets `twoFactorEnabled: true` immediately.\n  - Returns `{ method: \"otp\" }`.\n  - Requires `otpOptions.sendOTP` to be configured on the server; rejects with `OTP_NOT_CONFIGURED` otherwise.\n\n  ### `method: \"totp\"` (default)\n\n  - Returns `{ method: \"totp\", totpURI, backupCodes }`.\n  - Rejects with `TOTP_NOT_CONFIGURED` if `totpOptions.disable` is set.\n\n  ### Breaking changes\n\n  - **Removed `skipVerificationOnEnable`**: use `method: \"otp\"` for immediate activation, or the standard TOTP verification flow.\n  - **Response shape changed**: `enableTwoFactor` includes a `method` field in the response (`\"otp\"` or `\"totp\"`).\n\n### Features\n\n- feat(stripe): support Stripe SDK v21 and v22 ([#9084](https://github.com/better-auth/better-auth/pull/9084))\n\n### Bug Fixes\n\n- fix: incorrect `operationId` in password reset callback endpoint ([#9072](https://github.com/better-auth/better-auth/pull/9072))\n- fix(open-api): correct get-session nullable schema for OAS 3.1 ([#8389](https://github.com/better-auth/better-auth/pull/8389))\n- fix(stripe): omit quantity for metered prices in checkout and upgrades ([#8926](https://github.com/better-auth/better-auth/pull/8926))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8cf0f7c1a26ac70504a76f47d736c56cb029320/packages/better-auth/CHANGELOG.md)\n\n## `@better-auth/sso`\n\n### ❗ Breaking Changes\n\n- fix(sso)!: harden SAML response validation (InResponseTo, Audience, SessionIndex) ([#9055](https://github.com/better-auth/better-auth/pull/9055))\n\n  ### Breaking Changes\n\n  - **`allowIdpInitiated` now defaults to `false`** — IdP-initiated SSO (unsolicited SAML responses) is disabled by default. Set `saml.allowIdpInitiated: true` to restore the previous behavior. This aligns with the SAML2Int interoperability profile which recommends against IdP-initiated SSO due to its susceptibility to injection attacks.\n\n  ### Bug Fixes\n\n  - **InResponseTo validation was completely non-functional** — The code read `extract.inResponseTo` (always `undefined`) instead of samlify's actual path `extract.response.inResponseTo`. SP-initiated InResponseTo validation now works as intended in both ACS handlers.\n  - **Audience Restriction was never validated** — SAML assertions issued for a different service provider were accepted without checking the `<AudienceRestriction>` element. Audience is now validated against the configured `samlConfig.audience` value per SAML 2.0 Core §2.5.1.\n  - **SessionIndex stored as object instead of string** — samlify returns `sessionIndex` from login responses as `{ authnInstant, sessionNotOnOrAfter, sessionIndex }`, but the code stored the whole object. SLO session-index comparisons always failed silently. The correct inner `sessionIndex` string is now extracted.\n\n  ### Improvements\n\n  - Extracted shared `validateInResponseTo()` and `validateAudience()` into `packages/sso/src/saml/response-validation.ts`, eliminating ~160 lines of duplicated validation logic between the two ACS handlers.\n  - Fixed `SAMLAssertionExtract` type to match samlify's actual extractor output shape.\n\n### Bug Fixes\n\n- fix(sso): unify SAML response processing and fix bugs ([#9097](https://github.com/better-auth/better-auth/pull/9097))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8cf0f7c1a26ac70504a76f47d736c56cb029320/packages/sso/CHANGELOG.md)\n\n## `@better-auth/oauth-provider`\n\n### Features\n\n- feat(oauth): add `private_key_jwt` client authentication (RFC 7523) ([#8836](https://github.com/better-auth/better-auth/pull/8836))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8cf0f7c1a26ac70504a76f47d736c56cb029320/packages/oauth-provider/CHANGELOG.md)\n\n## `auth`\n\n### Bug Fixes\n\n- fix(cli): handle extends and mid-path wildcards in tsconfig paths ([#9032](https://github.com/better-auth/better-auth/pull/9032))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8cf0f7c1a26ac70504a76f47d736c56cb029320/packages/cli/CHANGELOG.md)\n\n## Contributors\n\nThanks to everyone who contributed to this release:\n\n@bytaesu, @gustavovalverde, @Oluwatobi-Mustapha, @ramonclaudio\n\n**Full changelog:** [`v1.6.2...v1.7.0-beta.0`](https://github.com/better-auth/better-auth/compare/v1.6.2...v1.7.0-beta.0)","publishedAt":"2026-04-10T20:31:59.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.7.0-beta.0","media":[]},{"id":"rel_rqw_fiuW763Hso8UADjM-","version":"v1.6.2","title":"v1.6.2","summary":"## `better-auth`\r\n\r\n### ❗ Breaking Changes\r\n\r\n- Prevented unverified TOTP enrollment from blocking sign-in ([#8711](https://github.com/better-auth/bet...","content":"## `better-auth`\r\n\r\n### ❗ Breaking Changes\r\n\r\n- Prevented unverified TOTP enrollment from blocking sign-in ([#8711](https://github.com/better-auth/better-auth/pull/8711))\r\n> **Migration:** Schema migration required.\r\n>\r\n> Add the `verified` column to the `twoFactor` table, then regenerate/apply your ORM migration.\r\n> - Prisma: run `npx auth@latest generate`, then `npx prisma migrate dev` (or `npx prisma db push`) and `npx prisma generate`.\r\n> - Drizzle: run `npx auth@latest generate`, then `npx drizzle-kit generate` and `npx drizzle-kit migrate`.\r\n\r\n> Existing rows do not need a backfill because the column defaults to `true`.\r\n\r\n### Features\r\n\r\n- Included enabled 2FA methods in sign-in redirect response ([#8772](https://github.com/better-auth/better-auth/pull/8772))\r\n\r\n### Bug Fixes\r\n\r\n- Fixed OAuth state verification against cookie-stored nonce to prevent CSRF ([#8949](https://github.com/better-auth/better-auth/pull/8949))\r\n- Fixed infinite router refresh loops in `nextCookies()` by replacing cookie probe with header-based RSC detection ([#9059](https://github.com/better-auth/better-auth/pull/9059))\r\n- Fixed cross-provider account collision in link-social callback ([#8983](https://github.com/better-auth/better-auth/pull/8983))\r\n- Included `RelayState` in signed SAML AuthnRequests ([#9058](https://github.com/better-auth/better-auth/pull/9058))\r\n\r\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/3c12c2043a0be4bbc4438f32e115c381550edce3/packages/better-auth/CHANGELOG.md)\r\n\r\n## `@better-auth/oauth-provider`\r\n\r\n### Bug Fixes\r\n\r\n- Fixed multi-valued query params collapsing through prompt redirects ([#9060](https://github.com/better-auth/better-auth/pull/9060))\r\n- Rejected `skip_consent` at schema level in dynamic client registration ([#8998](https://github.com/better-auth/better-auth/pull/8998))\r\n\r\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/3c12c2043a0be4bbc4438f32e115c381550edce3/packages/oauth-provider/CHANGELOG.md)\r\n\r\n## `@better-auth/sso`\r\n\r\n### Bug Fixes\r\n\r\n- Fixed SAMLResponse decoding failures caused by line-wrapped base64 ([#8968](https://github.com/better-auth/better-auth/pull/8968))\r\n\r\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/3c12c2043a0be4bbc4438f32e115c381550edce3/packages/sso/CHANGELOG.md)\r\n\r\n## Contributors\r\n\r\nThanks to everyone who contributed to this release:\r\n\r\n@aarmful, @cyphercodes, @dvanmali, @gustavovalverde, @jaydeep-pipaliya, @ping-maxwell\r\n\r\n**Full changelog:** [`v1.6.1...v1.6.2`](https://github.com/better-auth/better-auth/compare/v1.6.1...v1.6.2)","publishedAt":"2026-04-09T14:20:45.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.6.2","media":[]},{"id":"rel_IyKv7MPFgBKprA8u24fRG","version":"v1.6.1","title":"v1.6.1","summary":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed endpoint instrumentation to always use the route template ([#9023](https://github.com/better-auth/better-auth...","content":"## `better-auth`\n\n### Bug Fixes\n\n- Fixed endpoint instrumentation to always use the route template ([#9023](https://github.com/better-auth/better-auth/pull/9023))\n- Returned `INVALID_PASSWORD` for all `checkPassword` failures ([#8902](https://github.com/better-auth/better-auth/pull/8902))\n- Restored `getSession` accessibility in generic `Auth<O>` context ([#9017](https://github.com/better-auth/better-auth/pull/9017))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/3c12c2043a0be4bbc4438f32e115c381550edce3/packages/better-auth/CHANGELOG.md)\n\n## Contributors\n\nThanks to everyone who contributed to this release:\n\n@bytaesu, @jonathansamines, @ping-maxwell\n\n**Full changelog:** [`v1.6.0...v1.6.1`](https://github.com/better-auth/better-auth/compare/v1.6.0...v1.6.1)\n","publishedAt":"2026-04-08T19:31:17.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.6.1","media":[]},{"id":"rel_SVUZF3P-G8d1xTp23jUHL","version":"v1.6.0","title":"v1.6.0","summary":"**Blog post:** [Better Auth 1.6](https://better-auth.com/blog/1-6)\n\n## `better-auth`\n\n### ❗ Breaking Changes\n\n- Aligned `freshAge` calculation with se...","content":"**Blog post:** [Better Auth 1.6](https://better-auth.com/blog/1-6)\n\n## `better-auth`\n\n### ❗ Breaking Changes\n\n- Aligned `freshAge` calculation with session creation time instead of update time ([#8762](https://github.com/better-auth/better-auth/pull/8762))\n> **Migration:** `session.freshAge` now calculates from `createdAt`. Set `session: { freshAge: 0 }` to disable the check entirely.\n\n### Features\n\n- Added experimental OpenTelemetry instrumentation for endpoints, hooks, middleware, and database operations ([#8027](https://github.com/better-auth/better-auth/pull/8027))\n- Added `resendStrategy` option to reuse existing OTP in email-otp plugin ([#8560](https://github.com/better-auth/better-auth/pull/8560))\n- Added `enable` option for HaveIBeenPwned plugin ([#8728](https://github.com/better-auth/better-auth/pull/8728))\n- Added request metadata to `sendMagicLink` callback ([#8571](https://github.com/better-auth/better-auth/pull/8571))\n- Added dedicated `secret` option to OAuth proxy to reduce shared key exposure ([#8699](https://github.com/better-auth/better-auth/pull/8699))\n- Added explicit `organizationId` parameter in team endpoints ([#5062](https://github.com/better-auth/better-auth/pull/5062))\n- Added WeChat social provider ([#5189](https://github.com/better-auth/better-auth/pull/5189))\n- Added `twoFactorPage` config option for custom 2FA page routing ([#5329](https://github.com/better-auth/better-auth/pull/5329))\n\n### Bug Fixes\n\n- Deprecated `oidc-provider` plugin in favor of `@better-auth/oauth-provider` ([#8985](https://github.com/better-auth/better-auth/pull/8985))\n- Fixed access control indexing type ([#8155](https://github.com/better-auth/better-auth/pull/8155))\n- Added origin check middleware to password reset request ([#8392](https://github.com/better-auth/better-auth/pull/8392))\n- Fixed account cookie comparison to use provider `accountId` instead of internal id ([#8786](https://github.com/better-auth/better-auth/pull/8786))\n- Fixed session id generation when using secondary storage without database ([#8927](https://github.com/better-auth/better-auth/pull/8927))\n- Fixed `skipOriginCheck` array handling ([#8582](https://github.com/better-auth/better-auth/pull/8582))\n- Fixed misleading rate limit IP warning ([#8617](https://github.com/better-auth/better-auth/pull/8617))\n- Passed `user` field through idToken sign-in body for Apple name support ([#8417](https://github.com/better-auth/better-auth/pull/8417))\n- Preserved custom session fields on focus refresh ([#8354](https://github.com/better-auth/better-auth/pull/8354))\n- Fixed double encoded cookie ([#8133](https://github.com/better-auth/better-auth/pull/8133))\n- Prevented revoked sessions from being restored via database fallback ([#8708](https://github.com/better-auth/better-auth/pull/8708))\n- Resolved duplicate `operationId` in admin plugin endpoints ([#8570](https://github.com/better-auth/better-auth/pull/8570))\n- Rethrew phone `sendOTP` failures instead of silently swallowing them ([#8842](https://github.com/better-auth/better-auth/pull/8842))\n- Set stateless `cookieCache` maxAge to match `session.expiresIn` ([#8648](https://github.com/better-auth/better-auth/pull/8648))\n- Threw on duplicate email when `autoSignIn: false` without `requireEmailVerification` ([#8521](https://github.com/better-auth/better-auth/pull/8521))\n- Fixed `accountInfo` endpoint to use `accountId` instead of internal id ([#8346](https://github.com/better-auth/better-auth/pull/8346))\n- Restored deprecated `createAdapter` and type exports for backwards compatibility ([#8461](https://github.com/better-auth/better-auth/pull/8461))\n- Fixed `Response` return for HTTP request contexts ([#7521](https://github.com/better-auth/better-auth/pull/7521))\n- Fixed `throw: true` handling in client session refresh ([#8610](https://github.com/better-auth/better-auth/pull/8610))\n- Preserved stale session data on network or server errors ([#8437](https://github.com/better-auth/better-auth/pull/8437))\n- Fixed bundler re-export type resolution with direct imports ([#8261](https://github.com/better-auth/better-auth/pull/8261))\n- Fixed Set-Cookie header splitting with lookahead heuristic ([#8301](https://github.com/better-auth/better-auth/pull/8301))\n- Prioritized `generateId: \"uuid\"` over adapter `customIdGenerator` ([#8679](https://github.com/better-auth/better-auth/pull/8679))\n- Fixed date string revival in `safeJSONParse` for pre-parsed objects ([#8248](https://github.com/better-auth/better-auth/pull/8248))\n- Fixed postgres migration to use `CREATE INDEX` ([#8538](https://github.com/better-auth/better-auth/pull/8538))\n- Triggered `sessionSignal` after requesting email change in email-otp ([#8816](https://github.com/better-auth/better-auth/pull/8816))\n- Fixed generic-oauth to use discovery userinfo endpoint instead of hardcoded URLs ([#8223](https://github.com/better-auth/better-auth/pull/8223))\n- Normalized missing resolver path in last-login-method plugin ([#8589](https://github.com/better-auth/better-auth/pull/8589))\n- Returned additional fields in `/magic-link/verify` ([#7223](https://github.com/better-auth/better-auth/pull/7223))\n- Fixed OAuth proxy to read callback params from body for `form_post` ([#8895](https://github.com/better-auth/better-auth/pull/8895))\n- Fixed double-hashing of OAuth state when `storeIdentifier` is hashed ([#8980](https://github.com/better-auth/better-auth/pull/8980))\n- Fixed `redirect_uri` validation for `prompt=none` in oidc-provider ([#8398](https://github.com/better-auth/better-auth/pull/8398))\n- Opted into FedCM to suppress Google GSI deprecation warnings ([#8720](https://github.com/better-auth/better-auth/pull/8720))\n- Filtered null organizations in `listUserInvitations` ([#8694](https://github.com/better-auth/better-auth/pull/8694))\n- Fixed multi-role user handling in invite and member removal checks ([#8442](https://github.com/better-auth/better-auth/pull/8442))\n- Enforced authorization on SCIM management endpoints and normalized passkey ownership checks ([#8843](https://github.com/better-auth/better-auth/pull/8843))\n- Allowed passwordless users to manage 2FA ([#7243](https://github.com/better-auth/better-auth/pull/7243))\n- Wired `twoFactorTable` option to schema `modelName` ([#8443](https://github.com/better-auth/better-auth/pull/8443))\n- Prevented `any` from collapsing `auth.$Infer` and client inference types ([#8981](https://github.com/better-auth/better-auth/pull/8981))\n- Fixed `updateUser` to not overwrite unrelated username fields ([#7570](https://github.com/better-auth/better-auth/pull/7570))\n- Enforced username uniqueness in `updateUser` ([#8731](https://github.com/better-auth/better-auth/pull/8731))\n- Used non-blocking scrypt for password hashing to avoid blocking the event loop ([#8685](https://github.com/better-auth/better-auth/pull/8685))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/better-auth/CHANGELOG.md)\n\n## `@better-auth/sso`\n\n### ❗ Breaking Changes\n\n- Enabled InResponseTo validation by default for SP-initiated SAML flows ([#8736](https://github.com/better-auth/better-auth/pull/8736))\n> **Migration:** Set `sso({ saml: { enableInResponseToValidation: false } })` to restore the previous behavior.\n\n### Features\n\n- Added logging for OIDC callback code validation failures ([#8693](https://github.com/better-auth/better-auth/pull/8693))\n\n### Bug Fixes\n\n- Patched transitive `node-forge` vulnerability via `samlify` pin ([#8838](https://github.com/better-auth/better-auth/pull/8838))\n- Fixed bare domain handling in domain verification ([#8369](https://github.com/better-auth/better-auth/pull/8369))\n- Preferred UserInfo endpoint over ID token and mapped `sub` claim correctly ([#8276](https://github.com/better-auth/better-auth/pull/8276))\n- Fixed `provisionUser` inconsistency and added `provisionUserOnEveryLogin` option ([#8818](https://github.com/better-auth/better-auth/pull/8818))\n- Skipped state cookie check for SAML ACS cross-site POST ([#8735](https://github.com/better-auth/better-auth/pull/8735))\n- Fixed verification operations to use `internalAdapter` ([#8353](https://github.com/better-auth/better-auth/pull/8353))\n- Fixed ESM compatibility with namespace import for samlify ([#8697](https://github.com/better-auth/better-auth/pull/8697))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/sso/CHANGELOG.md)\n\n## `@better-auth/mongo-adapter`\n\n### ❗ Breaking Changes\n\n- Stored UUIDs as native BSON UUID type ([#8681](https://github.com/better-auth/better-auth/pull/8681))\n> **Migration:** New documents use native BSON UUIDs. Existing string UUIDs continue to work. No data migration required.\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/mongo-adapter/CHANGELOG.md)\n\n## `@better-auth/oauth-provider`\n\n### Features\n\n- Added pairwise subject identifiers (OIDC Core Section 8) ([#8292](https://github.com/better-auth/better-auth/pull/8292))\n- Added public client prelogin endpoint ([#8214](https://github.com/better-auth/better-auth/pull/8214))\n\n### Bug Fixes\n\n- Allowed localhost subdomains in `isLocalhost` function ([#8286](https://github.com/better-auth/better-auth/pull/8286))\n- Fixed fetch redirect CORS after login ([#8519](https://github.com/better-auth/better-auth/pull/8519))\n- Allowed `customIdTokenClaims` to override standard claims ([#7865](https://github.com/better-auth/better-auth/pull/7865))\n- Enforced DB-backed sessions when secondary storage is enabled ([#8894](https://github.com/better-auth/better-auth/pull/8894))\n- Fixed dist declaration type errors ([#8701](https://github.com/better-auth/better-auth/pull/8701))\n- Fixed dynamic `baseURL` config handling in init ([#8649](https://github.com/better-auth/better-auth/pull/8649))\n- Improved allowed paths for `oauth_query` in client plugin ([#8320](https://github.com/better-auth/better-auth/pull/8320))\n- Allowed `customIdTokenClaims` to override `acr` and `auth_time` ([#8633](https://github.com/better-auth/better-auth/pull/8633))\n- Normalized `auth_time` timestamps across adapter shapes ([#8761](https://github.com/better-auth/better-auth/pull/8761))\n- Returned JSON redirects from post-login OAuth continuation to fix CORS-blocked 302s ([#8815](https://github.com/better-auth/better-auth/pull/8815))\n- Fixed PAR scope loss, loopback redirect matching, and DCR `skip_consent` ([#8632](https://github.com/better-auth/better-auth/pull/8632))\n- Added `prompt=none` support ([#8554](https://github.com/better-auth/better-auth/pull/8554))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/oauth-provider/CHANGELOG.md)\n\n## `@better-auth/stripe`\n\n### Features\n\n- Added customizable `prorationBehavior` per plan ([#8525](https://github.com/better-auth/better-auth/pull/8525))\n\n### Bug Fixes\n\n- Improved organization customer search by adding `customerType` check ([#8609](https://github.com/better-auth/better-auth/pull/8609))\n- Replaced `{CHECKOUT_SESSION_ID}` placeholder in success `callbackURL` ([#8568](https://github.com/better-auth/better-auth/pull/8568))\n- Returned correct `priceId` for annual subscriptions in list ([#8810](https://github.com/better-auth/better-auth/pull/8810))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/stripe/CHANGELOG.md)\n\n## `@better-auth/drizzle-adapter`\n\n### Features\n\n- Added case-insensitive query support (`mode: \"insensitive\"`) ([#8556](https://github.com/better-auth/better-auth/pull/8556))\n\n### Bug Fixes\n\n- Fixed Drizzle adapter failing date transformation ([#8289](https://github.com/better-auth/better-auth/pull/8289))\n- Used `IS NULL` / `IS NOT NULL` for null value comparisons ([#8660](https://github.com/better-auth/better-auth/pull/8660))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/drizzle-adapter/CHANGELOG.md)\n\n## `@better-auth/expo`\n\n### Features\n\n- Exposed plugin version field on all built-in plugins ([#8750](https://github.com/better-auth/better-auth/pull/8750))\n\n### Bug Fixes\n\n- Fixed shim `require` issue ([#8253](https://github.com/better-auth/better-auth/pull/8253))\n- Fixed origin override handling across mutable and immutable requests ([#8405](https://github.com/better-auth/better-auth/pull/8405))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/expo/CHANGELOG.md)\n\n## `@better-auth/prisma-adapter`\n\n### Bug Fixes\n\n- Moved adapter packages to dependencies to fix missing module errors ([#8401](https://github.com/better-auth/better-auth/pull/8401))\n- Used `updateMany` fallback for non-unique updates ([#8524](https://github.com/better-auth/better-auth/pull/8524))\n- Used `deleteMany` when deleting by non-unique field ([#8314](https://github.com/better-auth/better-auth/pull/8314))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/prisma-adapter/CHANGELOG.md)\n\n## `auth`\n\n### Features\n\n- Migrated MCP server URL to `mcp.better-auth.com` ([#8747](https://github.com/better-auth/better-auth/pull/8747))\n\n### Bug Fixes\n\n- Fixed path alias resolution from extended tsconfig files ([#8520](https://github.com/better-auth/better-auth/pull/8520))\n- Treated omitted `required` as `true` in Drizzle and Prisma generators ([#8614](https://github.com/better-auth/better-auth/pull/8614))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/cli/CHANGELOG.md)\n\n## `@better-auth/electron`\n\n### Bug Fixes\n\n- Fixed verification operations with secondary storage ([#8247](https://github.com/better-auth/better-auth/pull/8247))\n- Handled `safeStorage` encryption failures gracefully ([#8530](https://github.com/better-auth/better-auth/pull/8530))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/electron/CHANGELOG.md)\n\n## `@better-auth/passkey`\n\n### Features\n\n- Added pre-auth registration and WebAuthn extensions support ([#7154](https://github.com/better-auth/better-auth/pull/7154))\n\n### Bug Fixes\n\n- Fixed error message strings in passkey client ([#8751](https://github.com/better-auth/better-auth/pull/8751))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/passkey/CHANGELOG.md)\n\n## `@better-auth/test-utils`\n\n### Features\n\n- Exported adapter test suites from `@better-auth/test-utils/adapter` ([#8564](https://github.com/better-auth/better-auth/pull/8564))\n\n### Bug Fixes\n\n- Removed `using` keyword for runtime compatibility ([#8756](https://github.com/better-auth/better-auth/pull/8756))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/test-utils/CHANGELOG.md)\n\n## `@better-auth/api-key`\n\n### Bug Fixes\n\n- Fixed turbo caching, enforced lockfile integrity, and expanded pre-commit hooks ([#8892](https://github.com/better-auth/better-auth/pull/8892))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/api-key/CHANGELOG.md)\n\n## `@better-auth/core`\n\n### Bug Fixes\n\n- Stopped marking redirect `APIError`s as span errors in OpenTelemetry traces ([#8850](https://github.com/better-auth/better-auth/pull/8850))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/core/CHANGELOG.md)\n\n## `@better-auth/kysely-adapter`\n\n### Bug Fixes\n\n- Removed deprecated `numUpdatedOrDeletedRows` from D1 dialect ([#8798](https://github.com/better-auth/better-auth/pull/8798))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/kysely-adapter/CHANGELOG.md)\n\n## `@better-auth/telemetry`\n\n### Bug Fixes\n\n- Used conditional exports to replace dynamic import hacks ([#8458](https://github.com/better-auth/better-auth/pull/8458))\n\nFor detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/telemetry/CHANGELOG.md)\n\n## Contributors\n\nThanks to everyone who contributed to this release:\n\n@aarmful, @bytaesu, @dvanmali, @Eric-Song-Nop, @formatlos, @GautamBytes, @GoPro16, @gustavovalverde, @himself65, @jonathansamines, @jslno, @mrgrauel, @NathanColosimo, @okisdev, @olliethedev, @Oluwatobi-Mustapha, @OscarCornish, @ping-maxwell, @raihanbrillmark, @sicarius97, @Sigmabrogz, @wuzgood98, @xiaoyu2er, @YevheniiKotyrlo\n\n**Full changelog:** [`v1.5.6...v1.6.0`](https://github.com/better-auth/better-auth/compare/v1.5.6...v1.6.0)\n","publishedAt":"2026-04-06T16:24:58.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.6.0","media":[]},{"id":"rel_Z0CDwJ4azkeNTQkjwktu6","version":"v1.5.7-beta.1","title":"v1.5.7-beta.1","summary":"*No significant changes*\n\n##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.1-beta.4...v1...","content":"*No significant changes*\n\n##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.1-beta.4...v1.5.7-beta.1)","publishedAt":"2026-03-23T04:10:13.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.5.7-beta.1","media":[]},{"id":"rel_4lQrxbjRYrh8xTCFXLfek","version":"v1.5.1-beta.4","title":"v1.5.1-beta.4","summary":"### &nbsp;&nbsp;&nbsp;🚀 Features\n\n- Agent auth plugin &nbsp;-&nbsp; by @Bekacru in https://github.com/better-auth/better-auth/issues/8696 [<samp>(564...","content":"### &nbsp;&nbsp;&nbsp;🚀 Features\n\n- Agent auth plugin &nbsp;-&nbsp; by @Bekacru in https://github.com/better-auth/better-auth/issues/8696 [<samp>(5648b)</samp>](https://github.com/better-auth/better-auth/commit/5648bd868)\n- **core**:\n  - Add experimental opentelemetry instrumentation &nbsp;-&nbsp; by @jonathansamines and @bytaesu in https://github.com/better-auth/better-auth/issues/8027 [<samp>(e42ea)</samp>](https://github.com/better-auth/better-auth/commit/e42ead580)\n- **email-otp**:\n  - Add `resendStrategy` option to reuse existing OTP &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8560 [<samp>(bbe1a)</samp>](https://github.com/better-auth/better-auth/commit/bbe1affa4)\n- **haveibeenpwned**:\n  - Add enable option &nbsp;-&nbsp; by @aarmful and **Taesu** in https://github.com/better-auth/better-auth/issues/8728 [<samp>(df9ab)</samp>](https://github.com/better-auth/better-auth/commit/df9abae0b)\n- **magic-link**:\n  - Add request metadata to sendMagicLink &nbsp;-&nbsp; by @mrgrauel in https://github.com/better-auth/better-auth/issues/8571 [<samp>(230cf)</samp>](https://github.com/better-auth/better-auth/commit/230cfb9b2)\n- **mongo-adapter**:\n  - Store UUIDs as native BSON UUID &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8681 [<samp>(3aa10)</samp>](https://github.com/better-auth/better-auth/commit/3aa107291)\n- **oauth-provider**:\n  - Pairwise subject identifiers (OIDC Core §8) &nbsp;-&nbsp; by @gustavovalverde and @himself65 in https://github.com/better-auth/better-auth/issues/8292 [<samp>(ab7ec)</samp>](https://github.com/better-auth/better-auth/commit/ab7ec8a70)\n  - Public client prelogin endpoint &nbsp;-&nbsp; by @dvanmali in https://github.com/better-auth/better-auth/issues/8214 [<samp>(20e45)</samp>](https://github.com/better-auth/better-auth/commit/20e4561c9)\n- **oauth-proxy**:\n  - Add dedicated `secret` option to reduce shared key exposure surface &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8699 [<samp>(faffb)</samp>](https://github.com/better-auth/better-auth/commit/faffbd620)\n- **organization**:\n  - Explicit `organizationId` in team endpoints &nbsp;-&nbsp; by @xiaoyu2er and @himself65 in https://github.com/better-auth/better-auth/issues/5062 [<samp>(5d60d)</samp>](https://github.com/better-auth/better-auth/commit/5d60dc585)\n- **social-provider**:\n  - Add wechat social provider &nbsp;-&nbsp; by @Eric-Song-Nop, **Claude** and @himself65 in https://github.com/better-auth/better-auth/issues/5189 [<samp>(6061b)</samp>](https://github.com/better-auth/better-auth/commit/6061bed1f)\n- **sso**:\n  - Add logging for when code validation fails in oidc callback &nbsp;-&nbsp; by @OscarCornish in https://github.com/better-auth/better-auth/issues/8693 [<samp>(ac954)</samp>](https://github.com/better-auth/better-auth/commit/ac9541a84)\n- **stripe**:\n  - Allow customizable `prorationBehavior` per plan &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8525 [<samp>(9fdd6)</samp>](https://github.com/better-auth/better-auth/commit/9fdd66251)\n- **test-utils**:\n  - Export adapter test suites from `@better-auth/test-utils/adapter` &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8564 [<samp>(6578b)</samp>](https://github.com/better-auth/better-auth/commit/6578bd89a)\n- **two-factor**:\n  - Add `twoFactorPage` in config &nbsp;-&nbsp; by @wuzgood98 in https://github.com/better-auth/better-auth/issues/5329 [<samp>(caa9f)</samp>](https://github.com/better-auth/better-auth/commit/caa9fe37c)\n\n### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes\n\n- Access control indexing type &nbsp;-&nbsp; by @YevheniiKotyrlo and @himself65 in https://github.com/better-auth/better-auth/issues/8155 [<samp>(47bba)</samp>](https://github.com/better-auth/better-auth/commit/47bba48f2)\n- Prevent double encoded cookie &nbsp;-&nbsp; by @Oluwatobi-Mustapha and @himself65 in https://github.com/better-auth/better-auth/issues/8133 [<samp>(49921)</samp>](https://github.com/better-auth/better-auth/commit/49921100a)\n- Move adapter packages to dependencies to fix missing module errors &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8401 [<samp>(27c4c)</samp>](https://github.com/better-auth/better-auth/commit/27c4c3d0a)\n- Pass `user` field through idToken sign-in body for Apple name support &nbsp;-&nbsp; by @bytaesu and **Copilot** in https://github.com/better-auth/better-auth/issues/8417 [<samp>(d8139)</samp>](https://github.com/better-auth/better-auth/commit/d8139e5c7)\n- Preserve custom session fields on focus refresh &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8354 [<samp>(5e49c)</samp>](https://github.com/better-auth/better-auth/commit/5e49c2d16)\n- Throw on duplicate email when `autoSignIn: false` without `requireEmailVerification` &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8521 [<samp>(f72e2)</samp>](https://github.com/better-auth/better-auth/commit/f72e28d08)\n- Add origin check middleware to password reset request &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8392 [<samp>(271af)</samp>](https://github.com/better-auth/better-auth/commit/271af9baf)\n- Handle `skipOriginCheck` array &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8582 [<samp>(92895)</samp>](https://github.com/better-auth/better-auth/commit/92895b444)\n- Resolve duplicate operationId in admin plugin endpoints &nbsp;-&nbsp; by @Sigmabrogz and **Sigmabrogz** in https://github.com/better-auth/better-auth/issues/8570 [<samp>(3f75e)</samp>](https://github.com/better-auth/better-auth/commit/3f75ee3ee)\n- Misleading rate limit IP warning &nbsp;-&nbsp; by @GautamBytes in https://github.com/better-auth/better-auth/issues/8617 [<samp>(ae861)</samp>](https://github.com/better-auth/better-auth/commit/ae861cdff)\n- Prevent revoked sessions from being restored via database fallback &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8708 [<samp>(767f1)</samp>](https://github.com/better-auth/better-auth/commit/767f129d1)\n- Set stateless cookieCache maxAge to match session expiresIn &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8648 [<samp>(c8617)</samp>](https://github.com/better-auth/better-auth/commit/c8617fd44)\n- **account**:\n  - Use accountId instead of id in accountInfo endpoint &nbsp;-&nbsp; by @NathanColosimo and @himself65 in https://github.com/better-auth/better-auth/issues/8346 [<samp>(f9b8a)</samp>](https://github.com/better-auth/better-auth/commit/f9b8a616a)\n- **adapters**:\n  - Restore deprecated createAdapter and type exports for backcompat &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8461 [<samp>(096d9)</samp>](https://github.com/better-auth/better-auth/commit/096d9bdf7)\n  - Use IS NULL / IS NOT NULL for null value comparisons &nbsp;-&nbsp; by @olliethedev in https://github.com/better-auth/better-auth/issues/8660 [<samp>(8682b)</samp>](https://github.com/better-auth/better-auth/commit/8682b7aeb)\n- **api**:\n  - Return Response for HTTP request contexts &nbsp;-&nbsp; by @gustavovalverde in https://github.com/better-auth/better-auth/issues/7521 [<samp>(8304f)</samp>](https://github.com/better-auth/better-auth/commit/8304f655a)\n- **blog**:\n  - Fix RSS feed link path, image path and blog date &nbsp;-&nbsp; by @0-Sandy in https://github.com/better-auth/better-auth/issues/8483 [<samp>(18e95)</samp>](https://github.com/better-auth/better-auth/commit/18e95f662)\n- **cli**:\n  - Resolve path aliases from extended tsconfig files &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8520 [<samp>(b5e22)</samp>](https://github.com/better-auth/better-auth/commit/b5e2203f1)\n  - Treat omitted `required` as `true` in Drizzle and Prisma generators &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8614 [<samp>(b0069)</samp>](https://github.com/better-auth/better-auth/commit/b00692d4e)\n- **client**:\n  - Preserve stale session data on network or server errors &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8437 [<samp>(b18b4)</samp>](https://github.com/better-auth/better-auth/commit/b18b4dba0)\n  - Handle `throw:true` in session refresh &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8610 [<samp>(f0c1a)</samp>](https://github.com/better-auth/better-auth/commit/f0c1a6b50)\n- **core**:\n  - Prioritize generateId \"uuid\" over adapter customIdGenerator &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8679 [<samp>(05565)</samp>](https://github.com/better-auth/better-auth/commit/055657545)\n- **db**:\n  - Use `CREATE INDEX` for postgres migration &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8538 [<samp>(a980b)</samp>](https://github.com/better-auth/better-auth/commit/a980b169a)\n- **docs**:\n  - Improve AI chat security and cleanup &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8597 [<samp>(a1a97)</samp>](https://github.com/better-auth/better-auth/commit/a1a974530)\n  - Add missing Encore icon to sidebar icons &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8663 [<samp>(169c2)</samp>](https://github.com/better-auth/better-auth/commit/169c27ed9)\n- **electron**:\n  - Handle safeStorage encryption failures gracefully &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8530 [<samp>(b3330)</samp>](https://github.com/better-auth/better-auth/commit/b33305c33)\n- **expo**:\n  - Handle origin override across mutable and immutable requests &nbsp;-&nbsp; by @NathanColosimo, **Taesu** and @bytaesu in https://github.com/better-auth/better-auth/issues/8405 [<samp>(44ee8)</samp>](https://github.com/better-auth/better-auth/commit/44ee8b45a)\n- **last-login-method**:\n  - Normalize missing resolver path &nbsp;-&nbsp; by @mrgrauel in https://github.com/better-auth/better-auth/issues/8589 [<samp>(d198a)</samp>](https://github.com/better-auth/better-auth/commit/d198a8273)\n- **oauth-provider**:\n  - CustomIdTokenClaims should override standard claims &nbsp;-&nbsp; by @gustavovalverde in https://github.com/better-auth/better-auth/issues/7865 [<samp>(c5983)</samp>](https://github.com/better-auth/better-auth/commit/c59833549)\n  - Avoid fetch redirect CORS after login &nbsp;-&nbsp; by @GautamBytes in https://github.com/better-auth/better-auth/issues/8519 [<samp>(f46a6)</samp>](https://github.com/better-auth/better-auth/commit/f46a65a25)\n  - Support prompt=none &nbsp;-&nbsp; by @dvanmali in https://github.com/better-auth/better-auth/issues/8554 [<samp>(54216)</samp>](https://github.com/better-auth/better-auth/commit/542169b04)\n  - Improve allowed paths for oauth_query for client plugin &nbsp;-&nbsp; by @dvanmali in https://github.com/better-auth/better-auth/issues/8320 [<samp>(40e76)</samp>](https://github.com/better-auth/better-auth/commit/40e767615)\n  - Fix dist declaration type errors &nbsp;-&nbsp; by @gustavovalverde in https://github.com/better-auth/better-auth/issues/8701 [<samp>(c41fa)</samp>](https://github.com/better-auth/better-auth/commit/c41fa044d)\n- **oidc-provider**:\n  - Validate redirect_uri for prompt=none &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8398 [<samp>(9dff8)</samp>](https://github.com/better-auth/better-auth/commit/9dff8c543)\n- **one-tap**:\n  - Opt into FedCM to suppress Google GSI deprecation warnings &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8720 [<samp>(c2cbb)</samp>](https://github.com/better-auth/better-auth/commit/c2cbb9d56)\n- **organization**:\n  - Handle multi-role users in invite and member removal checks &nbsp;-&nbsp; by @himself65 and **Copilot Autofix powered by AI** in https://github.com/better-auth/better-auth/issues/8442 [<samp>(6559c)</samp>](https://github.com/better-auth/better-auth/commit/6559c1e8f)\n  - Filter null organizations in listUserInvitations &nbsp;-&nbsp; by @raihanbrillmark and **Raihan Sharif** in https://github.com/better-auth/better-auth/issues/8694 [<samp>(06e38)</samp>](https://github.com/better-auth/better-auth/commit/06e38a442)\n- **prisma-adapter**:\n  - Use deleteMany when deleting by non-unique field &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8314 [<samp>(c9b9c)</samp>](https://github.com/better-auth/better-auth/commit/c9b9c91ec)\n  - Fall back to updateMany for non-unique updates &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8524 [<samp>(a5c12)</samp>](https://github.com/better-auth/better-auth/commit/a5c1286d3)\n- **sso**:\n  - Use internalAdapter for verification operations &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8353 [<samp>(bd980)</samp>](https://github.com/better-auth/better-auth/commit/bd980f8c5)\n  - Handle bare domains in domain verification &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8369 [<samp>(71c3a)</samp>](https://github.com/better-auth/better-auth/commit/71c3a85d2)\n  - Use namespace import for samlify to fix ESM compatibility &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8697 [<samp>(a6763)</samp>](https://github.com/better-auth/better-auth/commit/a67630edb)\n  - Skip state cookie check for SAML ACS cross-site POST &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8735 [<samp>(b647e)</samp>](https://github.com/better-auth/better-auth/commit/b647ef348)\n- **stripe**:\n  - Replace `{CHECKOUT_SESSION_ID}` placeholder in success callbackURL &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8568 [<samp>(db470)</samp>](https://github.com/better-auth/better-auth/commit/db470986c)\n  - Improve organization customer search by adding customerType check &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8609 [<samp>(884e1)</samp>](https://github.com/better-auth/better-auth/commit/884e14a38)\n- **telemetry**:\n  - Use conditional exports to replace dynamic import hacks &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8458 [<samp>(c8628)</samp>](https://github.com/better-auth/better-auth/commit/c86281d5b)\n- **two-factor**:\n  - Wire twoFactorTable option to schema modelName &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8443 [<samp>(a92a7)</samp>](https://github.com/better-auth/better-auth/commit/a92a71ef8)\n\n##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.1-beta.3...v1.5.1-beta.4)","publishedAt":"2026-03-23T04:04:27.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.5.1-beta.4","media":[]},{"id":"rel_OKD68nhtNVgYKcG19hBaR","version":"v1.5.6","title":"v1.5.6","summary":"### &nbsp;&nbsp;&nbsp;🚀 Features\n\n- Agent auth plugin &nbsp;-&nbsp; by @Bekacru in https://github.com/better-auth/better-auth/issues/8696 [<samp>(a0b...","content":"### &nbsp;&nbsp;&nbsp;🚀 Features\n\n- Agent auth plugin &nbsp;-&nbsp; by @Bekacru in https://github.com/better-auth/better-auth/issues/8696 [<samp>(a0b53)</samp>](https://github.com/better-auth/better-auth/commit/a0b53212a)\n- **core**: Add experimental opentelemetry instrumentation &nbsp;-&nbsp; by @jonathansamines and @bytaesu in https://github.com/better-auth/better-auth/issues/8027 [<samp>(1ed42)</samp>](https://github.com/better-auth/better-auth/commit/1ed42714f)\n- **email-otp**: Add `resendStrategy` option to reuse existing OTP &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8560 [<samp>(98c8e)</samp>](https://github.com/better-auth/better-auth/commit/98c8e4e65)\n- **magic-link**: Add request metadata to sendMagicLink &nbsp;-&nbsp; by @mrgrauel in https://github.com/better-auth/better-auth/issues/8571 [<samp>(cb240)</samp>](https://github.com/better-auth/better-auth/commit/cb240b600)\n- **mongo-adapter**: Store UUIDs as native BSON UUID &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8681 [<samp>(d1bff)</samp>](https://github.com/better-auth/better-auth/commit/d1bfff1d6)\n- **oauth-provider**: Public client prelogin endpoint &nbsp;-&nbsp; by @dvanmali in https://github.com/better-auth/better-auth/issues/8214 [<samp>(a0eb1)</samp>](https://github.com/better-auth/better-auth/commit/a0eb1631f)\n- **organization**: Explicit `organizationId` in team endpoints &nbsp;-&nbsp; by @xiaoyu2er and @himself65 in https://github.com/better-auth/better-auth/issues/5062 [<samp>(8f470)</samp>](https://github.com/better-auth/better-auth/commit/8f47015af)\n- **social-provider**: Add wechat social provider &nbsp;-&nbsp; by @Eric-Song-Nop, **Claude** and @himself65 in https://github.com/better-auth/better-auth/issues/5189 [<samp>(c4402)</samp>](https://github.com/better-auth/better-auth/commit/c440221d7)\n- **stripe**: Allow customizable `prorationBehavior` per plan &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8525 [<samp>(98cea)</samp>](https://github.com/better-auth/better-auth/commit/98cea7e61)\n- **test-utils**: Export adapter test suites from `@better-auth/test-utils/adapter` &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8564 [<samp>(6be0f)</samp>](https://github.com/better-auth/better-auth/commit/6be0f9599)\n- **two-factor**: Add `twoFactorPage` in config &nbsp;-&nbsp; by @wuzgood98 in https://github.com/better-auth/better-auth/issues/5329 [<samp>(4f41b)</samp>](https://github.com/better-auth/better-auth/commit/4f41b62cf)\n\n### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes\n\n- Handle `skipOriginCheck` array &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8582 [<samp>(331c4)</samp>](https://github.com/better-auth/better-auth/commit/331c4c413)\n- Prevent revoked sessions from being restored via database fallback &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8708 [<samp>(d4efa)</samp>](https://github.com/better-auth/better-auth/commit/d4efa8e32)\n- **api**:\n  - Return Response for HTTP request contexts &nbsp;-&nbsp; by @gustavovalverde in https://github.com/better-auth/better-auth/issues/7521 [<samp>(9e3e8)</samp>](https://github.com/better-auth/better-auth/commit/9e3e8e601)\n- **client**:\n  - Handle `throw:true` in session refresh &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8610 [<samp>(275ca)</samp>](https://github.com/better-auth/better-auth/commit/275ca46fe)\n- **core**:\n  - Prioritize generateId \"uuid\" over adapter customIdGenerator &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8679 [<samp>(fc0bc)</samp>](https://github.com/better-auth/better-auth/commit/fc0bc94a6)\n- **docs**:\n  - Improve AI chat security and cleanup &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8597 [<samp>(5c0c8)</samp>](https://github.com/better-auth/better-auth/commit/5c0c87ce7)\n  - Add missing Encore icon to sidebar icons &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8663 [<samp>(cd5b8)</samp>](https://github.com/better-auth/better-auth/commit/cd5b81803)\n- **electron**:\n  - Handle safeStorage encryption failures gracefully &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8530 [<samp>(04766)</samp>](https://github.com/better-auth/better-auth/commit/047662025)\n- **oauth-provider**:\n  - Support prompt=none &nbsp;-&nbsp; by @dvanmali in https://github.com/better-auth/better-auth/issues/8554 [<samp>(812fd)</samp>](https://github.com/better-auth/better-auth/commit/812fd4d8e)\n  - Improve allowed paths for oauth_query for client plugin &nbsp;-&nbsp; by @dvanmali in https://github.com/better-auth/better-auth/issues/8320 [<samp>(ccded)</samp>](https://github.com/better-auth/better-auth/commit/ccded8be3)\n  - Fix dist declaration type errors &nbsp;-&nbsp; by @gustavovalverde in https://github.com/better-auth/better-auth/issues/8701 [<samp>(ec79f)</samp>](https://github.com/better-auth/better-auth/commit/ec79fa275)\n- **organization**:\n  - Filter null organizations in listUserInvitations &nbsp;-&nbsp; by @raihanbrillmark and **Raihan Sharif** in https://github.com/better-auth/better-auth/issues/8694 [<samp>(a62cb)</samp>](https://github.com/better-auth/better-auth/commit/a62cb044f)\n- **sso**:\n  - Use namespace import for samlify to fix ESM compatibility &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8697 [<samp>(71f70)</samp>](https://github.com/better-auth/better-auth/commit/71f708345)\n- **stripe**:\n  - Replace `{CHECKOUT_SESSION_ID}` placeholder in success callbackURL &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8568 [<samp>(32704)</samp>](https://github.com/better-auth/better-auth/commit/3270499c0)\n  - Improve organization customer search by adding customerType check &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8609 [<samp>(74ec7)</samp>](https://github.com/better-auth/better-auth/commit/74ec71cae)\n\n##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.5...v1.5.6)","publishedAt":"2026-03-22T14:51:16.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.5.6","media":[]},{"id":"rel_sQmFDzk072sCF0SpDbFOZ","version":"v1.4.22","title":"v1.4.22","summary":"### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes\n\n- **cli**: Warn when old @better-auth/cli is used with better-auth v1.5.x+ &nbsp;-&nbsp; by @himself65 [<samp>(73c...","content":"### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes\n\n- **cli**: Warn when old @better-auth/cli is used with better-auth v1.5.x+ &nbsp;-&nbsp; by @himself65 [<samp>(73ca9)</samp>](https://github.com/better-auth/better-auth/commit/73ca92ee8)\n\n##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.4.21...v1.4.22)","publishedAt":"2026-03-16T20:23:38.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.4.22","media":[]},{"id":"rel_DsSSLPP906FQswuw8F2yp","version":"v1.5.5","title":"v1.5.5","summary":"### &nbsp;&nbsp;&nbsp;🚀 Features\n\n- **oauth-provider**: Pairwise subject identifiers (OIDC Core §8) &nbsp;-&nbsp; by @gustavovalverde and @himself65 ...","content":"### &nbsp;&nbsp;&nbsp;🚀 Features\n\n- **oauth-provider**: Pairwise subject identifiers (OIDC Core §8) &nbsp;-&nbsp; by @gustavovalverde and @himself65 in https://github.com/better-auth/better-auth/issues/8292 [<samp>(6c09f)</samp>](https://github.com/better-auth/better-auth/commit/6c09f1773)\n\n### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes\n\n- Pass `user` field through idToken sign-in body for Apple name support &nbsp;-&nbsp; by @bytaesu and **Copilot** in https://github.com/better-auth/better-auth/issues/8417 [<samp>(d364e)</samp>](https://github.com/better-auth/better-auth/commit/d364eff68)\n- Add missing SubpageItem properties for docs-sidebar compatibility &nbsp;-&nbsp; by @bytaesu [<samp>(6bcd7)</samp>](https://github.com/better-auth/better-auth/commit/6bcd7c64d)\n- Add icon prop to SubpageLink component &nbsp;-&nbsp; by @bytaesu [<samp>(95538)</samp>](https://github.com/better-auth/better-auth/commit/955381c00)\n- Correct sign-in link to dash.better-auth.com &nbsp;-&nbsp; by @bytaesu [<samp>(058bb)</samp>](https://github.com/better-auth/better-auth/commit/058bb8aaa)\n- Restore features.tsx and align import with canary &nbsp;-&nbsp; by @bytaesu [<samp>(e5ebb)</samp>](https://github.com/better-auth/better-auth/commit/e5ebb669b)\n- Add suppressHydrationWarning to video elements &nbsp;-&nbsp; by @bytaesu [<samp>(8e0e5)</samp>](https://github.com/better-auth/better-auth/commit/8e0e53ed9)\n- Preserve custom session fields on focus refresh &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8354 [<samp>(2bd99)</samp>](https://github.com/better-auth/better-auth/commit/2bd994bab)\n- Throw on duplicate email when `autoSignIn: false` without `requireEmailVerification` &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8521 [<samp>(e3e66)</samp>](https://github.com/better-auth/better-auth/commit/e3e6664d7)\n- Add origin check middleware to password reset request &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8392 [<samp>(497b1)</samp>](https://github.com/better-auth/better-auth/commit/497b1db8d)\n- **adapters**: Restore deprecated createAdapter and type exports for backcompat &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8461 [<samp>(eb848)</samp>](https://github.com/better-auth/better-auth/commit/eb848c4d7)\n- **blog**: Fix RSS feed link path, image path and blog date &nbsp;-&nbsp; by @0-Sandy in https://github.com/better-auth/better-auth/issues/8483 [<samp>(67c6d)</samp>](https://github.com/better-auth/better-auth/commit/67c6dc2d3)\n- **cli**: Resolve path aliases from extended tsconfig files &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8520 [<samp>(11ef0)</samp>](https://github.com/better-auth/better-auth/commit/11ef01a56)\n- **client**: Preserve stale session data on network or server errors &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8437 [<samp>(9a229)</samp>](https://github.com/better-auth/better-auth/commit/9a229ce13)\n- **db**: Use `CREATE INDEX` for postgres migration &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8538 [<samp>(b9e54)</samp>](https://github.com/better-auth/better-auth/commit/b9e54c9af)\n- **oauth-provider**: Avoid fetch redirect CORS after login &nbsp;-&nbsp; by @GautamBytes in https://github.com/better-auth/better-auth/issues/8519 [<samp>(c0366)</samp>](https://github.com/better-auth/better-auth/commit/c03666a5d)\n- **oidc-provider**: Validate redirect_uri for prompt=none &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8398 [<samp>(ff352)</samp>](https://github.com/better-auth/better-auth/commit/ff352c629)\n- **organization**: Handle multi-role users in invite and member removal checks &nbsp;-&nbsp; by @himself65 and **Copilot Autofix powered by AI** in https://github.com/better-auth/better-auth/issues/8442 [<samp>(23f18)</samp>](https://github.com/better-auth/better-auth/commit/23f18f256)\n- **prisma-adapter**: Fall back to updateMany for non-unique updates &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8524 [<samp>(3f16e)</samp>](https://github.com/better-auth/better-auth/commit/3f16e9f86)\n- **sso**: Handle bare domains in domain verification &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8369 [<samp>(fb7a0)</samp>](https://github.com/better-auth/better-auth/commit/fb7a0b745)\n- **telemetry**: Use conditional exports to replace dynamic import hacks &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8458 [<samp>(3ecd2)</samp>](https://github.com/better-auth/better-auth/commit/3ecd22d87)\n- **two-factor**: Wire twoFactorTable option to schema modelName &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8443 [<samp>(f4604)</samp>](https://github.com/better-auth/better-auth/commit/f46045ecd)\n\n##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.4...v1.5.5)","publishedAt":"2026-03-11T17:31:07.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.5.5","media":[]},{"id":"rel_WRT_UKYz06rZqL9hFNATw","version":"v1.5.4","title":"v1.5.4","summary":"### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes\n\n- Move adapter packages to dependencies to fix missing module errors &nbsp;-&nbsp; by @himself65 in https://github...","content":"### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes\n\n- Move adapter packages to dependencies to fix missing module errors &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8401 [<samp>(56857)</samp>](https://github.com/better-auth/better-auth/commit/56857d66b)\n- **expo**: Handle origin override across mutable and immutable requests &nbsp;-&nbsp; by @NathanColosimo, **Taesu** and @bytaesu in https://github.com/better-auth/better-auth/issues/8405 [<samp>(b7a31)</samp>](https://github.com/better-auth/better-auth/commit/b7a3129d5)\n\n##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.3...v1.5.4)","publishedAt":"2026-03-06T02:30:48.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.5.4","media":[]},{"id":"rel_Z7l5wSVVNGAztXmKjFZdf","version":"v1.5.3","title":"v1.5.3","summary":"### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes\n\n- **account**: Use accountId instead of id in accountInfo endpoint &nbsp;-&nbsp; by @NathanColosimo and @himself65...","content":"### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes\n\n- **account**: Use accountId instead of id in accountInfo endpoint &nbsp;-&nbsp; by @NathanColosimo and @himself65 in https://github.com/better-auth/better-auth/issues/8346 [<samp>(efcc2)</samp>](https://github.com/better-auth/better-auth/commit/efcc2384b)\n- **sso**: Use internalAdapter for verification operations &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8353 [<samp>(e3bc6)</samp>](https://github.com/better-auth/better-auth/commit/e3bc6a2e5)\n\n##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.2...v1.5.3)","publishedAt":"2026-03-04T07:50:19.000Z","url":"https://github.com/better-auth/better-auth/releases/tag/v1.5.3","media":[]}],"pagination":{"page":1,"pageSize":20,"totalPages":5,"totalItems":100},"summaries":{"rolling":null,"monthly":[]}}