---
name: better-auth
slug: better-auth
type: github
source_url: https://github.com/better-auth/better-auth
organization: Better Auth
organization_slug: better-auth
total_releases: 100
latest_version: v1.6.9
latest_date: 2026-04-24
last_updated: 2026-05-01
tracking_since: 2025-11-22
canonical: https://releases.sh/better-auth/better-auth
organization_url: https://releases.sh/better-auth
---

<Release version="v1.6.9" date="April 24, 2026" published="2026-04-24T05:26:46.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.6.9">
## `better-auth`

### Bug Fixes

- Fixed instrumentation resolution in the adapter factory so edge and browser environments correctly use the pure variant ([#9340](https://github.com/better-auth/better-auth/pull/9340))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/f484269228b7eb8df0e2325e7d264bb8d7796311/packages/better-auth/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@erquhart

**Full changelog:** [`v1.6.8...v1.6.9`](https://github.com/better-auth/better-auth/compare/v1.6.8...v1.6.9)

</Release>

<Release version="v1.6.8" date="April 23, 2026" published="2026-04-23T10:33:00.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.6.8">
## `better-auth`

### Bug Fixes

- Fixed `mapProfileToUser` fallback for OAuth providers that may omit email from their profile response ([#9331](https://github.com/better-auth/better-auth/pull/9331))
- Fixed support for passing `id` through `beforeCreateTeam` and `beforeCreateInvitation` hooks ([#9253](https://github.com/better-auth/better-auth/pull/9253))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/b289ac6c4bba10aa260d45a8627adc529e0d3b32/packages/better-auth/CHANGELOG.md)

## `@better-auth/oauth-provider`

### Bug Fixes

- Fixed authorization flows that do not include a `state` parameter ([#9328](https://github.com/better-auth/better-auth/pull/9328))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/b289ac6c4bba10aa260d45a8627adc529e0d3b32/packages/oauth-provider/CHANGELOG.md)

## `@better-auth/passkey`

### Bug Fixes

- Fixed incompatibility with TypeScript's `exactOptionalPropertyTypes` compiler option ([#9270](https://github.com/better-auth/better-auth/pull/9270))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/b289ac6c4bba10aa260d45a8627adc529e0d3b32/packages/passkey/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@baptisteArno, @gustavovalverde, @ping-maxwell

**Full changelog:** [`v1.6.7...v1.6.8`](https://github.com/better-auth/better-auth/compare/v1.6.7...v1.6.8)

</Release>

<Release version="v1.7.0-beta.2" date="April 22, 2026" published="2026-04-22T16:26:15.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.7.0-beta.2">
## `better-auth`

### Features

- Added `userId` and `organizationId` parameters to the `listUserTeams` API for scoped team lookups without switching the active organization ([#8977](https://github.com/better-auth/better-auth/pull/8977))
- Added support for passing an array of client IDs as the ID token audience in social providers ([#9292](https://github.com/better-auth/better-auth/pull/9292))

### Bug Fixes

- Fixed `forceAllowId` UUIDs being ignored on PostgreSQL adapters when `advanced.database.generateId` is set to `"uuid"` ([#9068](https://github.com/better-auth/better-auth/pull/9068))
- Fixed response headers being lost when an `APIError` is thrown ([#9211](https://github.com/better-auth/better-auth/pull/9211))
- Fixed `$sessionSignal` not being triggered for session-rotating endpoints ([#9087](https://github.com/better-auth/better-auth/pull/9087))
- Fixed the `partitioned` cookie attribute being dropped on set-cookie round-trips ([#9235](https://github.com/better-auth/better-auth/pull/9235))
- Fixed the `./instrumentation` module to export a no-op in browser and edge environments ([#9281](https://github.com/better-auth/better-auth/pull/9281))
- Fixed `disableRefresh` query parameter validation in custom sessions to correctly coerce string values to booleans ([#9214](https://github.com/better-auth/better-auth/pull/9214))
- Fixed a crash when the request body is undefined during OAuth2 state parsing ([#9293](https://github.com/better-auth/better-auth/pull/9293))
- Fixed team additional fields not being inferred correctly in the organization plugin ([#9266](https://github.com/better-auth/better-auth/pull/9266))
- Fixed `updateUser` to allow removing a phone number ([#9219](https://github.com/better-auth/better-auth/pull/9219))
- Fixed `callbackOnVerification` not being called when `updatePhoneNumber` is enabled ([#4894](https://github.com/better-auth/better-auth/pull/4894))
- Reverted two-factor enforcement to credential sign-in flows only, removing the unintended challenge on magic link, OAuth, passkey, and other non-credential sign-in methods ([#9205](https://github.com/better-auth/better-auth/pull/9205))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/better-auth/CHANGELOG.md)

## `@better-auth/oauth-provider`

### ❗ Breaking Changes

- Updated all OAuth 2.0 endpoints to return RFC-compliant `{ error, error_description }` error envelopes for validation failures ([#9277](https://github.com/better-auth/better-auth/pull/9277))
> **Migration:** All six OAuth endpoints (`/oauth2/token`, `/oauth2/authorize`, `/oauth2/revoke`, `/oauth2/introspect`, `/oauth2/register`, `/oauth2/end-session`) now emit structured `{ error, error_description }` responses per RFC 6749 §5.2. Update any client code that previously parsed the raw validation error format from these endpoints.

### Bug Fixes

- Fixed host classification inconsistencies across packages that could allow SSRF attacks ([#9226](https://github.com/better-auth/better-auth/pull/9226))
- Fixed the userinfo endpoint to correctly read the `Authorization` header when called via `auth.api` ([#9244](https://github.com/better-auth/better-auth/pull/9244))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/oauth-provider/CHANGELOG.md)

## `@better-auth/api-key`

### Features

- Added `mapConcurrent` utility for bounded-concurrency iteration ([#9227](https://github.com/better-auth/better-auth/pull/9227))

### Bug Fixes

- Fixed secondary-storage API key operations to run in parallel, improving performance ([#9187](https://github.com/better-auth/better-auth/pull/9187))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/api-key/CHANGELOG.md)

## `@better-auth/drizzle-adapter`

### Bug Fixes

- Required patched `drizzle-orm ^0.45.2` and `kysely ^0.28.14` peer versions to track vulnerability fixes ([#9165](https://github.com/better-auth/better-auth/pull/9165))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/drizzle-adapter/CHANGELOG.md)

## `@better-auth/expo`

### Bug Fixes

- Fixed cached session data not being read from `SecureStore` on app startup ([#8953](https://github.com/better-auth/better-auth/pull/8953))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/expo/CHANGELOG.md)

## `@better-auth/passkey`

### Bug Fixes

- Fixed passkey authentication verification not returning the authenticated user ([#5209](https://github.com/better-auth/better-auth/pull/5209))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d3bde2d21f57d7dc37164b7b43f5c2c571ebd3f3/packages/passkey/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @GautamBytes, @gustavovalverde, @Kinfe123, @ouwargui, @ping-maxwell, @ramonclaudio, @ruban-s, @stewartjarod, @TanishValesha, @terijaki

**Full changelog:** [`v1.7.0-beta.1...v1.7.0-beta.2`](https://github.com/better-auth/better-auth/compare/v1.7.0-beta.1...v1.7.0-beta.2)

</Release>

<Release version="v1.6.7" date="April 22, 2026" published="2026-04-22T11:38:22.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.6.7">
## `better-auth`

### Features

- Added support for an array of client IDs as the ID token audience in social providers ([#9292](https://github.com/better-auth/better-auth/pull/9292))

### Bug Fixes

- Fixed response headers being lost when an `APIError` is thrown ([#9211](https://github.com/better-auth/better-auth/pull/9211))
- Fixed browser and edge runtime errors by serving a no-op `./instrumentation` module in those environments ([#9281](https://github.com/better-auth/better-auth/pull/9281))
- Fixed a crash when parsing OAuth2 state with an undefined request body ([#9293](https://github.com/better-auth/better-auth/pull/9293))
- Fixed `callbackOnVerification` not being called when `updatePhoneNumber` is enabled ([#4894](https://github.com/better-auth/better-auth/pull/4894))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/f8076d141aec8f41765eaf7229f386af663f64a0/packages/better-auth/CHANGELOG.md)

## `@better-auth/oauth-provider`

### Bug Fixes

- Fixed the userinfo endpoint to read the `Authorization` header from request context when using `auth.api` ([#9244](https://github.com/better-auth/better-auth/pull/9244))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/f8076d141aec8f41765eaf7229f386af663f64a0/packages/oauth-provider/CHANGELOG.md)

## `@better-auth/passkey`

### Bug Fixes

- Fixed passkey authentication verification not returning the user ([#5209](https://github.com/better-auth/better-auth/pull/5209))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/f8076d141aec8f41765eaf7229f386af663f64a0/packages/passkey/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@gustavovalverde, @Kinfe123, @ouwargui, @ramonclaudio, @stewartjarod, @TanishValesha

**Full changelog:** [`v1.6.6...v1.6.7`](https://github.com/better-auth/better-auth/compare/v1.6.6...v1.6.7)

</Release>

<Release version="v1.6.6" date="April 21, 2026" published="2026-04-21T16:44:41.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.6.6">
## `better-auth`

### Bug Fixes

- Fixed preservation of the `Partitioned` attribute when forwarding `Set-Cookie` headers ([#9235](https://github.com/better-auth/better-auth/pull/9235))
- Fixed boolean coercion for the `disableRefresh` query parameter in custom session validation ([#9214](https://github.com/better-auth/better-auth/pull/9214))
- Fixed incorrect inference of team additional fields in the organization plugin ([#9266](https://github.com/better-auth/better-auth/pull/9266))
- Added support for removing a phone number via `updateUser({ phoneNumber: null })` ([#9219](https://github.com/better-auth/better-auth/pull/9219))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/better-auth/CHANGELOG.md)

## `@better-auth/core`

### Features

- Added `mapConcurrent`, a bounded-concurrency async utility, at `@better-auth/core/utils/async` ([#9227](https://github.com/better-auth/better-auth/pull/9227))

### Bug Fixes

- Made `@opentelemetry/api` an optional peer dependency ([#9111](https://github.com/better-auth/better-auth/pull/9111))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/core/CHANGELOG.md)

## `@better-auth/api-key`

### Bug Fixes

- Improved performance by running secondary-storage API key lookups in parallel ([#9187](https://github.com/better-auth/better-auth/pull/9187))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/api-key/CHANGELOG.md)

## `@better-auth/expo`

### Bug Fixes

- Fixed session loading to read cached data from `SecureStore` on app startup, eliminating the login screen flash for returning users ([#8953](https://github.com/better-auth/better-auth/pull/8953))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/expo/CHANGELOG.md)

## `@better-auth/oauth-provider`

### Bug Fixes

- Fixed several SSRF vulnerabilities by unifying host classification and closing loopback bypass vectors across packages ([#9226](https://github.com/better-auth/better-auth/pull/9226))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/oauth-provider/CHANGELOG.md)

## `@better-auth/sso`

### Bug Fixes

- Fixed an ESM/CJS compatibility issue when loading samlify ([#9262](https://github.com/better-auth/better-auth/pull/9262))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/029007776025f314bac5cb9c400ff2ce5494e54e/packages/sso/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @gustavovalverde, @jonathansamines, @ping-maxwell, @terijaki

**Full changelog:** [`v1.6.5...v1.6.6`](https://github.com/better-auth/better-auth/compare/v1.6.5...v1.6.6)

</Release>

<Release version="v1.6.5" date="April 16, 2026" published="2026-04-16T10:07:31.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.6.5">
## `better-auth`

### Bug Fixes

- Clarified recommended production usage for the test utils plugin ([#9119](https://github.com/better-auth/better-auth/pull/9119))
- Fixed session not refreshing after `/change-password` and `/revoke-other-sessions` ([#9087](https://github.com/better-auth/better-auth/pull/9087))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8a91f4167bd0e5e06e64e0a351307e0094ff0de/packages/better-auth/CHANGELOG.md)

## `@better-auth/oauth-provider`

### Security

- Fixed [GHSA-xr8f-h2gw-9xh6](https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6), a high-severity authorization bypass in `@better-auth/oauth-provider` where unprivileged authenticated users could create OAuth clients when deployments relied on `clientPrivileges` to restrict client creation.
- First patched stable version: `@better-auth/oauth-provider@1.6.5`.
- Note: the published beta line (`1.7.0-beta.0` and `1.7.0-beta.1`) remains affected until a fixed beta release is published.

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8a91f4167bd0e5e06e64e0a351307e0094ff0de/packages/oauth-provider/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@GautamBytes, @ramonclaudio

**Full changelog:** [`v1.6.4...v1.6.5`](https://github.com/better-auth/better-auth/compare/v1.6.4...v1.6.5)

</Release>

<Release version="v1.6.4" date="April 15, 2026" published="2026-04-15T12:02:48.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.6.4">
## `better-auth`

### Bug Fixes

- Fixed `forceAllowId` UUIDs set in database hooks being ignored on PostgreSQL adapters when `advanced.database.generateId` is set to `"uuid"` ([#9068](https://github.com/better-auth/better-auth/pull/9068))
- Reverted 2FA enforcement scope to credential sign-in paths only, so magic link, email OTP, OAuth, SSO, passkey, and other non-credential sign-in flows no longer trigger a 2FA challenge ([#9205](https://github.com/better-auth/better-auth/pull/9205))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/9ec849ff7147f672a2759515e2aae8af7736962c/packages/better-auth/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@GautamBytes, @gustavovalverde

**Full changelog:** [`v1.6.3...v1.6.4`](https://github.com/better-auth/better-auth/compare/v1.6.3...v1.6.4)

</Release>

<Release version="v1.7.0-beta.1" date="April 15, 2026" published="2026-04-15T06:56:06.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.7.0-beta.1">
## `better-auth`

### Bug Fixes

- Fixed dynamic `baseURL` resolution from request headers for direct `auth.api` calls ([#9113](https://github.com/better-auth/better-auth/pull/9113))
- Fixed a race condition in the client that caused excessive requests due to `isMounted` timing issues ([#9078](https://github.com/better-auth/better-auth/pull/9078))
- Fixed 2FA enforcement to apply across all sign-in paths, including magic link, OAuth, passkey, and email OTP ([#9122](https://github.com/better-auth/better-auth/pull/9122))
- Fixed backup code updates to respect the configured `storeBackupCodes` storage strategy after verification ([#7231](https://github.com/better-auth/better-auth/pull/7231))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d2a1ec091f5797524cf3b0088c005800ddb07689/packages/better-auth/CHANGELOG.md)

## `@better-auth/oauth-provider`

### ❗ Breaking Changes

- Rewrote the generic OAuth plugin as a first-class social provider with OAuth 2.1 security defaults ([#9069](https://github.com/better-auth/better-auth/pull/9069))
> **Migration:** Replace `signIn.oauth2({ providerId })` with `signIn.social({ provider })`, `oauth2.link()` with `linkSocial()`, and update your IdP callback URLs from `/api/auth/oauth2/callback/:id` to `/api/auth/callback/:id`. Remove `genericOAuthClient()`, `issuer`, and `requireIssuerValidation` from your config. Set `pkce: false` for providers that reject PKCE challenges.

### Features

- Added `customTokenResponseFields` callback to inject custom fields into token endpoint responses, and hardened authorization code validation ([#9118](https://github.com/better-auth/better-auth/pull/9118))
- Added `at_hash` claim to ID tokens to cryptographically bind them to their access tokens, per OIDC Core §3.1.3.6 ([#9079](https://github.com/better-auth/better-auth/pull/9079))

### Bug Fixes

- Fixed dynamic `baseURL` resolution to correctly handle trusted proxy headers, loopback addresses, and forwarded requests in plugin metadata helpers ([#9131](https://github.com/better-auth/better-auth/pull/9131))
- Fixed unauthenticated dynamic client registration to automatically downgrade confidential auth methods to public client, improving compatibility with MCP clients ([#9123](https://github.com/better-auth/better-auth/pull/9123))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d2a1ec091f5797524cf3b0088c005800ddb07689/packages/oauth-provider/CHANGELOG.md)

## `@better-auth/sso`

### ❗ Breaking Changes

- Consolidated the SAML ACS endpoint, removed `callbackUrl` from `samlConfig`, and fixed SLO session matching ([#9117](https://github.com/better-auth/better-auth/pull/9117))
> **Migration:** Remove `callbackUrl` from `samlConfig` (the ACS URL is now auto-derived from `baseURL` and `providerId`) and update your IdP's ACS URL to `/sso/saml2/sp/acs/:providerId`. Remove `decryptionPvk`, `additionalParams`, `idpMetadata.entityURL`, and `idpMetadata.redirectURL` from `SAMLConfig` if present. The `spMetadata` field is now optional and can be removed.

### Bug Fixes

- Upgraded `samlify` to 2.12.0, adding XPath injection protection and XXE prevention for SAML XML processing ([#9121](https://github.com/better-auth/better-auth/pull/9121))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d2a1ec091f5797524cf3b0088c005800ddb07689/packages/sso/CHANGELOG.md)

## ✨ `@better-auth/cimd` ✨

### Features

- Added the `@better-auth/cimd` plugin for Client ID Metadata Document support, enabling URL-based client identification for MCP and dynamic client discovery flows ([#9159](https://github.com/better-auth/better-auth/pull/9159))

For package details, see [`README`](https://github.com/better-auth/better-auth/blob/d2a1ec091f5797524cf3b0088c005800ddb07689/packages/cimd/README.md)

## `@better-auth/stripe`

### Bug Fixes

- Fixed a prototype pollution vulnerability in the Stripe plugin when handling user-supplied metadata ([#9164](https://github.com/better-auth/better-auth/pull/9164))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/d2a1ec091f5797524cf3b0088c005800ddb07689/packages/stripe/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @Byte-Biscuit, @gustavovalverde, @ping-maxwell

**Full changelog:** [`v1.7.0-beta.0...v1.7.0-beta.1`](https://github.com/better-auth/better-auth/compare/v1.7.0-beta.0...v1.7.0-beta.1)

</Release>

<Release version="v1.6.3" date="April 14, 2026" published="2026-04-14T11:07:07.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.6.3">
## `better-auth`

### Features

- Added support for Stripe SDK v21 and v22 ([#9084](https://github.com/better-auth/better-auth/pull/9084))

### Bug Fixes

- Fixed incorrect `operationId` for the `requestPasswordResetCallback` endpoint in the OpenAPI spec ([#9072](https://github.com/better-auth/better-auth/pull/9072))
- Fixed dynamic `baseURL` resolution from request headers for direct `auth.api` calls ([#9113](https://github.com/better-auth/better-auth/pull/9113))
- Fixed `isMounted` race condition that caused excessive requests per second in the client ([#9078](https://github.com/better-auth/better-auth/pull/9078))
- Fixed nullable schema for the get-session endpoint in the OpenAPI 3.1 spec ([#8389](https://github.com/better-auth/better-auth/pull/8389))
- Fixed checkout and upgrade flows to omit quantity for metered prices ([#8926](https://github.com/better-auth/better-auth/pull/8926))
- Fixed 2FA enforcement to trigger on all sign-in paths, including magic-link, OAuth, passkey, email-OTP, and SIWE ([#9122](https://github.com/better-auth/better-auth/pull/9122))
- Fixed backup code updates to respect the configured `storeBackupCodes` storage strategy after verification ([#7231](https://github.com/better-auth/better-auth/pull/7231))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/6f17bb3ebd992867be968f38d73fdfff28eeeaab/packages/better-auth/CHANGELOG.md)

## `@better-auth/oauth-provider`

### Features

- Added `customTokenResponseFields` callback for injecting custom fields into token endpoint responses, and hardened authorization code validation ([#9118](https://github.com/better-auth/better-auth/pull/9118))

### Bug Fixes

- Hardened dynamic `baseURL` resolution for direct `auth.api` calls and plugin metadata helpers ([#9131](https://github.com/better-auth/better-auth/pull/9131))
- Fixed unauthenticated dynamic client registration to silently override confidential auth methods to public, improving compatibility with MCP clients ([#9123](https://github.com/better-auth/better-auth/pull/9123))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/6f17bb3ebd992867be968f38d73fdfff28eeeaab/packages/oauth-provider/CHANGELOG.md)

## `@better-auth/sso`

### Bug Fixes

- Fixed multiple SAML response processing bugs, including ACS URL generation, encryption field handling, and provider config parsing ([#9097](https://github.com/better-auth/better-auth/pull/9097))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/6f17bb3ebd992867be968f38d73fdfff28eeeaab/packages/sso/CHANGELOG.md)

## `@better-auth/stripe`

### Bug Fixes

- Fixed prototype pollution vulnerability when merging user-supplied metadata in the Stripe plugin ([#9164](https://github.com/better-auth/better-auth/pull/9164))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/6f17bb3ebd992867be968f38d73fdfff28eeeaab/packages/stripe/CHANGELOG.md)

## `auth`

### Bug Fixes

- Fixed tsconfig path alias resolution for extended configs and mid-path wildcards in the CLI ([#9032](https://github.com/better-auth/better-auth/pull/9032))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/6f17bb3ebd992867be968f38d73fdfff28eeeaab/packages/cli/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @Byte-Biscuit, @gustavovalverde, @Oluwatobi-Mustapha, @ping-maxwell, @ramonclaudio

**Full changelog:** [`v1.6.2...v1.6.3`](https://github.com/better-auth/better-auth/compare/v1.6.2...v1.6.3)

</Release>

<Release version="v1.7.0-beta.0" date="April 10, 2026" published="2026-04-10T20:31:59.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.7.0-beta.0">
## `better-auth`

### ❗ Breaking Changes

- feat(two-factor)!: add OTP enablement and discriminated response ([#9057](https://github.com/better-auth/better-auth/pull/9057))

  `enableTwoFactor` now accepts a `method` parameter (`"otp" | "totp"`, default `"totp"`) and returns a discriminated response with a `method` field.

  ### `method: "otp"`

  - Sets `twoFactorEnabled: true` immediately.
  - Returns `{ method: "otp" }`.
  - Requires `otpOptions.sendOTP` to be configured on the server; rejects with `OTP_NOT_CONFIGURED` otherwise.

  ### `method: "totp"` (default)

  - Returns `{ method: "totp", totpURI, backupCodes }`.
  - Rejects with `TOTP_NOT_CONFIGURED` if `totpOptions.disable` is set.

  ### Breaking changes

  - **Removed `skipVerificationOnEnable`**: use `method: "otp"` for immediate activation, or the standard TOTP verification flow.
  - **Response shape changed**: `enableTwoFactor` includes a `method` field in the response (`"otp"` or `"totp"`).

### Features

- feat(stripe): support Stripe SDK v21 and v22 ([#9084](https://github.com/better-auth/better-auth/pull/9084))

### Bug Fixes

- fix: incorrect `operationId` in password reset callback endpoint ([#9072](https://github.com/better-auth/better-auth/pull/9072))
- fix(open-api): correct get-session nullable schema for OAS 3.1 ([#8389](https://github.com/better-auth/better-auth/pull/8389))
- fix(stripe): omit quantity for metered prices in checkout and upgrades ([#8926](https://github.com/better-auth/better-auth/pull/8926))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8cf0f7c1a26ac70504a76f47d736c56cb029320/packages/better-auth/CHANGELOG.md)

## `@better-auth/sso`

### ❗ Breaking Changes

- fix(sso)!: harden SAML response validation (InResponseTo, Audience, SessionIndex) ([#9055](https://github.com/better-auth/better-auth/pull/9055))

  ### Breaking Changes

  - **`allowIdpInitiated` now defaults to `false`** — IdP-initiated SSO (unsolicited SAML responses) is disabled by default. Set `saml.allowIdpInitiated: true` to restore the previous behavior. This aligns with the SAML2Int interoperability profile which recommends against IdP-initiated SSO due to its susceptibility to injection attacks.

  ### Bug Fixes

  - **InResponseTo validation was completely non-functional** — The code read `extract.inResponseTo` (always `undefined`) instead of samlify's actual path `extract.response.inResponseTo`. SP-initiated InResponseTo validation now works as intended in both ACS handlers.
  - **Audience Restriction was never validated** — SAML assertions issued for a different service provider were accepted without checking the `<AudienceRestriction>` element. Audience is now validated against the configured `samlConfig.audience` value per SAML 2.0 Core §2.5.1.
  - **SessionIndex stored as object instead of string** — samlify returns `sessionIndex` from login responses as `{ authnInstant, sessionNotOnOrAfter, sessionIndex }`, but the code stored the whole object. SLO session-index comparisons always failed silently. The correct inner `sessionIndex` string is now extracted.

  ### Improvements

  - Extracted shared `validateInResponseTo()` and `validateAudience()` into `packages/sso/src/saml/response-validation.ts`, eliminating ~160 lines of duplicated validation logic between the two ACS handlers.
  - Fixed `SAMLAssertionExtract` type to match samlify's actual extractor output shape.
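
The three checks described above, run over a constructed object shaped the way these notes describe the extractor output. This is an added example, not code from better-auth or samlify: `validateSamlExtract`, `readInResponseToLegacy`, the placement of `audience` on the extract, and every sample value are assumptions made for illustration.

```typescript
// Added example. Names, shapes and values are constructed for illustration.
interface SessionIndexInfo {
  authnInstant?: string;
  sessionNotOnOrAfter?: string;
  sessionIndex?: string;
}

interface SamlExtract {
  response?: { id?: string; inResponseTo?: string };
  audience?: string | string[]; // assumed location of the AudienceRestriction value
  sessionIndex?: SessionIndexInfo;
}

interface ValidationOptions {
  expectedAudience: string;       // plays the role of samlConfig.audience
  allowIdpInitiated: boolean;     // false by default after the change
  pendingRequestIds: Set<string>; // AuthnRequest IDs this SP issued and has not consumed
}

type ValidationResult =
  | { ok: true; sessionIndex: string | null }
  | { ok: false; reason: string };

// The read path the notes describe as broken: the top-level property does not
// exist on the extract, so this is always undefined and the check never ran.
function readInResponseToLegacy(extract: SamlExtract): string | undefined {
  return (extract as unknown as { inResponseTo?: string }).inResponseTo;
}

function validateSamlExtract(
  extract: SamlExtract,
  opts: ValidationOptions
): ValidationResult {
  // 1. InResponseTo: read from the nested `response` object.
  const inResponseTo = extract.response?.inResponseTo;
  if (inResponseTo === undefined || inResponseTo === "") {
    // Unsolicited (IdP-initiated) response: rejected unless explicitly allowed.
    if (!opts.allowIdpInitiated) {
      return { ok: false, reason: "unsolicited_response" };
    }
  } else {
    if (!opts.pendingRequestIds.has(inResponseTo)) {
      return { ok: false, reason: "unknown_in_response_to" };
    }
    // Single use: a replayed response with the same ID fails the check above.
    opts.pendingRequestIds.delete(inResponseTo);
  }

  // 2. Audience: the assertion must name this service provider.
  const audiences =
    extract.audience === undefined
      ? []
      : Array.isArray(extract.audience)
        ? extract.audience
        : [extract.audience];
  if (!audiences.includes(opts.expectedAudience)) {
    return { ok: false, reason: "audience_mismatch" };
  }

  // 3. SessionIndex: keep the inner string, not the wrapper object, so a later
  //    single-logout comparison is string against string.
  const sessionIndex = extract.sessionIndex?.sessionIndex ?? null;
  return { ok: true, sessionIndex };
}

// Flattens a result to one string for logging.
function reasonOf(result: ValidationResult): string {
  return result.ok ? "ok" : result.reason;
}

// Constructed sample input.
function sampleExtract(): SamlExtract {
  return {
    response: { id: "_resp-1", inResponseTo: "_req-1" },
    audience: "https://sp.example.test/saml/metadata",
    sessionIndex: {
      authnInstant: "2026-04-10T20:00:00Z",
      sessionNotOnOrAfter: "2026-04-11T04:00:00Z",
      sessionIndex: "_sess-42",
    },
  };
}
```
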

### Bug Fixes

- fix(sso): unify SAML response processing and fix bugs ([#9097](https://github.com/better-auth/better-auth/pull/9097))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8cf0f7c1a26ac70504a76f47d736c56cb029320/packages/sso/CHANGELOG.md)

## `@better-auth/oauth-provider`

### Features

- feat(oauth): add `private_key_jwt` client authentication (RFC 7523) ([#8836](https://github.com/better-auth/better-auth/pull/8836))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8cf0f7c1a26ac70504a76f47d736c56cb029320/packages/oauth-provider/CHANGELOG.md)

## `auth`

### Bug Fixes

- fix(cli): handle extends and mid-path wildcards in tsconfig paths ([#9032](https://github.com/better-auth/better-auth/pull/9032))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/c8cf0f7c1a26ac70504a76f47d736c56cb029320/packages/cli/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @gustavovalverde, @Oluwatobi-Mustapha, @ramonclaudio

**Full changelog:** [`v1.6.2...v1.7.0-beta.0`](https://github.com/better-auth/better-auth/compare/v1.6.2...v1.7.0-beta.0)

</Release>

<Release version="v1.6.2" date="April 9, 2026" published="2026-04-09T14:20:45.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.6.2">
## `better-auth`

### ❗ Breaking Changes

- Prevented unverified TOTP enrollment from blocking sign-in ([#8711](https://github.com/better-auth/better-auth/pull/8711))
> **Migration:** Schema migration required.
>
> Add the `verified` column to the `twoFactor` table, then regenerate/apply your ORM migration.
> - Prisma: run `npx auth@latest generate`, then `npx prisma migrate dev` (or `npx prisma db push`) and `npx prisma generate`.
> - Drizzle: run `npx auth@latest generate`, then `npx drizzle-kit generate` and `npx drizzle-kit migrate`.
>
> Existing rows do not need a backfill because the column defaults to `true`.

### Features

- Included enabled 2FA methods in sign-in redirect response ([#8772](https://github.com/better-auth/better-auth/pull/8772))

### Bug Fixes

- Fixed OAuth state verification against cookie-stored nonce to prevent CSRF ([#8949](https://github.com/better-auth/better-auth/pull/8949))
- Fixed infinite router refresh loops in `nextCookies()` by replacing cookie probe with header-based RSC detection ([#9059](https://github.com/better-auth/better-auth/pull/9059))
- Fixed cross-provider account collision in link-social callback ([#8983](https://github.com/better-auth/better-auth/pull/8983))
- Included `RelayState` in signed SAML AuthnRequests ([#9058](https://github.com/better-auth/better-auth/pull/9058))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/3c12c2043a0be4bbc4438f32e115c381550edce3/packages/better-auth/CHANGELOG.md)

## `@better-auth/oauth-provider`

### Bug Fixes

- Fixed multi-valued query params collapsing through prompt redirects ([#9060](https://github.com/better-auth/better-auth/pull/9060))
- Rejected `skip_consent` at schema level in dynamic client registration ([#8998](https://github.com/better-auth/better-auth/pull/8998))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/3c12c2043a0be4bbc4438f32e115c381550edce3/packages/oauth-provider/CHANGELOG.md)

## `@better-auth/sso`

### Bug Fixes

- Fixed SAMLResponse decoding failures caused by line-wrapped base64 ([#8968](https://github.com/better-auth/better-auth/pull/8968))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/3c12c2043a0be4bbc4438f32e115c381550edce3/packages/sso/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@aarmful, @cyphercodes, @dvanmali, @gustavovalverde, @jaydeep-pipaliya, @ping-maxwell

**Full changelog:** [`v1.6.1...v1.6.2`](https://github.com/better-auth/better-auth/compare/v1.6.1...v1.6.2)
</Release>

<Release version="v1.6.1" date="April 8, 2026" published="2026-04-08T19:31:17.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.6.1">
## `better-auth`

### Bug Fixes

- Fixed endpoint instrumentation to always use the route template ([#9023](https://github.com/better-auth/better-auth/pull/9023))
- Returned `INVALID_PASSWORD` for all `checkPassword` failures ([#8902](https://github.com/better-auth/better-auth/pull/8902))
- Restored `getSession` accessibility in generic `Auth<O>` context ([#9017](https://github.com/better-auth/better-auth/pull/9017))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/3c12c2043a0be4bbc4438f32e115c381550edce3/packages/better-auth/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @jonathansamines, @ping-maxwell

**Full changelog:** [`v1.6.0...v1.6.1`](https://github.com/better-auth/better-auth/compare/v1.6.0...v1.6.1)

</Release>

<Release version="v1.6.0" date="April 6, 2026" published="2026-04-06T16:24:58.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.6.0">
**Blog post:** [Better Auth 1.6](https://better-auth.com/blog/1-6)

## `better-auth`

### ❗ Breaking Changes

- Aligned `freshAge` calculation with session creation time instead of update time ([#8762](https://github.com/better-auth/better-auth/pull/8762))
> **Migration:** `session.freshAge` now calculates from `createdAt`. Set `session: { freshAge: 0 }` to disable the check entirely.

### Features

- Added experimental OpenTelemetry instrumentation for endpoints, hooks, middleware, and database operations ([#8027](https://github.com/better-auth/better-auth/pull/8027))
- Added `resendStrategy` option to reuse existing OTP in email-otp plugin ([#8560](https://github.com/better-auth/better-auth/pull/8560))
- Added `enable` option for HaveIBeenPwned plugin ([#8728](https://github.com/better-auth/better-auth/pull/8728))
- Added request metadata to `sendMagicLink` callback ([#8571](https://github.com/better-auth/better-auth/pull/8571))
- Added dedicated `secret` option to OAuth proxy to reduce shared key exposure ([#8699](https://github.com/better-auth/better-auth/pull/8699))
- Added explicit `organizationId` parameter in team endpoints ([#5062](https://github.com/better-auth/better-auth/pull/5062))
- Added WeChat social provider ([#5189](https://github.com/better-auth/better-auth/pull/5189))
- Added `twoFactorPage` config option for custom 2FA page routing ([#5329](https://github.com/better-auth/better-auth/pull/5329))

### Bug Fixes

- Deprecated `oidc-provider` plugin in favor of `@better-auth/oauth-provider` ([#8985](https://github.com/better-auth/better-auth/pull/8985))
- Fixed access control indexing type ([#8155](https://github.com/better-auth/better-auth/pull/8155))
- Added origin check middleware to password reset request ([#8392](https://github.com/better-auth/better-auth/pull/8392))
- Fixed account cookie comparison to use provider `accountId` instead of internal id ([#8786](https://github.com/better-auth/better-auth/pull/8786))
- Fixed session id generation when using secondary storage without database ([#8927](https://github.com/better-auth/better-auth/pull/8927))
- Fixed `skipOriginCheck` array handling ([#8582](https://github.com/better-auth/better-auth/pull/8582))
- Fixed misleading rate limit IP warning ([#8617](https://github.com/better-auth/better-auth/pull/8617))
- Passed `user` field through idToken sign-in body for Apple name support ([#8417](https://github.com/better-auth/better-auth/pull/8417))
- Preserved custom session fields on focus refresh ([#8354](https://github.com/better-auth/better-auth/pull/8354))
- Fixed double encoded cookie ([#8133](https://github.com/better-auth/better-auth/pull/8133))
- Prevented revoked sessions from being restored via database fallback ([#8708](https://github.com/better-auth/better-auth/pull/8708))
- Resolved duplicate `operationId` in admin plugin endpoints ([#8570](https://github.com/better-auth/better-auth/pull/8570))
- Rethrew phone `sendOTP` failures instead of silently swallowing them ([#8842](https://github.com/better-auth/better-auth/pull/8842))
- Set stateless `cookieCache` maxAge to match `session.expiresIn` ([#8648](https://github.com/better-auth/better-auth/pull/8648))
- Threw on duplicate email when `autoSignIn: false` without `requireEmailVerification` ([#8521](https://github.com/better-auth/better-auth/pull/8521))
- Fixed `accountInfo` endpoint to use `accountId` instead of internal id ([#8346](https://github.com/better-auth/better-auth/pull/8346))
- Restored deprecated `createAdapter` and type exports for backwards compatibility ([#8461](https://github.com/better-auth/better-auth/pull/8461))
- Fixed `Response` return for HTTP request contexts ([#7521](https://github.com/better-auth/better-auth/pull/7521))
- Fixed `throw: true` handling in client session refresh ([#8610](https://github.com/better-auth/better-auth/pull/8610))
- Preserved stale session data on network or server errors ([#8437](https://github.com/better-auth/better-auth/pull/8437))
- Fixed bundler re-export type resolution with direct imports ([#8261](https://github.com/better-auth/better-auth/pull/8261))
- Fixed Set-Cookie header splitting with lookahead heuristic ([#8301](https://github.com/better-auth/better-auth/pull/8301))
- Prioritized `generateId: "uuid"` over adapter `customIdGenerator` ([#8679](https://github.com/better-auth/better-auth/pull/8679))
- Fixed date string revival in `safeJSONParse` for pre-parsed objects ([#8248](https://github.com/better-auth/better-auth/pull/8248))
- Fixed postgres migration to use `CREATE INDEX` ([#8538](https://github.com/better-auth/better-auth/pull/8538))
- Triggered `sessionSignal` after requesting email change in email-otp ([#8816](https://github.com/better-auth/better-auth/pull/8816))
- Fixed generic-oauth to use discovery userinfo endpoint instead of hardcoded URLs ([#8223](https://github.com/better-auth/better-auth/pull/8223))
- Normalized missing resolver path in last-login-method plugin ([#8589](https://github.com/better-auth/better-auth/pull/8589))
- Returned additional fields in `/magic-link/verify` ([#7223](https://github.com/better-auth/better-auth/pull/7223))
- Fixed OAuth proxy to read callback params from body for `form_post` ([#8895](https://github.com/better-auth/better-auth/pull/8895))
- Fixed double-hashing of OAuth state when `storeIdentifier` is hashed ([#8980](https://github.com/better-auth/better-auth/pull/8980))
- Fixed `redirect_uri` validation for `prompt=none` in oidc-provider ([#8398](https://github.com/better-auth/better-auth/pull/8398))
- Opted into FedCM to suppress Google GSI deprecation warnings ([#8720](https://github.com/better-auth/better-auth/pull/8720))
- Filtered null organizations in `listUserInvitations` ([#8694](https://github.com/better-auth/better-auth/pull/8694))
- Fixed multi-role user handling in invite and member removal checks ([#8442](https://github.com/better-auth/better-auth/pull/8442))
- Enforced authorization on SCIM management endpoints and normalized passkey ownership checks ([#8843](https://github.com/better-auth/better-auth/pull/8843))
- Allowed passwordless users to manage 2FA ([#7243](https://github.com/better-auth/better-auth/pull/7243))
- Wired `twoFactorTable` option to schema `modelName` ([#8443](https://github.com/better-auth/better-auth/pull/8443))
- Prevented `any` from collapsing `auth.$Infer` and client inference types ([#8981](https://github.com/better-auth/better-auth/pull/8981))
- Fixed `updateUser` to not overwrite unrelated username fields ([#7570](https://github.com/better-auth/better-auth/pull/7570))
- Enforced username uniqueness in `updateUser` ([#8731](https://github.com/better-auth/better-auth/pull/8731))
- Used non-blocking scrypt for password hashing to avoid blocking the event loop ([#8685](https://github.com/better-auth/better-auth/pull/8685))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/better-auth/CHANGELOG.md)

## `@better-auth/sso`

### ❗ Breaking Changes

- Enabled InResponseTo validation by default for SP-initiated SAML flows ([#8736](https://github.com/better-auth/better-auth/pull/8736))
> **Migration:** Set `sso({ saml: { enableInResponseToValidation: false } })` to restore the previous behavior.

### Features

- Added logging for OIDC callback code validation failures ([#8693](https://github.com/better-auth/better-auth/pull/8693))

### Bug Fixes

- Patched transitive `node-forge` vulnerability via `samlify` pin ([#8838](https://github.com/better-auth/better-auth/pull/8838))
- Fixed bare domain handling in domain verification ([#8369](https://github.com/better-auth/better-auth/pull/8369))
- Preferred UserInfo endpoint over ID token and mapped `sub` claim correctly ([#8276](https://github.com/better-auth/better-auth/pull/8276))
- Fixed `provisionUser` inconsistency and added `provisionUserOnEveryLogin` option ([#8818](https://github.com/better-auth/better-auth/pull/8818))
- Skipped state cookie check for SAML ACS cross-site POST ([#8735](https://github.com/better-auth/better-auth/pull/8735))
- Fixed verification operations to use `internalAdapter` ([#8353](https://github.com/better-auth/better-auth/pull/8353))
- Fixed ESM compatibility with namespace import for samlify ([#8697](https://github.com/better-auth/better-auth/pull/8697))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/sso/CHANGELOG.md)

## `@better-auth/mongo-adapter`

### ❗ Breaking Changes

- Stored UUIDs as native BSON UUID type ([#8681](https://github.com/better-auth/better-auth/pull/8681))
> **Migration:** New documents use native BSON UUIDs. Existing string UUIDs continue to work. No data migration required.

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/mongo-adapter/CHANGELOG.md)

## `@better-auth/oauth-provider`

### Features

- Added pairwise subject identifiers (OIDC Core Section 8) ([#8292](https://github.com/better-auth/better-auth/pull/8292))
- Added public client prelogin endpoint ([#8214](https://github.com/better-auth/better-auth/pull/8214))

### Bug Fixes

- Allowed localhost subdomains in `isLocalhost` function ([#8286](https://github.com/better-auth/better-auth/pull/8286))
- Fixed fetch redirect CORS after login ([#8519](https://github.com/better-auth/better-auth/pull/8519))
- Allowed `customIdTokenClaims` to override standard claims ([#7865](https://github.com/better-auth/better-auth/pull/7865))
- Enforced DB-backed sessions when secondary storage is enabled ([#8894](https://github.com/better-auth/better-auth/pull/8894))
- Fixed dist declaration type errors ([#8701](https://github.com/better-auth/better-auth/pull/8701))
- Fixed dynamic `baseURL` config handling in init ([#8649](https://github.com/better-auth/better-auth/pull/8649))
- Improved allowed paths for `oauth_query` in client plugin ([#8320](https://github.com/better-auth/better-auth/pull/8320))
- Allowed `customIdTokenClaims` to override `acr` and `auth_time` ([#8633](https://github.com/better-auth/better-auth/pull/8633))
- Normalized `auth_time` timestamps across adapter shapes ([#8761](https://github.com/better-auth/better-auth/pull/8761))
- Returned JSON redirects from post-login OAuth continuation to fix CORS-blocked 302s ([#8815](https://github.com/better-auth/better-auth/pull/8815))
- Fixed PAR scope loss, loopback redirect matching, and DCR `skip_consent` ([#8632](https://github.com/better-auth/better-auth/pull/8632))
- Added `prompt=none` support ([#8554](https://github.com/better-auth/better-auth/pull/8554))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/oauth-provider/CHANGELOG.md)

## `@better-auth/stripe`

### Features

- Added customizable `prorationBehavior` per plan ([#8525](https://github.com/better-auth/better-auth/pull/8525))

### Bug Fixes

- Improved organization customer search by adding `customerType` check ([#8609](https://github.com/better-auth/better-auth/pull/8609))
- Replaced `{CHECKOUT_SESSION_ID}` placeholder in success `callbackURL` ([#8568](https://github.com/better-auth/better-auth/pull/8568))
- Returned correct `priceId` for annual subscriptions in list ([#8810](https://github.com/better-auth/better-auth/pull/8810))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/stripe/CHANGELOG.md)

## `@better-auth/drizzle-adapter`

### Features

- Added case-insensitive query support (`mode: "insensitive"`) ([#8556](https://github.com/better-auth/better-auth/pull/8556))

### Bug Fixes

- Fixed Drizzle adapter failing date transformation ([#8289](https://github.com/better-auth/better-auth/pull/8289))
- Used `IS NULL` / `IS NOT NULL` for null value comparisons ([#8660](https://github.com/better-auth/better-auth/pull/8660))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/drizzle-adapter/CHANGELOG.md)

## `@better-auth/expo`

### Features

- Exposed plugin version field on all built-in plugins ([#8750](https://github.com/better-auth/better-auth/pull/8750))

### Bug Fixes

- Fixed shim `require` issue ([#8253](https://github.com/better-auth/better-auth/pull/8253))
- Fixed origin override handling across mutable and immutable requests ([#8405](https://github.com/better-auth/better-auth/pull/8405))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/expo/CHANGELOG.md)

## `@better-auth/prisma-adapter`

### Bug Fixes

- Moved adapter packages to dependencies to fix missing module errors ([#8401](https://github.com/better-auth/better-auth/pull/8401))
- Used `updateMany` fallback for non-unique updates ([#8524](https://github.com/better-auth/better-auth/pull/8524))
- Used `deleteMany` when deleting by non-unique field ([#8314](https://github.com/better-auth/better-auth/pull/8314))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/prisma-adapter/CHANGELOG.md)

## `auth`

### Features

- Migrated MCP server URL to `mcp.better-auth.com` ([#8747](https://github.com/better-auth/better-auth/pull/8747))

### Bug Fixes

- Fixed path alias resolution from extended tsconfig files ([#8520](https://github.com/better-auth/better-auth/pull/8520))
- Treated omitted `required` as `true` in Drizzle and Prisma generators ([#8614](https://github.com/better-auth/better-auth/pull/8614))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/cli/CHANGELOG.md)

## `@better-auth/electron`

### Bug Fixes

- Fixed verification operations with secondary storage ([#8247](https://github.com/better-auth/better-auth/pull/8247))
- Handled `safeStorage` encryption failures gracefully ([#8530](https://github.com/better-auth/better-auth/pull/8530))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/electron/CHANGELOG.md)

## `@better-auth/passkey`

### Features

- Added pre-auth registration and WebAuthn extensions support ([#7154](https://github.com/better-auth/better-auth/pull/7154))

### Bug Fixes

- Fixed error message strings in passkey client ([#8751](https://github.com/better-auth/better-auth/pull/8751))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/passkey/CHANGELOG.md)

## `@better-auth/test-utils`

### Features

- Exported adapter test suites from `@better-auth/test-utils/adapter` ([#8564](https://github.com/better-auth/better-auth/pull/8564))

### Bug Fixes

- Removed `using` keyword for runtime compatibility ([#8756](https://github.com/better-auth/better-auth/pull/8756))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/test-utils/CHANGELOG.md)

## `@better-auth/api-key`

### Bug Fixes

- Fixed turbo caching, enforced lockfile integrity, and expanded pre-commit hooks ([#8892](https://github.com/better-auth/better-auth/pull/8892))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/api-key/CHANGELOG.md)

## `@better-auth/core`

### Bug Fixes

- Stopped marking redirect `APIError`s as span errors in OpenTelemetry traces ([#8850](https://github.com/better-auth/better-auth/pull/8850))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/core/CHANGELOG.md)

## `@better-auth/kysely-adapter`

### Bug Fixes

- Removed deprecated `numUpdatedOrDeletedRows` from D1 dialect ([#8798](https://github.com/better-auth/better-auth/pull/8798))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/kysely-adapter/CHANGELOG.md)

## `@better-auth/telemetry`

### Bug Fixes

- Used conditional exports to replace dynamic import hacks ([#8458](https://github.com/better-auth/better-auth/pull/8458))

For detailed changes, see [`CHANGELOG`](https://github.com/better-auth/better-auth/blob/0956e59d9181bf9d24039564fad3c7d3bdcc3c49/packages/telemetry/CHANGELOG.md)

## Contributors

Thanks to everyone who contributed to this release:

@aarmful, @bytaesu, @dvanmali, @Eric-Song-Nop, @formatlos, @GautamBytes, @GoPro16, @gustavovalverde, @himself65, @jonathansamines, @jslno, @mrgrauel, @NathanColosimo, @okisdev, @olliethedev, @Oluwatobi-Mustapha, @OscarCornish, @ping-maxwell, @raihanbrillmark, @sicarius97, @Sigmabrogz, @wuzgood98, @xiaoyu2er, @YevheniiKotyrlo

**Full changelog:** [`v1.5.6...v1.6.0`](https://github.com/better-auth/better-auth/compare/v1.5.6...v1.6.0)

</Release>

<Release version="v1.5.7-beta.1" date="March 23, 2026" published="2026-03-23T04:10:13.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.5.7-beta.1">
*No significant changes*

##### [View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.1-beta.4...v1.5.7-beta.1)
</Release>

<Release version="v1.5.1-beta.4" date="March 23, 2026" published="2026-03-23T04:04:27.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.5.1-beta.4">
### 🚀 Features

- Agent auth plugin - by @Bekacru in https://github.com/better-auth/better-auth/issues/8696 [<samp>(5648b)</samp>](https://github.com/better-auth/better-auth/commit/5648bd868)
- **core**:
  - Add experimental opentelemetry instrumentation - by @jonathansamines and @bytaesu in https://github.com/better-auth/better-auth/issues/8027 [<samp>(e42ea)</samp>](https://github.com/better-auth/better-auth/commit/e42ead580)
- **email-otp**:
  - Add `resendStrategy` option to reuse existing OTP - by @bytaesu in https://github.com/better-auth/better-auth/issues/8560 [<samp>(bbe1a)</samp>](https://github.com/better-auth/better-auth/commit/bbe1affa4)
- **haveibeenpwned**:
  - Add enable option - by @aarmful and **Taesu** in https://github.com/better-auth/better-auth/issues/8728 [<samp>(df9ab)</samp>](https://github.com/better-auth/better-auth/commit/df9abae0b)
- **magic-link**:
  - Add request metadata to sendMagicLink - by @mrgrauel in https://github.com/better-auth/better-auth/issues/8571 [<samp>(230cf)</samp>](https://github.com/better-auth/better-auth/commit/230cfb9b2)
- **mongo-adapter**:
  - Store UUIDs as native BSON UUID - by @bytaesu in https://github.com/better-auth/better-auth/issues/8681 [<samp>(3aa10)</samp>](https://github.com/better-auth/better-auth/commit/3aa107291)
- **oauth-provider**:
  - Pairwise subject identifiers (OIDC Core §8) - by @gustavovalverde and @himself65 in https://github.com/better-auth/better-auth/issues/8292 [<samp>(ab7ec)</samp>](https://github.com/better-auth/better-auth/commit/ab7ec8a70)
  - Public client prelogin endpoint - by @dvanmali in https://github.com/better-auth/better-auth/issues/8214 [<samp>(20e45)</samp>](https://github.com/better-auth/better-auth/commit/20e4561c9)
- **oauth-proxy**:
  - Add dedicated `secret` option to reduce shared key exposure surface - by @bytaesu in https://github.com/better-auth/better-auth/issues/8699 [<samp>(faffb)</samp>](https://github.com/better-auth/better-auth/commit/faffbd620)
- **organization**:
  - Explicit `organizationId` in team endpoints - by @xiaoyu2er and @himself65 in https://github.com/better-auth/better-auth/issues/5062 [<samp>(5d60d)</samp>](https://github.com/better-auth/better-auth/commit/5d60dc585)
- **social-provider**:
  - Add wechat social provider - by @Eric-Song-Nop, **Claude** and @himself65 in https://github.com/better-auth/better-auth/issues/5189 [<samp>(6061b)</samp>](https://github.com/better-auth/better-auth/commit/6061bed1f)
- **sso**:
  - Add logging for when code validation fails in oidc callback - by @OscarCornish in https://github.com/better-auth/better-auth/issues/8693 [<samp>(ac954)</samp>](https://github.com/better-auth/better-auth/commit/ac9541a84)
- **stripe**:
  - Allow customizable `prorationBehavior` per plan - by @bytaesu in https://github.com/better-auth/better-auth/issues/8525 [<samp>(9fdd6)</samp>](https://github.com/better-auth/better-auth/commit/9fdd66251)
- **test-utils**:
  - Export adapter test suites from `@better-auth/test-utils/adapter` - by @bytaesu in https://github.com/better-auth/better-auth/issues/8564 [<samp>(6578b)</samp>](https://github.com/better-auth/better-auth/commit/6578bd89a)
- **two-factor**:
  - Add `twoFactorPage` in config - by @wuzgood98 in https://github.com/better-auth/better-auth/issues/5329 [<samp>(caa9f)</samp>](https://github.com/better-auth/better-auth/commit/caa9fe37c)

### 🐞 Bug Fixes

- Access control indexing type - by @YevheniiKotyrlo and @himself65 in https://github.com/better-auth/better-auth/issues/8155 [<samp>(47bba)</samp>](https://github.com/better-auth/better-auth/commit/47bba48f2)
- Prevent double encoded cookie - by @Oluwatobi-Mustapha and @himself65 in https://github.com/better-auth/better-auth/issues/8133 [<samp>(49921)</samp>](https://github.com/better-auth/better-auth/commit/49921100a)
- Move adapter packages to dependencies to fix missing module errors - by @himself65 in https://github.com/better-auth/better-auth/issues/8401 [<samp>(27c4c)</samp>](https://github.com/better-auth/better-auth/commit/27c4c3d0a)
- Pass `user` field through idToken sign-in body for Apple name support - by @bytaesu and **Copilot** in https://github.com/better-auth/better-auth/issues/8417 [<samp>(d8139)</samp>](https://github.com/better-auth/better-auth/commit/d8139e5c7)
- Preserve custom session fields on focus refresh - by @jslno in https://github.com/better-auth/better-auth/issues/8354 [<samp>(5e49c)</samp>](https://github.com/better-auth/better-auth/commit/5e49c2d16)
- Throw on duplicate email when `autoSignIn: false` without `requireEmailVerification` - by @himself65 in https://github.com/better-auth/better-auth/issues/8521 [<samp>(f72e2)</samp>](https://github.com/better-auth/better-auth/commit/f72e28d08)
- Add origin check middleware to password reset request - by @jslno in https://github.com/better-auth/better-auth/issues/8392 [<samp>(271af)</samp>](https://github.com/better-auth/better-auth/commit/271af9baf)
- Handle `skipOriginCheck` array - by @jslno in https://github.com/better-auth/better-auth/issues/8582 [<samp>(92895)</samp>](https://github.com/better-auth/better-auth/commit/92895b444)
- Resolve duplicate operationId in admin plugin endpoints - by @Sigmabrogz and **Sigmabrogz** in https://github.com/better-auth/better-auth/issues/8570 [<samp>(3f75e)</samp>](https://github.com/better-auth/better-auth/commit/3f75ee3ee)
- Misleading rate limit IP warning - by @GautamBytes in https://github.com/better-auth/better-auth/issues/8617 [<samp>(ae861)</samp>](https://github.com/better-auth/better-auth/commit/ae861cdff)
- Prevent revoked sessions from being restored via database fallback - by @bytaesu in https://github.com/better-auth/better-auth/issues/8708 [<samp>(767f1)</samp>](https://github.com/better-auth/better-auth/commit/767f129d1)
- Set stateless cookieCache maxAge to match session expiresIn - by @himself65 in https://github.com/better-auth/better-auth/issues/8648 [<samp>(c8617)</samp>](https://github.com/better-auth/better-auth/commit/c8617fd44)
- **account**:
  - Use accountId instead of id in accountInfo endpoint - by @NathanColosimo and @himself65 in https://github.com/better-auth/better-auth/issues/8346 [<samp>(f9b8a)</samp>](https://github.com/better-auth/better-auth/commit/f9b8a616a)
- **adapters**:
  - Restore deprecated createAdapter and type exports for backcompat - by @himself65 in https://github.com/better-auth/better-auth/issues/8461 [<samp>(096d9)</samp>](https://github.com/better-auth/better-auth/commit/096d9bdf7)
  - Use IS NULL / IS NOT NULL for null value comparisons - by @olliethedev in https://github.com/better-auth/better-auth/issues/8660 [<samp>(8682b)</samp>](https://github.com/better-auth/better-auth/commit/8682b7aeb)
- **api**:
  - Return Response for HTTP request contexts - by @gustavovalverde in https://github.com/better-auth/better-auth/issues/7521 [<samp>(8304f)</samp>](https://github.com/better-auth/better-auth/commit/8304f655a)
- **blog**:
  - Fix RSS feed link path, image path and blog date - by @0-Sandy in https://github.com/better-auth/better-auth/issues/8483 [<samp>(18e95)</samp>](https://github.com/better-auth/better-auth/commit/18e95f662)
- **cli**:
  - Resolve path aliases from extended tsconfig files - by @himself65 in https://github.com/better-auth/better-auth/issues/8520 [<samp>(b5e22)</samp>](https://github.com/better-auth/better-auth/commit/b5e2203f1)
  - Treat omitted `required` as `true` in Drizzle and Prisma generators - by @bytaesu in https://github.com/better-auth/better-auth/issues/8614 [<samp>(b0069)</samp>](https://github.com/better-auth/better-auth/commit/b00692d4e)
- **client**:
  - Preserve stale session data on network or server errors - by @bytaesu in https://github.com/better-auth/better-auth/issues/8437 [<samp>(b18b4)</samp>](https://github.com/better-auth/better-auth/commit/b18b4dba0)
  - Handle `throw:true` in session refresh - by @bytaesu in https://github.com/better-auth/better-auth/issues/8610 [<samp>(f0c1a)</samp>](https://github.com/better-auth/better-auth/commit/f0c1a6b50)
- **core**:
  - Prioritize generateId "uuid" over adapter customIdGenerator - by @bytaesu in https://github.com/better-auth/better-auth/issues/8679 [<samp>(05565)</samp>](https://github.com/better-auth/better-auth/commit/055657545)
- **db**:
  - Use `CREATE INDEX` for postgres migration - by @himself65 in https://github.com/better-auth/better-auth/issues/8538 [<samp>(a980b)</samp>](https://github.com/better-auth/better-auth/commit/a980b169a)
- **docs**:
  - Improve AI chat security and cleanup - by @himself65 in https://github.com/better-auth/better-auth/issues/8597 [<samp>(a1a97)</samp>](https://github.com/better-auth/better-auth/commit/a1a974530)
  - Add missing Encore icon to sidebar icons - by @himself65 in https://github.com/better-auth/better-auth/issues/8663 [<samp>(169c2)</samp>](https://github.com/better-auth/better-auth/commit/169c27ed9)
- **electron**:
  - Handle safeStorage encryption failures gracefully - by @jslno in https://github.com/better-auth/better-auth/issues/8530 [<samp>(b3330)</samp>](https://github.com/better-auth/better-auth/commit/b33305c33)
- **expo**:
  - Handle origin override across mutable and immutable requests - by @NathanColosimo, **Taesu** and @bytaesu in https://github.com/better-auth/better-auth/issues/8405 [<samp>(44ee8)</samp>](https://github.com/better-auth/better-auth/commit/44ee8b45a)
- **last-login-method**:
  - Normalize missing resolver path - by @mrgrauel in https://github.com/better-auth/better-auth/issues/8589 [<samp>(d198a)</samp>](https://github.com/better-auth/better-auth/commit/d198a8273)
- **oauth-provider**:
  - CustomIdTokenClaims should override standard claims - by @gustavovalverde in https://github.com/better-auth/better-auth/issues/7865 [<samp>(c5983)</samp>](https://github.com/better-auth/better-auth/commit/c59833549)
  - Avoid fetch redirect CORS after login - by @GautamBytes in https://github.com/better-auth/better-auth/issues/8519 [<samp>(f46a6)</samp>](https://github.com/better-auth/better-auth/commit/f46a65a25)
  - Support prompt=none - by @dvanmali in https://github.com/better-auth/better-auth/issues/8554 [<samp>(54216)</samp>](https://github.com/better-auth/better-auth/commit/542169b04)
  - Improve allowed paths for oauth_query for client plugin - by @dvanmali in https://github.com/better-auth/better-auth/issues/8320 [<samp>(40e76)</samp>](https://github.com/better-auth/better-auth/commit/40e767615)
  - Fix dist declaration type errors - by @gustavovalverde in https://github.com/better-auth/better-auth/issues/8701 [<samp>(c41fa)</samp>](https://github.com/better-auth/better-auth/commit/c41fa044d)
- **oidc-provider**:
  - Validate redirect_uri for prompt=none - by @jslno in https://github.com/better-auth/better-auth/issues/8398 [<samp>(9dff8)</samp>](https://github.com/better-auth/better-auth/commit/9dff8c543)
- **one-tap**:
  - Opt into FedCM to suppress Google GSI deprecation warnings - by @himself65 in https://github.com/better-auth/better-auth/issues/8720 [<samp>(c2cbb)</samp>](https://github.com/better-auth/better-auth/commit/c2cbb9d56)
- **organization**:
  - Handle multi-role users in invite and member removal checks - by @himself65 and **Copilot Autofix powered by AI** in https://github.com/better-auth/better-auth/issues/8442 [<samp>(6559c)</samp>](https://github.com/better-auth/better-auth/commit/6559c1e8f)
  - Filter null organizations in listUserInvitations - by @raihanbrillmark and **Raihan Sharif** in https://github.com/better-auth/better-auth/issues/8694 [<samp>(06e38)</samp>](https://github.com/better-auth/better-auth/commit/06e38a442)
- **prisma-adapter**:
  - Use deleteMany when deleting by non-unique field - by @himself65 in https://github.com/better-auth/better-auth/issues/8314 [<samp>(c9b9c)</samp>](https://github.com/better-auth/better-auth/commit/c9b9c91ec)
  - Fall back to updateMany for non-unique updates - by @himself65 in https://github.com/better-auth/better-auth/issues/8524 [<samp>(a5c12)</samp>](https://github.com/better-auth/better-auth/commit/a5c1286d3)
- **sso**:
  - Use internalAdapter for verification operations - by @himself65 in https://github.com/better-auth/better-auth/issues/8353 [<samp>(bd980)</samp>](https://github.com/better-auth/better-auth/commit/bd980f8c5)
  - Handle bare domains in domain verification - by @himself65 in https://github.com/better-auth/better-auth/issues/8369 [<samp>(71c3a)</samp>](https://github.com/better-auth/better-auth/commit/71c3a85d2)
  - Use namespace import for samlify to fix ESM compatibility - by @himself65 in https://github.com/better-auth/better-auth/issues/8697 [<samp>(a6763)</samp>](https://github.com/better-auth/better-auth/commit/a67630edb)
  - Skip state cookie check for SAML ACS cross-site POST - by @bytaesu in https://github.com/better-auth/better-auth/issues/8735 [<samp>(b647e)</samp>](https://github.com/better-auth/better-auth/commit/b647ef348)
- **stripe**:
  - Replace `{CHECKOUT_SESSION_ID}` placeholder in success callbackURL - by @bytaesu in https://github.com/better-auth/better-auth/issues/8568 [<samp>(db470)</samp>](https://github.com/better-auth/better-auth/commit/db470986c)
  - Improve organization customer search by adding customerType check - by @bytaesu in https://github.com/better-auth/better-auth/issues/8609 [<samp>(884e1)</samp>](https://github.com/better-auth/better-auth/commit/884e14a38)
- **telemetry**:
  - Use conditional exports to replace dynamic import hacks - by @himself65 in https://github.com/better-auth/better-auth/issues/8458 [<samp>(c8628)</samp>](https://github.com/better-auth/better-auth/commit/c86281d5b)
- **two-factor**:
  - Wire twoFactorTable option to schema modelName - by @himself65 in https://github.com/better-auth/better-auth/issues/8443 [<samp>(a92a7)</samp>](https://github.com/better-auth/better-auth/commit/a92a71ef8)

##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.1-beta.3...v1.5.1-beta.4)
</Release>

<Release version="v1.5.6" date="March 22, 2026" published="2026-03-22T14:51:16.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.5.6">
### &nbsp;&nbsp;&nbsp;🚀 Features

- Agent auth plugin &nbsp;-&nbsp; by @Bekacru in https://github.com/better-auth/better-auth/issues/8696 [<samp>(a0b53)</samp>](https://github.com/better-auth/better-auth/commit/a0b53212a)
- **core**: Add experimental opentelemetry instrumentation &nbsp;-&nbsp; by @jonathansamines and @bytaesu in https://github.com/better-auth/better-auth/issues/8027 [<samp>(1ed42)</samp>](https://github.com/better-auth/better-auth/commit/1ed42714f)
- **email-otp**: Add `resendStrategy` option to reuse existing OTP &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8560 [<samp>(98c8e)</samp>](https://github.com/better-auth/better-auth/commit/98c8e4e65)
- **magic-link**: Add request metadata to sendMagicLink &nbsp;-&nbsp; by @mrgrauel in https://github.com/better-auth/better-auth/issues/8571 [<samp>(cb240)</samp>](https://github.com/better-auth/better-auth/commit/cb240b600)
- **mongo-adapter**: Store UUIDs as native BSON UUID &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8681 [<samp>(d1bff)</samp>](https://github.com/better-auth/better-auth/commit/d1bfff1d6)
- **oauth-provider**: Public client prelogin endpoint &nbsp;-&nbsp; by @dvanmali in https://github.com/better-auth/better-auth/issues/8214 [<samp>(a0eb1)</samp>](https://github.com/better-auth/better-auth/commit/a0eb1631f)
- **organization**: Explicit `organizationId` in team endpoints &nbsp;-&nbsp; by @xiaoyu2er and @himself65 in https://github.com/better-auth/better-auth/issues/5062 [<samp>(8f470)</samp>](https://github.com/better-auth/better-auth/commit/8f47015af)
- **social-provider**: Add wechat social provider &nbsp;-&nbsp; by @Eric-Song-Nop, **Claude** and @himself65 in https://github.com/better-auth/better-auth/issues/5189 [<samp>(c4402)</samp>](https://github.com/better-auth/better-auth/commit/c440221d7)
- **stripe**: Allow customizable `prorationBehavior` per plan &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8525 [<samp>(98cea)</samp>](https://github.com/better-auth/better-auth/commit/98cea7e61)
- **test-utils**: Export adapter test suites from `@better-auth/test-utils/adapter` &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8564 [<samp>(6be0f)</samp>](https://github.com/better-auth/better-auth/commit/6be0f9599)
- **two-factor**: Add `twoFactorPage` in config &nbsp;-&nbsp; by @wuzgood98 in https://github.com/better-auth/better-auth/issues/5329 [<samp>(4f41b)</samp>](https://github.com/better-auth/better-auth/commit/4f41b62cf)

### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes

- Handle `skipOriginCheck` array &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8582 [<samp>(331c4)</samp>](https://github.com/better-auth/better-auth/commit/331c4c413)
- Prevent revoked sessions from being restored via database fallback &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8708 [<samp>(d4efa)</samp>](https://github.com/better-auth/better-auth/commit/d4efa8e32)
- **api**:
  - Return Response for HTTP request contexts &nbsp;-&nbsp; by @gustavovalverde in https://github.com/better-auth/better-auth/issues/7521 [<samp>(9e3e8)</samp>](https://github.com/better-auth/better-auth/commit/9e3e8e601)
- **client**:
  - Handle `throw:true` in session refresh &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8610 [<samp>(275ca)</samp>](https://github.com/better-auth/better-auth/commit/275ca46fe)
- **core**:
  - Prioritize generateId "uuid" over adapter customIdGenerator &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8679 [<samp>(fc0bc)</samp>](https://github.com/better-auth/better-auth/commit/fc0bc94a6)
- **docs**:
  - Improve AI chat security and cleanup &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8597 [<samp>(5c0c8)</samp>](https://github.com/better-auth/better-auth/commit/5c0c87ce7)
  - Add missing Encore icon to sidebar icons &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8663 [<samp>(cd5b8)</samp>](https://github.com/better-auth/better-auth/commit/cd5b81803)
- **electron**:
  - Handle safeStorage encryption failures gracefully &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8530 [<samp>(04766)</samp>](https://github.com/better-auth/better-auth/commit/047662025)
- **oauth-provider**:
  - Support prompt=none &nbsp;-&nbsp; by @dvanmali in https://github.com/better-auth/better-auth/issues/8554 [<samp>(812fd)</samp>](https://github.com/better-auth/better-auth/commit/812fd4d8e)
  - Improve allowed paths for oauth_query for client plugin &nbsp;-&nbsp; by @dvanmali in https://github.com/better-auth/better-auth/issues/8320 [<samp>(ccded)</samp>](https://github.com/better-auth/better-auth/commit/ccded8be3)
  - Fix dist declaration type errors &nbsp;-&nbsp; by @gustavovalverde in https://github.com/better-auth/better-auth/issues/8701 [<samp>(ec79f)</samp>](https://github.com/better-auth/better-auth/commit/ec79fa275)
- **organization**:
  - Filter null organizations in listUserInvitations &nbsp;-&nbsp; by @raihanbrillmark and **Raihan Sharif** in https://github.com/better-auth/better-auth/issues/8694 [<samp>(a62cb)</samp>](https://github.com/better-auth/better-auth/commit/a62cb044f)
- **sso**:
  - Use namespace import for samlify to fix ESM compatibility &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8697 [<samp>(71f70)</samp>](https://github.com/better-auth/better-auth/commit/71f708345)
- **stripe**:
  - Replace `{CHECKOUT_SESSION_ID}` placeholder in success callbackURL &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8568 [<samp>(32704)</samp>](https://github.com/better-auth/better-auth/commit/3270499c0)
  - Improve organization customer search by adding customerType check &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8609 [<samp>(74ec7)</samp>](https://github.com/better-auth/better-auth/commit/74ec71cae)

##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.5...v1.5.6)
</Release>

<Release version="v1.4.22" date="March 16, 2026" published="2026-03-16T20:23:38.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.4.22">
### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes

- **cli**: Warn when old @better-auth/cli is used with better-auth v1.5.x+ &nbsp;-&nbsp; by @himself65 [<samp>(73ca9)</samp>](https://github.com/better-auth/better-auth/commit/73ca92ee8)

##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.4.21...v1.4.22)
</Release>

<Release version="v1.5.5" date="March 11, 2026" published="2026-03-11T17:31:07.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.5.5">
### &nbsp;&nbsp;&nbsp;🚀 Features

- **oauth-provider**: Pairwise subject identifiers (OIDC Core §8) &nbsp;-&nbsp; by @gustavovalverde and @himself65 in https://github.com/better-auth/better-auth/issues/8292 [<samp>(6c09f)</samp>](https://github.com/better-auth/better-auth/commit/6c09f1773)

### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes

- Pass `user` field through idToken sign-in body for Apple name support &nbsp;-&nbsp; by @bytaesu and **Copilot** in https://github.com/better-auth/better-auth/issues/8417 [<samp>(d364e)</samp>](https://github.com/better-auth/better-auth/commit/d364eff68)
- Add missing SubpageItem properties for docs-sidebar compatibility &nbsp;-&nbsp; by @bytaesu [<samp>(6bcd7)</samp>](https://github.com/better-auth/better-auth/commit/6bcd7c64d)
- Add icon prop to SubpageLink component &nbsp;-&nbsp; by @bytaesu [<samp>(95538)</samp>](https://github.com/better-auth/better-auth/commit/955381c00)
- Correct sign-in link to dash.better-auth.com &nbsp;-&nbsp; by @bytaesu [<samp>(058bb)</samp>](https://github.com/better-auth/better-auth/commit/058bb8aaa)
- Restore features.tsx and align import with canary &nbsp;-&nbsp; by @bytaesu [<samp>(e5ebb)</samp>](https://github.com/better-auth/better-auth/commit/e5ebb669b)
- Add suppressHydrationWarning to video elements &nbsp;-&nbsp; by @bytaesu [<samp>(8e0e5)</samp>](https://github.com/better-auth/better-auth/commit/8e0e53ed9)
- Preserve custom session fields on focus refresh &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8354 [<samp>(2bd99)</samp>](https://github.com/better-auth/better-auth/commit/2bd994bab)
- Throw on duplicate email when `autoSignIn: false` without `requireEmailVerification` &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8521 [<samp>(e3e66)</samp>](https://github.com/better-auth/better-auth/commit/e3e6664d7)
- Add origin check middleware to password reset request &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8392 [<samp>(497b1)</samp>](https://github.com/better-auth/better-auth/commit/497b1db8d)
- **adapters**: Restore deprecated createAdapter and type exports for backcompat &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8461 [<samp>(eb848)</samp>](https://github.com/better-auth/better-auth/commit/eb848c4d7)
- **blog**: Fix RSS feed link path, image path and blog date &nbsp;-&nbsp; by @0-Sandy in https://github.com/better-auth/better-auth/issues/8483 [<samp>(67c6d)</samp>](https://github.com/better-auth/better-auth/commit/67c6dc2d3)
- **cli**: Resolve path aliases from extended tsconfig files &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8520 [<samp>(11ef0)</samp>](https://github.com/better-auth/better-auth/commit/11ef01a56)
- **client**: Preserve stale session data on network or server errors &nbsp;-&nbsp; by @bytaesu in https://github.com/better-auth/better-auth/issues/8437 [<samp>(9a229)</samp>](https://github.com/better-auth/better-auth/commit/9a229ce13)
- **db**: Use `CREATE INDEX` for postgres migration &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8538 [<samp>(b9e54)</samp>](https://github.com/better-auth/better-auth/commit/b9e54c9af)
- **oauth-provider**: Avoid fetch redirect CORS after login &nbsp;-&nbsp; by @GautamBytes in https://github.com/better-auth/better-auth/issues/8519 [<samp>(c0366)</samp>](https://github.com/better-auth/better-auth/commit/c03666a5d)
- **oidc-provider**: Validate redirect_uri for prompt=none &nbsp;-&nbsp; by @jslno in https://github.com/better-auth/better-auth/issues/8398 [<samp>(ff352)</samp>](https://github.com/better-auth/better-auth/commit/ff352c629)
- **organization**: Handle multi-role users in invite and member removal checks &nbsp;-&nbsp; by @himself65 and **Copilot Autofix powered by AI** in https://github.com/better-auth/better-auth/issues/8442 [<samp>(23f18)</samp>](https://github.com/better-auth/better-auth/commit/23f18f256)
- **prisma-adapter**: Fall back to updateMany for non-unique updates &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8524 [<samp>(3f16e)</samp>](https://github.com/better-auth/better-auth/commit/3f16e9f86)
- **sso**: Handle bare domains in domain verification &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8369 [<samp>(fb7a0)</samp>](https://github.com/better-auth/better-auth/commit/fb7a0b745)
- **telemetry**: Use conditional exports to replace dynamic import hacks &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8458 [<samp>(3ecd2)</samp>](https://github.com/better-auth/better-auth/commit/3ecd22d87)
- **two-factor**: Wire twoFactorTable option to schema modelName &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8443 [<samp>(f4604)</samp>](https://github.com/better-auth/better-auth/commit/f46045ecd)

##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.4...v1.5.5)
</Release>

<Release version="v1.5.4" date="March 6, 2026" published="2026-03-06T02:30:48.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.5.4">
### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes

- Move adapter packages to dependencies to fix missing module errors &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8401 [<samp>(56857)</samp>](https://github.com/better-auth/better-auth/commit/56857d66b)
- **expo**: Handle origin override across mutable and immutable requests &nbsp;-&nbsp; by @NathanColosimo, **Taesu** and @bytaesu in https://github.com/better-auth/better-auth/issues/8405 [<samp>(b7a31)</samp>](https://github.com/better-auth/better-auth/commit/b7a3129d5)

##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.3...v1.5.4)
</Release>

<Release version="v1.5.3" date="March 4, 2026" published="2026-03-04T07:50:19.000Z" url="https://github.com/better-auth/better-auth/releases/tag/v1.5.3">
### &nbsp;&nbsp;&nbsp;🐞 Bug Fixes

- **account**: Use accountId instead of id in accountInfo endpoint &nbsp;-&nbsp; by @NathanColosimo and @himself65 in https://github.com/better-auth/better-auth/issues/8346 [<samp>(efcc2)</samp>](https://github.com/better-auth/better-auth/commit/efcc2384b)
- **sso**: Use internalAdapter for verification operations &nbsp;-&nbsp; by @himself65 in https://github.com/better-auth/better-auth/issues/8353 [<samp>(e3bc6)</samp>](https://github.com/better-auth/better-auth/commit/e3bc6a2e5)

##### &nbsp;&nbsp;&nbsp;&nbsp;[View changes on GitHub](https://github.com/better-auth/better-auth/compare/v1.5.2...v1.5.3)
</Release>

<Pagination page="1" total-pages="5" total-items="100" next="https://releases.sh/better-auth/better-auth.md?page=2" />
