Better Auth
npx @buildinternet/releases get better-authRecently shipped v1.7.0-rc.0 and rc.1, moving OAuth provider and MCP support into separate packages.
OAuth provider extracted as its own package — @better-auth/oauth-provider ships as a standalone OAuth 2.0 / OIDC provider, and custom customIdTokenClaims can no longer override protected protocol claims (iss, sub, aud, exp, etc.). Breaking change: Remove any protected claim keys from ID token claim configuration.
MCP support becomes @better-auth/mcp — the MCP server is now distributed as its own package, with renamed route helpers (requireMcpAuth replaces withMcpAuth) and a new jwt() plugin requirement. The database schema changed: oauthApplication is now oauthClient, with new oauthRefreshToken and oauthClientAssertion tables. Run npx auth migrate or npx auth generate to update.
OAuth and security hardening across the stable line — v1.6.21 through v1.6.23 closed several gaps:
- Rate limits are now enforced before plugin request handlers run
- Admin permission changes and bans take effect immediately, even with session cookie caching enabled
- Google hosted-domain validation now applies consistently across all sign-in flows, including One Tap
- OAuth proxy rejects profile callbacks that don't match an issued state, preventing session creation with stale state
- OAuth sign-up and account linking ignore provider profile values for fields marked
input: false - Google
hdenforcement was fixed to reject accounts outside the configured Workspace domain
Stripe and SCIM plugin fixes — organization subscription actions (cancel, upgrade, restore, billing portal) no longer act on the wrong organization. SCIM write-path operations are now properly scoped and correctly honor the active attribute.
Yandex added as an OAuth social provider, available with v1.6.23 and v1.7.0-rc.1.