releases.shpreview
Home/Collections/Auth & Identity/Week of June 8, 2026

Better Auth hardens concurrent flows while Clerk standardises metadata APIs

June 8–14, 2026

Better Auth shipped fixes for dozens of race conditions and replay vulnerabilities across authentication flows, while Clerk deprecated unsafeMetadata in favour of dedicated updateMetadata methods and added new metadata replacement APIs to its backend SDK.

Concurrency fixes and experimental features in Better Auth

Better Auth had the most consequential week of any product in this collection. Version 1.6.18 fixes a set of race conditions that could allow duplicate account deletions, multiple redemptions of one-time tokens and password reset tokens, and duplicate sign-ins across providers — all under concurrent request loads. The same release improves rate-limiting logic, JWT validation, and SCIM security. On the heels of that came v1.7.0-beta.5, a breaking beta that consolidates id_token verification for social providers into a single shared verifier — custom providers using the old verifyIdToken method on UpstreamProvider must migrate to an idToken config object. The beta also enforces the max_age parameter (forcing re-authentication when sessions exceed a requested age) and adds client assertion support for Microsoft Entra ID, a per-provider requireEmailVerification option, and id_token verification for generic OAuth providers. Separately, v1.6.17 introduced an experimental oauthPopup plugin that enables OAuth sign-in inside cross-site iframes by completing the flow in a popup window.

Clerk standardises metadata operations

Clerk shipped a significant API standardisation across its stack. The backend SDK now exposes replaceOrganizationMetadata and replaceUserMetadata for full replacement of metadata fields, complementing the existing updateOrganizationMetadata and updateUserMetadata which perform partial deep-merge updates. The older metadata parameters on updateOrganization() and updateUser() are deprecated. This pattern is consistent with the parallel deprecation of unsafeMetadata in user.update() across the core JS SDK, shared package, and iOS SDK — developers should now use user.updateMetadata() for partial updates. The Express SDK also received a critical auth-bypass fix where a req.auth value set by another library such as express-jwt or Passport could cause Clerk middleware to silently skip authentication; Clerk now brands its own handler and overwrites any foreign value.

Auth0 adds refresh token management and API search

Auth0 entered Early Access with new granular refresh token management endpoints: a GET endpoint to retrieve tokens by user ID (optionally scoped to a client ID) and a POST endpoint for bulk revocation by up to 100 IDs, user ID, or user ID plus client and audience. Closer to the surface, the Auth0 Dashboard now lets administrators search APIs in real time by ID, identifier, or name — a welcome alternative to paginating through long lists.

SAML improvements and billing changes

Clerk now supports multi-value mapping for SAML custom attributes: when an identity provider sends an attribute with multiple values (common for groups or roles in Okta and Microsoft Entra ID), every value is written to publicMetadata as an array instead of dropping all but the first. This is off by default and doesn't affect existing mappings. Separately, Clerk's JS SDK v6.16.0 and testing package added support for per-seat Clerk Billing plans, including an invite-to-checkout flow and new parameters for plan queries and checkout creation.

Releases covered