v1.6.3

`better-auth`

Fixed incorrect operationId for the requestPasswordResetCallback endpoint in the OpenAPI spec (#9072)
Fixed dynamic baseURL resolution from request headers for direct auth.api calls (#9113)
Fixed isMounted race condition that caused excessive requests per second in the client (#9078)
Fixed nullable schema for the get-session endpoint in the OpenAPI 3.1 spec (#8389)
Fixed checkout and upgrade flows to omit quantity for metered prices (#8926)
Fixed 2FA enforcement to trigger on all sign-in paths, including magic-link, OAuth, passkey, email-OTP, and SIWE (#9122)
Fixed backup code updates to respect the configured storeBackupCodes storage strategy after verification (#7231)

For detailed changes, see CHANGELOG

Added customTokenResponseFields callback for injecting custom fields into token endpoint responses, and hardened authorization code validation (#9118)

Hardened dynamic baseURL resolution for direct auth.api calls and plugin metadata helpers (#9131)
Fixed unauthenticated dynamic client registration to silently override confidential auth methods to public, improving compatibility with MCP clients (#9123)

For detailed changes, see CHANGELOG

Fixed multiple SAML response processing bugs, including ACS URL generation, encryption field handling, and provider config parsing (#9097)

For detailed changes, see CHANGELOG

Fixed prototype pollution vulnerability when merging user-supplied metadata in the Stripe plugin (#9164)

For detailed changes, see CHANGELOG

Fixed tsconfig path alias resolution for extended configs and mid-path wildcards in the CLI (#9032)

For detailed changes, see CHANGELOG

Thanks to everyone who contributed to this release:

@bytaesu, @Byte-Biscuit, @gustavovalverde, @Oluwatobi-Mustapha, @ping-maxwell, @ramonclaudio

Full changelog: v1.6.2...v1.6.3