v1.7.0-beta.2

better-auth

Features

• Added userId and organizationId parameters to the listUserTeams API for scoped team lookups without switching the active organization (#8977)
• Added support for passing an array of client IDs as the ID token audience in social providers (#9292)

Bug Fixes

• Fixed forceAllowId UUIDs being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid" (#9068)
• Fixed response headers being lost when an APIError is thrown (#9211)
• Fixed $sessionSignal not being triggered for session-rotating endpoints (#9087)
• Fixed the partitioned cookie attribute being dropped on set-cookie round-trips (#9235)
• Fixed the ./instrumentation module to export a no-op in browser and edge environments (#9281)
• Fixed disableRefresh query parameter validation in custom sessions to correctly coerce string values to booleans (#9214)
• Fixed a crash when the request body is undefined during OAuth2 state parsing (#9293)
• Fixed team additional fields not being inferred correctly in the organization plugin (#9266)
• Fixed updateUser to allow removing a phone number (#9219)
• Fixed callbackOnVerification not being called when updatePhoneNumber is enabled (#4894)
• Reverted two-factor enforcement to credential sign-in flows only, removing the unintended challenge on magic link, OAuth, passkey, and other non-credential sign-in methods (#9205)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

❗ Breaking Changes

• Updated all OAuth 2.0 endpoints to return RFC-compliant { error, error_description } error envelopes for validation failures (#9277)

Migration: All six OAuth endpoints (/oauth2/token, /oauth2/authorize, /oauth2/revoke, /oauth2/introspect, /oauth2/register, /oauth2/end-session) now emit structured { error, error_description } responses per RFC 6749 §5.2. Update any client code that previously parsed the raw validation error format from these endpoints.

Bug Fixes

• Fixed host classification inconsistencies across packages that could allow SSRF attacks (#9226)
• Fixed the userinfo endpoint to correctly read the Authorization header when called via auth.api (#9244)

For detailed changes, see CHANGELOG

@better-auth/api-key

Features

• Added mapConcurrent utility for bounded-concurrency iteration (#9227)

Bug Fixes

• Fixed secondary-storage API key operations to run in parallel, improving performance (#9187)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

• Required patched drizzle-orm ^0.45.2 and kysely ^0.28.14 peer versions to track vulnerability fixes (#9165)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

• Fixed cached session data not being read from SecureStore on app startup (#8953)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

• Fixed passkey authentication verification not returning the authenticated user (#5209)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @GautamBytes, @gustavovalverde, @Kinfe123, @ouwargui, @ping-maxwell, @ramonclaudio, @ruban-s, @stewartjarod, @TanishValesha, @terijaki

Full changelog: v1.7.0-beta.1...v1.7.0-beta.2