releases.shpreview
Better Auth/better-auth/v1.6.10

v1.6.10

May 9, 2026better-authView original ↗
$npx @buildinternet/releases get rel_Hlx5hd29luqecRGWb-FfH

better-auth

Bug Fixes

  • Exposed refreshUserSessions on the internal adapter (#7764)
  • Fixed organization invitation roles to accept dynamic access control roles (#9437)
  • Improved link accessibility (#9521)
  • Fixed incorrect email casing in one-tap, email-otp, and email-verification flows (#9369)
  • Fixed OpenAPI schema for POST /sign-in/social mis-declaring required fields (#9268)
  • Added a warning when the cookie plugin is placed last in the plugins array (#9484)
  • Fixed useSession not revalidating after admin impersonation starts or stops (#9402)
  • Fixed duplicate Set-Cookie headers being emitted on redirect responses from social sign-in and magic-link endpoints (#9497)
  • Fixed the bearer plugin writing duplicate cookie entries when merging the session token into request headers (#9387)
  • Fixed captcha plugin breaking the email-otp flow (#8339)
  • Fixed email enumeration protection not applying when emailAndPassword.autoSignIn is false (#8839)
  • Fixed a TypeError caused by non-ASCII characters in OAuth error descriptions on redirect (#9065)
  • Renamed internalAdapter.deleteAccount parameter from accountId to id to reflect that it queries by primary key (#9503)
  • Fixed OAuth callbacks accepting a missing provider account ID, which could link accounts under an undefined id (#9456)
  • Fixed cancelPendingInvitationsOnReInvite having no effect, where re-inviting the same email always returned USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION (#9453)
  • Fixed a TS2742 type error caused by missing re-exports when using additionalFields in the organization plugin (#9349)
  • Fixed useActiveMemberRole retaining a previous user's role after sign-out in SPA flows (#9440)
  • Fixed setActiveTeam to only accept teams from the currently active organization (#9239)
  • Added authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint (#9461)
  • Fixed callbackURL being ignored on signIn.username, so it now redirects correctly like signIn.email (#9475)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed sessionId typing in refresh token types to be optional, matching the schema (#9324)
  • Fixed stale prompt=login consent continuations not completing after a forced login
  • Exported OAuth provider helper types needed for portable downstream TypeScript declaration emit (#9406)
  • Fixed prompt=login not being honored after consent continuation, preventing session bypass (#9344)
  • Added database indexes to OAuth provider foreign-key fields in generated schemas (#9389)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed onSubscriptionUpdate to receive the raw stripeSubscription object, and fixed onSubscriptionCancel to receive the post-update subscription row instead of a stale snapshot (#9354)
  • Fixed getCheckoutSessionParams overriding internally managed Stripe Checkout Session fields such as success_url, cancel_url, customer, and line_items (#9481)
  • Fixed onSubscriptionDeleted, onTrialEnd, and onTrialExpired receiving a stale pre-update subscription snapshot instead of the post-update row (#9356)
  • Fixed getCheckoutSessionParams overriding free trial and internal metadata, which could hide trial periods and create duplicate subscription rows on webhook (#9474)
  • Renamed internal subscription webhook variables for clarity (#9355)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Fixed api.verifyApiKey not validating the key's configId against the request body (#9393)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

  • Fixed Cloudflare Workers instrumentation imports to use a no-op entry when OpenTelemetry is not installed (#9395)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed passkey autofill authentication to return a handled cancellation instead of an unhandled error when it cannot start (#9429)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed /sso/saml2/sp/metadata throwing NOT_FOUND for providers configured via defaultSSO (#9398)

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Fixed auth init generating broken MySQL and PostgreSQL Kysely database configs (#9455)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @Craga89, @cyphercodes, @dipan-ck, @dvanmali, @GautamBytes, @gustavovalverde, @IcanDivideBy0, @jaydeep-pipaliya, @mausic, @onmax, @ping-maxwell, @programming-with-ia, @zllovesuki

Full changelog: v1.6.9...v1.6.10

Fetched May 9, 2026