chore(deps): update dependency @better-auth/passkey to v1.5.1

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@better-auth/passkey (source)	1.4.13 → 1.5.1

---

Release Notes

better-auth/better-auth (@​better-auth/passkey)

v1.5.1

Compare Source

   🐞 Bug Fixes

• client: Use direct imports to fix bundler re-export type resolution  -  by @​himself65 in #​8261 (63bb7)
• core: Revive date strings in safeJSONParse for pre-parsed objects  -  by @​himself65 in #​8248 (56db7)
• db: Support verification operations with secondary storage  -  by @​himself65 in #​8247 (8a047)
• expo: Avoid shim require  -  by @​himself65 in #​8253 (977bf)
• generic-oauth: Use discovery userinfo endpoint instead of hardcoded URLs  -  by @​himself65 in #​8223 (58940)

    View changes on GitHub

v1.5.0

Compare Source

Better Auth 1.5 Release

We’re excited to announce the release of Better Auth 1.5! 🎉

This is our biggest release yet, with over 600 commits, 70 new features, 200 bug fixes, and 7 entirely new packages. From MCP authentication to Electron desktop support, this release brings Better Auth to new platforms and use cases.

We’re also announcing our new Infrastructure product. It lets you use a full user management and analytics dashboard, security and protection tooling, audit logs, a self-service SSO UI, and more, all with your own Better Auth instance.

Starting with this release, the self-service SSO dashboard — which lets your enterprise customers onboard their own SAML providers without support tickets — is powered by Better Auth Infrastructure. If you’re using the SSO plugin in production, we recommend upgrading to the Pro or Business tier to get access to the dashboard and streamline your enterprise onboarding.

And soon, you’ll be able to host your Better Auth instance on our infrastructure as well, so you can own your auth at scale without worrying about infrastructure needs.

Sign up now: https://better-auth.com/sign-in 🚀

To upgrade, run:

npx auth upgrade

---

🚀 Highlights

New Better Auth CLI

We’re introducing a new standalone CLI: npx auth. This replaces the previous @better-auth/cli package, which will be deprecated in a future release.

npx auth init

With a single interactive command, npx auth init scaffolds a complete Better Auth setup — configuration file, database adapter, and framework integration.

All existing commands like migrate and generate are available through the new CLI as well:

npx auth migrate   # Run database migrations
npx auth generate  # Generate auth schema
npx auth upgrade   # Upgrade Better Auth to the latest version

The generate command now also supports a --adapter flag, letting you generate schema output tailored to your specific database adapter without needing a full Better Auth config file:

npx auth generate --adapter prisma
npx auth generate --adapter drizzle

Remote MCP Auth Client

The MCP plugin now ships a framework-agnostic remote auth client. If your MCP server is separate from your Better Auth instance, you can verify tokens and protect resources without duplicating auth logic.

👉 Read more about MCP authentication

import { createMcpAuthClient } from "better-auth/plugins/mcp/client";

const mcpAuth = createMcpAuthClient({
    authURL: "<https://my-app.com/api/auth>",
});

// Use as a handler wrapper
const handler = mcpAuth.handler(async (req, session) => {
    // session contains userId, scopes, accessToken, clientId, etc.
    return new Response("OK");
});

// Or verify tokens directly
const session = await mcpAuth.verifyToken(token);

It also comes with built-in framework adapters for Hono and Express-like servers:

import { mcpAuthHono } from "better-auth/plugins/mcp/client/adapters";

const middleware = mcpAuthHono(mcpAuth);

---

OAuth 2.1 Provider

The new @better-auth/oauth-provider plugin turns your Better Auth instance into a full OAuth 2.1 authorization server with OIDC compatibility. Issue access tokens, manage client registrations, and let third-party apps authenticate against your API — including MCP agents.

👉 Read more about the OAuth Provider

import { betterAuth } from "better-auth";
import { jwt } from "better-auth/plugins";
import { oauthProvider } from "@​better-auth/oauth-provider";

export const auth = betterAuth({
    plugins: [
        jwt(),
        oauthProvider({
            loginPage: "/sign-in",
            consentPage: "/consent",
        }),
    ],
});

Key features:

• OAuth 2.1 with OIDC: Supports authorization_code, refresh_token, and client_credentials grants with openid scope support.
• MCP-ready: Works out of the box as an authorization server for MCP tools and agents.
• Dynamic Client Registration: Allow clients to register dynamically, with support for both public and confidential clients.
• JWT & JWKS verification: Sign access tokens as JWTs and verify them remotely via the /jwks endpoint.
• Consent & authorization flows: Built-in consent, account selection, and post-login redirect screens.
• Token introspection & revocation: RFC 7662 and RFC 7009 compliant endpoints.
• Per-endpoint rate limiting: Configurable rate limits for each OAuth endpoint.

Note:

The OAuth 2.1 Provider replaces the previous OIDC Provider plugin, which will be deprecated in a future release. The MCP plugin will also transition to use the OAuth 2.1 Provider as its foundation. See the migration guide for upgrading from the OIDC Provider plugin.

---

Electron Integration

Full desktop authentication support for Electron apps. The plugin handles the complete OAuth flow — opening the system browser, exchanging authorization codes via custom protocol, and managing cookies securely.

👉 Read more about Electron integration

import { betterAuth } from "better-auth";
import { electron } from "@​better-auth/electron";

export const auth = betterAuth({
    plugins: [electron()],
});

import { createAuthClient } from "better-auth/client";
import { electronClient } from "@​better-auth/electron/client";

const client = createAuthClient({
    plugins: [
        electronClient({
            protocol: "com.example.myapp",
        }),
    ],
});

// Opens system browser, handles callback, returns session
await client.requestAuth();

---

Internationalization (i18n)

The new i18n plugin provides type-safe error message translations with automatic locale detection from headers, cookies, or sessions.

👉 Read more about i18n

import { betterAuth } from "better-auth";
import { i18n } from "@​better-auth/i18n";

export const auth = betterAuth({
    plugins: [
        i18n({
            defaultLocale: "en",
            detection: ["header", "cookie"],
            translations: {
                en: { USER_NOT_FOUND: "User not found" },
                fr: { USER_NOT_FOUND: "Utilisateur non trouvé" },
                es: { USER_NOT_FOUND: "Usuario no encontrado" },
            },
        }),
    ],
});

Error codes are fully typed — your IDE will autocomplete all available error codes from every registered plugin.

---

Typed Error Codes

Every error response now includes a machine-readable code field. All first-party plugins define their own typed error codes using defineErrorCodes, and the APIError class supports them natively.

import { defineErrorCodes } from "@​better-auth/core";

export const MY_ERROR_CODES = defineErrorCodes({
    USER_NOT_FOUND: "User not found",
    INVALID_TOKEN: "The provided token is invalid",
});

// In route handlers:
throw APIError.from("BAD_REQUEST", MY_ERROR_CODES.USER_NOT_FOUND);

Error responses now look like:

{
    "code": "USER_NOT_FOUND",
    "message": "User not found"
}

This is the foundation that the i18n plugin builds on — every error code from every plugin is discoverable at compile time, so translation dictionaries are fully type-checked.

---

SSO — Production Ready

The SSO plugin has received extensive hardening to be production-ready, with 23+ commits improving security and compliance.

Self-Service SSO Dashboard

As part of our new Infrastructure product, the SSO plugin is now accompanied by a self-service dashboard for onboarding enterprise customers. Organization admins can generate a shareable link that walks enterprise customers through configuring their SAML identity provider — no back-and-forth support tickets required.

The dashboard is available at:

https://better-auth.com/dashboard/[project]/organization/[orgId]/enterprise

From there, you can generate onboarding links, monitor SSO connection status, and manage provider configurations for each organization.

SAML Single Logout (SLO)

Full support for both SP-initiated and IdP-initiated SAML Single Logout:

import { betterAuth } from "better-auth";
import { sso } from "@​better-auth/sso";

export const auth = betterAuth({
    plugins: [
        sso({
            saml: {
                enableSingleLogout: true, // [!code highlight]
                wantLogoutRequestSigned: true,
                wantLogoutResponseSigned: true,
            },
        }),
    ],
});

Additional SSO Improvements

• Signed SAML AuthnRequests: Configurable signature and digest algorithms.
• Multi-domain providers: Bind SSO providers to multiple domains.
• InResponseTo validation: Prevent replay attacks on SAML assertions.
• Algorithm restrictions: Block deprecated signature/digest algorithms.
• Clock skew tolerance: Configurable tolerance for SAML timestamp validation.
• OIDC ID token aud claim validation: Verify audience in OpenID Connect flows.
• Provider CRUD endpoints: List, get, update, and delete SSO providers via API.
• Shared OIDC redirect URI: Single redirect URI for all OIDC providers.

---

Unified Before & After Hooks

Plugin hooks and global hooks now share the same AuthMiddleware type, making the hooks system consistent and composable across the entire auth pipeline.

import { betterAuth } from "better-auth";
import { createAuthMiddleware } from "better-auth/api";

export const auth = betterAuth({
    hooks: {
        before: createAuthMiddleware(async (ctx) => {
            // Runs before every endpoint
            console.log("Request to:", ctx.path);
        }),
        after: createAuthMiddleware(async (ctx) => {
            // Runs after every endpoint, with access to the response
            console.log("Response:", ctx.context.returned);
        }),
    },
});

Plugins use the same middleware type with matchers for targeted interception:

hooks: {
    before: [{
        matcher: (ctx) => ctx.path === "/sign-in/email",
        handler: createAuthMiddleware(async (ctx) => { /* ... */ }),
    }],
},

---

Dynamic Base URL

Better Auth can now resolve the base URL dynamically from incoming requests, making it work seamlessly with Vercel preview deployments, multi-domain setups, and reverse proxies.

👉 Read more about dynamic base URL

import { betterAuth } from "better-auth";

export const auth = betterAuth({
    baseURL: {
        allowedHosts: [
            "myapp.com",
            "*.vercel.app",       // Any Vercel preview
            "preview-*.myapp.com", // Pattern match
        ],
        fallback: "<https://myapp.com>",
        protocol: "auto",
    },
});

---

Verification on Secondary Storage

Verification tokens can now be stored in secondary storage (e.g., Redis) instead of — or in addition to — the database. Identifiers can be hashed for extra security.

import { betterAuth } from "better-auth";

export const auth = betterAuth({
    secondaryStorage: {
        // ... your Redis config
    },
    verification: {
        storeIdentifier: "hashed",     // Hash verification identifiers // [!code highlight]
        storeInDatabase: false,        // Only use secondary storage // [!code highlight]
    },
});

You can also configure per-identifier overrides:

verification: {
    storeIdentifier: {
        default: "plain",
        overrides: {
            "email-verification": "hashed",
            "password-reset": "hashed",
        },
    },
},

---

Rate Limiter Improvements

The rate limiter has been improved with separate request/response handling, hardened defaults, and IPv6 support.

• Separate request and response phases: Rejected requests are no longer counted against the rate limit.
• Hardened default rules: Sign-in/sign-up limited to 3 requests per 10 seconds; password reset/OTP limited to 3 requests per 60 seconds.
• IPv6 subnet support: Rate limiting by IPv6 prefix with configurable subnet size.
• Plugin-level rate limit rules: Plugins can define their own rate limit rules.
• Expired entry cleanup: Automatic cleanup for the memory storage backend.

import { betterAuth } from "better-auth";

export const auth = betterAuth({
    advanced: {
        ipAddress: {
            ipv6Subnet: 64, // Rate limit by /64 subnet
        },
    },
});

---

Non-Destructive Secret Key Rotation

Better Auth now supports rotating BETTER_AUTH_SECRET without invalidating existing sessions, tokens, or encrypted data. When you need to rotate your secret — whether for scheduled rotation or incident response — you can introduce a new key while keeping old keys available for decryption.

import { betterAuth } from "better-auth";

export const auth = betterAuth({
    secrets: [
        { version: 2, value: "new-secret-key-at-least-32-chars" },   // current (first = active)
        { version: 1, value: "old-secret-key-still-used-to-decrypt" }, // previous
    ],
});

Or via environment variable:

BETTER_AUTH_SECRETS="2:new-secret-key,1:old-secret-key"

New data is always encrypted with the latest key (first in the array), while decryption automatically tries all configured keys. This lets you roll secrets gradually without downtime or data loss.

---

Seat-Based Billing (Stripe)

The Stripe plugin now supports per-seat billing for organizations. Member changes automatically sync seat quantity with Stripe.

import { betterAuth } from "better-auth";
import { stripe } from "@​better-auth/stripe";
import { organization } from "better-auth/plugins";

export const auth = betterAuth({
    plugins: [
        organization(),
        stripe({
            stripeClient,
            stripeWebhookSecret: "whsec_...",
            subscription: {
                enabled: true,
                plans: [
                    {
                        name: "team",
                        priceId: "price_base_monthly",
                        seatPriceId: "price_per_seat", // [!code highlight]
                    },
                ],
            },
            organization: { enabled: true }, // [!code highlight]
        }),
    ],
});

The plugin also adds support for usage-based billing via lineItems, subscription schedules with scheduleAtPeriodEnd, and billingInterval tracking.

---

Test Utilities Plugin

A new testUtils plugin provides factories, database helpers, and auth utilities for integration and E2E testing.

👉 Read more about test utilities

import { betterAuth } from "better-auth";
import { testUtils } from "better-auth/plugins";

export const auth = betterAuth({
    plugins: [testUtils({ captureOTP: true })],
});

const ctx = await auth.$context;
const test = ctx.test;

// Create and save a test user
const user = test.createUser({ email: "test@example.com" });
const savedUser = await test.saveUser(user);

// Login and get auth headers
const { headers, session, token } = await test.login({ userId: user.id });

// Capture OTPs for verification tests
const otp = test.getOTP("test@example.com");

---

Update Session Endpoint

A new /update-session endpoint allows updating custom additional session fields on the fly.

// Client-side
await authClient.updateSession({
    theme: "dark",
    language: "en",
});

This is useful when you have additional session fields that need to change without re-authentication.

---

Adapter Extraction

Database adapters have been extracted into their own packages. This is a major architectural change that reduces bundle size and allows adapters to be versioned independently.

Package	Description
@better-auth/drizzle-adapter	Drizzle ORM adapter
@better-auth/prisma-adapter	Prisma adapter
@better-auth/kysely-adapter	Kysely adapter
@better-auth/mongo-adapter	MongoDB adapter
@better-auth/memory-adapter	In-memory adapter

The main better-auth package re-exports all adapters, so existing imports continue to work. But you can now install only the adapter you need for smaller bundles:

import { drizzleAdapter } from "@​better-auth/drizzle-adapter";
import { betterAuth } from "better-auth/minimal";

export const auth = betterAuth({
    database: drizzleAdapter(db, { provider: "pg" }),
});

---

Cloudflare D1 Support

Better Auth now natively supports Cloudflare D1 as a first-class database option. Pass your D1 binding directly — no custom adapter setup required.

import { betterAuth } from "better-auth";

export default {
    async fetch(request, env) {
        const auth = betterAuth({
            database: env.DB, // D1 binding, auto-detected // [!code highlight]
        });
        return auth.handler(request);
    },
} satisfies ExportedHandler<{ DB: D1Database }>;

The built-in D1 dialect handles query execution, batch operations, and introspection through D1's native API. Note that D1 does not support interactive transactions — Better Auth uses D1's batch() API for atomicity instead.

---

✨ More Features

Authentication & Sessions

• verifyPassword API: New server-side endpoint to verify the current user's password.
• setShouldSkipSessionRefresh: Programmatically skip session refresh for specific requests.
• deferSessionRefresh: Support for read-replica database setups.
• Awaitable social provider config: Provider configuration can now be async.
• Limit enumeration on sign-up: When email verification is required, sign-up no longer reveals existing accounts.
• customSyntheticUser option: Support plugin fields in enumeration-protected responses (#​8097).
• Form data support for email sign-in/sign-up: In addition to JSON bodies.
• Automatic base URL detection from VERCEL_URL and NEXTAUTH_URL: The client now falls back to VERCEL_URL and NEXTAUTH_URL environment variables when no explicit baseURL is configured, making server-side rendering on Vercel work out of the box.

OAuth & Providers

• Railway OAuth provider: New social provider.
• Trusted providers callback: Dynamic trusted provider resolution.
• Case-insensitive email matching: For social account linking.
• Legacy OAuth clients without PKCE: Backward compatibility support.

Stripe Plugin

• seatPriceId and lineItems enable flexible subscription checkouts, supporting modern pricing models like per-seat and usage-based billing.
• scheduleAtPeriodEnd: Defer plan changes to end of billing period.
• Subscription schedule tracking: Monitor upcoming subscription changes.
• Organization customer support: Organization as a Stripe customer.
• Flexible cancellation and termination: More control over subscription lifecycle.

SCIM

• SCIM ownership model: Link SCIM provider connections to users.
• SCIM connection management: List, get, and delete SCIM provider connections.
• Microsoft Entra ID compatibility: Full support for Entra provisioning.

OAuth Provider Plugin

• HTTPS enforcement for redirect URIs: HTTP only allowed for localhost.
• RFC 9207 iss parameter: Authorization response issuer identifier.
• Per-client PKCE configuration: Opt-out of PKCE for admin-created clients.
• Scope narrowing at consent: Users can reduce requested scopes.
• prompt=none support: Silent authentication for OIDC.
• Configurable rate limiting: Per-endpoint rate limit configuration.

Plugin Improvements

• magic-link: allowedAttempts option: Limit verification attempts.
• email-otp: Change email flow with OTP: Users can change their email address via OTP verification, with optional current-email confirmation for added security.
• email-otp: Name, image, and additional fields in sign-in: Richer OTP sign-in.
• phone-number: Additional fields in signUpOnVerification: Pass extra data.
• two-factor: twoFactorCookieMaxAge and server-side trust device expiration.
• one-tap: Button mode for Google sign-in.
• anonymous: Delete anonymous user endpoint.
• admin: Optional password on user creation.
• api-keys: Pagination for list endpoint, organization reference via metadata.
• organization: Function support for membershipLimit, reject expired invites.

Core & Infrastructure

• BetterAuthPluginRegistry type system: Typed plugin discovery via getPlugin() and hasPlugin().
• Version in AuthContext: Access the Better Auth version at runtime.
• Redis secondary storage: Extracted to @better-auth/redis-storage.
• Session ID handling for secondary storage: Proper ID generation when database is not used.

---

🔒 Security Improvements

• Prevent OTP reuse via race condition: Atomically invalidate OTPs on use.
• Prevent user enumeration: In email-otp when sign-up is disabled, and on sign-up with required email verification.
• Prevent email enumeration on /change-email: Always returns { status: true } and simulates token generation for timing safety (#​8097).
• Stricter default rate limits: For password reset and phone number verification endpoints.
• Separate CSRF and origin checks: More granular request validation.
• Prevent trial abuse: Check all user subscriptions before granting a free trial.
• SAML ACS error redirect hardening: Prevent open redirect in error flows.
• IPv6 address normalization and subnet support: For rate limiting and IP-based rules.
• XML parser hardening: Configurable size limits for SAML responses and metadata.

---

⚠️ Breaking Changes

We recommend going through each breaking change to ensure a smooth upgrade.

Deprecated API Removal

The /forget-password/email-otp endpoint has been removed. Use the standard password reset flow instead.

Adapter Imports

The better-auth/adapters/test export has been removed. Use the testUtils plugin instead.

API Key Plugin Moved to @better-auth/api-key

The api-key plugin has been extracted into its own package. Install it separately:

npm install @​better-auth/api-key

- import { apiKey } from "better-auth/plugins";
+ import { apiKey } from "@​better-auth/api-key";

Schema changes:

• The userId field on the ApiKey table has been renamed to referenceId.
• A new configId field has been added (defaults to "default").

Plugin options changes:

The permissions.defaultPermissions callback's first argument is now referenceId instead of userId:

export const auth = betterAuth({
    plugins: [
        apiKey({
            permissions: {
-               defaultPermissions: async (userId, ctx) => {
+               defaultPermissions: async (referenceId, ctx) => {
                    return {
                        files: ["read"],
                        users: ["read"],
                    };
                },
            }
        })
    ]
})

Client SDK changes:

- const ownerId = apiKey.userId;
+ const ownerId = apiKey.referenceId;
+ const ownerType = apiKey.references; // "user" or "organization"
+ const configId = apiKey.configId;

---

🛠 Developer Changes

If you are building a plugin on top of Better Auth, there are a few things you should know.

@deprecated APIs Are Removed

All previously deprecated APIs have been removed. This includes deprecated adapter types, client types, helper types, and plugin options. If you were relying on any @deprecated methods or options, you'll need to migrate to their replacements:

Removed	Replacement
createAdapter	createAdapterFactory
Adapter	DBAdapter
TransactionAdapter	DBTransactionAdapter
Store (client)	ClientStore
AtomListener (client)	ClientAtomListener
ClientOptions	BetterAuthClientOptions
LiteralUnion, DeepPartial (from better-auth/types/helper)	Import from @better-auth/core
onEmailVerification	afterEmailVerification
sendChangeEmailVerification	sendChangeEmailConfirmation
advanced.database.useNumberId	advanced.database.generateId: "serial"
Organization permission field	permissions (plural)

@better-auth/core/utils Barrel Export Removed

The @better-auth/core/utils barrel export has been split into individual subpath exports to improve tree-shaking:

- import { generateId, safeJSONParse, defineErrorCodes } from "@​better-auth/core/utils";
+ import { generateId } from "@​better-auth/core/utils/id";
+ import { safeJSONParse } from "@​better-auth/core/utils/json";
+ import { defineErrorCodes } from "@​better-auth/core/utils/error-codes";

$ERROR_CODES Type Changed to RawError Objects

The $ERROR_CODES field on plugins now expects Record<string, RawError> instead of Record<string, string>. Use defineErrorCodes() which now returns RawError objects with { code, message } instead of plain strings:

- $ERROR_CODES: {
-     MY_ERROR: "My error message",
- },
+ $ERROR_CODES: defineErrorCodes({
+     MY_ERROR: "My error message",
+ }),
+ // Returns: { MY_ERROR: { code: "MY_ERROR", message: "My error message" } }

Use the new APIError.from() static method to throw errors with error codes:

import { APIError } from "@​better-auth/core/error";

throw APIError.from("BAD_REQUEST", MY_ERROR_CODES.MY_ERROR);

PluginContext Is Now Generic

PluginContext is now parameterized with Options:

type PluginContext<Options extends BetterAuthOptions> = {
    getPlugin: <ID extends string>(pluginId: ID) => /* inferred from registry */ | null;
    hasPlugin: <ID extends string>(pluginId: ID) => boolean; // narrows to `true` when plugin is registered
};

Plugins can register themselves via module augmentation for type-safe getPlugin() and hasPlugin():

declare module "@​better-auth/core" {
    interface BetterAuthPluginRegistry<AuthOptions, Options> {
        "my-plugin": { creator: typeof myPlugin };
    }
}

InferUser / InferSession Types Removed

The InferUser<O> and InferSession<O> types have been removed. Use the generic User and Session types instead:

- import type { InferUser, InferSession } from "better-auth/types";
- type MyUser = InferUser<typeof auth>;
+ import type { User, Session } from "better-auth";
+ type MyUser = User<typeof auth.$options["user"], typeof auth.$options["plugins"]>;

After Hooks Now Run Post-Transaction

Database "after" hooks (create.after, update.after, delete.after) now execute after the transaction commits, not during it. This prevents issues where hooks interacting with external systems (sending emails, calling APIs) could fail and roll back the entire transaction.

If your plugin relies on after hooks running inside the transaction for additional atomic database writes, you'll need to use the adapter directly within the main operation instead.

getMigrations Moved to better-auth/db/migration Subpath

We found that the getMigrations function includes many third-party dependencies, which caused some bundlers to unexpectedly include extra dependencies and increase output size. It's now available from a dedicated subpath:

- import { getMigrations } from "better-auth";
+ import { getMigrations } from "better-auth/db/migration";

id Field Removed from Session in Secondary Storage

The id field is used to determine relationships between structures in database models. We've removed it from secondary storage since it's not necessary there, simplifying the storage logic. If your plugin reads sessions from secondary storage and relies on the id field, you'll need to update your code accordingly.

Plugin init() Context Is Now Mutable

The context object passed to a plugin's init() callback is now the same reference used throughout the auth lifecycle. init() can also return arbitrary keys via Record<string, unknown>, enabling plugins to inject custom context values that other plugins can access.

---

🐛 Bug Fixes & Improvements

This release includes over 220 bug fixes addressing issues across all areas:

• Drizzle Adapter: Fixed date transformation crashes and input handling.
• Cookie Handling: Centralized parsing, fixed Expo leading semicolons, secure detection fallbacks.
• Database Hooks: Delayed execution until after transaction commits to prevent inconsistencies.
• Transaction Deadlock Prevention: Improved locking strategies across adapters.
• Prisma Adapter: Fixed null condition handling and unique where field detection.
• OAuth: Fixed refresh_token_expires_in handling, callback routing, and token encryption.
• Organization: Fixed role deletion prevention, active member refetch, and dynamic access control inference.
• Expo: Fixed immutable headers on Cloudflare Workers, cookie injection wildcards, and skipped cookie/expo-origin headers for ID token requests.
• Kysely Adapter: Fixed edge case with aliased joined table names.
• Last Login Method: Fixed handling of multiple Set-Cookie headers.
• Session Listing: Fixed endpoints returning empty arrays when more than 100 inactive sessions exist.
• Organization: Fixed path matching for active member signals.
• OAuth: Fixed preserving refresh tokens when provider omits them on refresh.
• Secondary Storage: Synced updateSession changes and removed duplicate writes.
• And many more!

---

A lot of refinements to make everything smoother, faster, and more reliable.
👉 Check the full changelog

❤️ Contributors

Thanks to all the contributors for making this release possible!

v1.4.21

Compare Source

   🐞 Bug Fixes

• Update workspace dependency ranges to workspace:*  -  by @​himself65 (4e7cf)
• ci:
  • Use version-specific npm tag for version branches  -  by @​himself65 (41d6c)
  • Prefix version branch npm tag with "v" to avoid SemVer conflict  -  by @​himself65 (93a2d)
  • Use "release-X.Y" npm tag format for version branches  -  by @​himself65 (c8ef9)
• expo:
  • Support Expo SDK 55 new versioning scheme  -  by @​himself65 in #​8212 (67125)

    View changes on GitHub

v1.4.20

Compare Source

   🐞 Bug Fixes

• cookie: Add deprecated options alias for backward compatibility  -  by @​himself65 in #​8139 (07447)

    View changes on GitHub

v1.4.19

Compare Source

   🚀 Features

• adapter:
  • Improve select support  -  by @​jslno in #​7667 (4aae0)
• oauth-provider:
  • Add iss parameter to authorization responses (RFC 9207)  -  by @​Paola3stefania in #​7669 (766fc)
  • Add configurable rate limiting for OAuth endpoints  -  by @​Paola3stefania in #​7666 (2410d)
  • Enforce HTTPS for redirect URIs  -  by @​Paola3stefania in #​7670 (cf473)
• phone-number:
  • Support user additionalFields in signUpOnVerification flow  -  by @​bytaesu and @​himself65 in #​7699 (f3080)

   🐞 Bug Fixes

• Skip sending email verification to already verified users without a session  -  by @​bytaesu in #​7712 (1667f)
• Improve Headers detection with instanceof check and cross-realm fallback  -  by @​bytaesu in #​7651 (1dc6a)
• Safely coerce date values from DB in OAuth provider plugin  -  by @​himself65 in #​7937 (f7074)
• Correct error redirect URL construction  -  by @​bytaesu in #​7799 (61cc2)
• Encode callbackURL in delete-user verification email  -  by @​Paola3stefania in #​8007 (fab61)
• Add error handling for id token verification in Apple and Google providers  -  by @​Paola3stefania in #​8011 (90ffd)
• access:
  • Allow passing statements directly into newRole  -  by @​jslno in #​7687 (9312d)
• adapter:
  • Use getCurrentAdapter for user lookup to avoid transaction deadlock  -  by @​sakamoto-wk in #​7758 (327ee)
• admin:
  • Change list type from never[] to UserWithRole[]  -  by @​LovelessCodes in #​7701 (3c0c5)
  • Apply listUsers filter when filterValue is defined  -  by @​coderrshyam, @​bytaesu and Taesu in #​7827 (5f611)
  • Optional chain user in hooks  -  by @​jslno in #​8026 (17407)
• api-key:
  • Error details not passed to response  -  by @​ping-maxwell and @​himself65 in #​7692 (8fd94)
• cli:
  • Add .env.local to dotenv  -  by @​himself65 in #​7831 (e804e)
• cookie:
  • Relax cookie retrieval for getSessionCookie  -  by @​jslno in #​8008 (81f50)
• custom-session:
  • Use getSetCookie() to preserve individual Set-Cookie headers  -  by @​thomaspeklak in #​7879 (0f035)
• db:
  • Infer default value for required attr properly  -  by @​jslno in #​7996 (c44a8)
• email-otp:
  • Typo in OpenAPI response metadata  -  by @​smsunarto and Claude Opus 4.5 in #​7737 (defcb)
• expo:
  • Construct the new Request to avoid immutable headers error on Cloudflare Workers  -  by @​bytaesu in #​7774 (5e83e)
  • Avoid a leading “; ” when constructing the first cookie  -  by @​Laurin-Notemann in #​7821 (3f5c1)
  • Support wildcard trusted origins in deep link cookie injection  -  by @​bytaesu in #​8013 (7153e)
• generic-oauth:
  • Emit duplicate id warning  -  by @​himself65 in #​7779 (c682a)
• microsoft:
  • Add verifyIdToken support for Microsoft Entra ID provider  -  by @​bytaesu in #​7795 (80120)
• oauth:
  • Support case-insensitive email matching for social account linking  -  by @​karuppusamy-d in #​7812 (987f4)
• oauth-provider:
  • Return url instead of uri in continue and consent endpoints  -  by @​bytaesu in #​7811 (fb56f)
  • Add missing oauthClient createdAt/updatedAt values  -  by @​dvanmali in #​7851 (16b11)
  • Return "invalid_client" on encrypted secret verification failure  -  by @​bytaesu in #​8030 (358a8)
• organization:
  • Prevent deletion of roles assigned to members  -  by @​bytaesu in #​7736 (8d98b)
  • Remove unreachable null check in acceptInvitation  -  by @​Saurav3004, Taesu and @​himself65 in #​7825 (3f254)
• passkey:
  • Compute expirationTime per-request instead of at init  -  by @​bytaesu in #​7731 (763fd)
  • Use deleteVerificationByIdentifier for secondary-storage cleanup  -  by @​bytaesu in #​7790 (6efdc)
• sso:
  • Add better-call peerDeps  -  by @​bytaesu in #​7676 (d323b)
  • Allow custom organization roles in provisioning types  -  by @​MuzzaiyyanHussain in #​7722 (2803e)
  • Resolve TXT record at verification subdomain instead of root domain  -  by @​Paola3stefania in #​7935 (87093)
  • Correct IdentityProvider configuration in signInSSO  -  by @​theNailz and Claude Opus 4.5 in #​7708 (69ea7)
  • Fix broken relay state redirect on SAML ACS route  -  by @​rbayliss in #​7781 (68b6b)
  • Validate aud claim in OpenID Connect ID tokens  -  by @​Paola3stefania in #​7816 (3cd15)
  • Harden SAML ACS error redirects and add regression test for #​7777  -  by @​Paola3stefania in #​7815 and #​7777 (a6d8d)
• stripe:
  • Restore better-call peerDeps  -  by @​bytaesu in #​7675 (f63bf)
  • Use correct stripeCustomerId on /subscription/cancel/callback endpoint  -  by @​bytaesu in #​8032 (15519)
  • Clarify error when authorizeReference is missing  -  by @​bytaesu in #​7741 (91130)

    View changes on GitHub

v1.4.18

Compare Source

   🚀 Features

• Add disableImplicitLinking to accountLinking  -  by @​Paola3stefania and @​himself65 in #​7270 (a7740)
• Mark /forget-password/email-otp as deprecation  -  by @​bytaesu in #​7645 (8f333)
• device-authorization:
  • Add user id checks  -  by @​himself65 in #​7632 (4d79c)
• one-tap:
  • Add button mode for Google sign-in  -  by @​himself65 and Alex Yang in #​7482 (aeb92)
• sso:
  • Support multi-domain providers  -  by @​Paola3stefania in #​7541 (5be34)
  • Add provider list and detail endpoints  -  by @​Paola3stefania and @​himself65 in #​6967 (d0ed1)

   🐞 Bug Fixes

• Correctly handle OAuth callback and Apple email field  -  by @​bytaesu in #​7181 (c918e)
• Centralize cookie parsing and handle Expires dates correctly  -  by @​bytaesu, @​cursoragent, taesu and @​himself65 in #​7556 (d598b)
• Refresh account_data cookie when session is refreshed  -  by @​bytaesu and @​himself65 in #​7576 (5d3f7)
• Remove duplicate secondary storage writes from setSessionCookie  -  by @​bytaesu in #​7592 (7a4bc)
• Set default logger level to "warn"  -  by @​bytaesu, @​cursoragent and taesu in #​7597 (5d0e7)
• Respect the explicitly set sendOnSignUp option  -  by @​bytaesu in #​7593 (33619)
• Handle serial and false cases in generateId  -  by @​bytaesu in #​7474 (949cd)
• Log error when misconfigured  -  by @​himself65 in #​7584 (16201)
• Update google oauth endpoints  -  by @​bytaesu in #​7442 (d401b)
• Consistent api version for facebook provider  -  by @​bytaesu in #​7445 (cf619)
• Check jsconfig.json in getPathAliases  -  by @​jycouet in #​7650 (9cb45)
• 2fa:
  • Server-side trust device expiration and configurable maxAge  -  by @​Paola3stefania and @​himself65 in #​7644 (5d15b)
• anonymous:
  • Export types  -  by [@​CalLavicka](https://redirect.github.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
job-prep	Ready	Preview, Comment	Mar 2, 2026 4:45am

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 1 file