stack.pulse

Better Auth release notes, breaking changes, and upgrade notes.

Better Auth: "The most comprehensive authentication framework for TypeScript." StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

releases: 20 | breaking: 6 | security: 9 | deprecated: 3 | migrations: 5


what stackpulse tracks

Better Auth releases from GitHub

StackPulse watches Better Auth release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases (source-backed)

v1.7.0-rc.0 (Jun 26, 2026)
risk: critical | tags: breaking, deprecation, migration, feature, security, prerelease

This release introduces significant breaking changes for CAPTCHA, MCP, OAuth provider, and two-factor authentication. Key updates include OIDC back-channel logout support, explicit modeling of protected resources, and PKCE enforcement.

affected

All users of MCP, OAuth provider, two-factor auth, and Electron integration are affected by breaking changes.

action

Review breaking changes carefully and follow migration steps before upgrading.

release_signals
- Renamed MCP route helper from `withMcpAuth` to `requireMcpAuth` and remote client from `createMcpAuthClient` to `createMcpResourceClient`
- Access tokens now invalidate immediately when user session ends via back-channel logout
- Removed `validAudiences` in favor of explicit `resources` configuration
- Revised `enableTwoFactor` response format and removed `skipVerificationOnEnable`
- Electron sign-in now enforces S256 PKCE and stricter origin checks
! OIDC back-channel logout adds immediate session termination capability
! Electron auth flow hardened with mandatory S256 PKCE
! SSRF host guard extended to cover JWKS URIs
! Proxy header trust disabled by default for security
! Refresh token revocation policy tightened
! `oauthApplication` model renamed to `oauthClient` with new associated tables
! `withMcpAuth` helper deprecated in favor of `requireMcpAuth`
! `createMcpAuthClient` deprecated in favor of `createMcpResourceClient`
+ Wildcard endpoint matching for CAPTCHA
+ MCP packaged as its own module with OAuth provider integration
+ OIDC back-channel logout support
+ Explicit modeling of OAuth protected resources
+ Discriminated response for OTP/TOTP enablement
migration_steps (5 steps)
  1. Install @better-auth/mcp and add jwt() plugin
  2. Move oidcConfig options to flat mcp() options
  3. Run schema migrations for new oauthClient and resource tables
  4. Update Electron client/server components together
  5. Enable trustedProxyHeaders if using x-forwarded-host

v1.7.0-beta.10 (Jun 26, 2026)
risk: medium | tags: feature, prerelease

This release focuses on bug fixes and minor improvements across multiple packages, including fixes for rate limiting, OAuth state validation, and TypeScript inference errors. It also introduces a new `refreshTokenReuseInterval` option for OAuth provider and MCP packages.

affected

Developers using `better-auth` and its associated packages may benefit from bug fixes and new features, particularly those working with OAuth and Drizzle integrations.

action

Update to the latest beta version to take advantage of bug fixes and new features.

release_signals
+ Added support for Drizzle Relations v2 via a new `@better-auth/drizzle-adapter/relations-v2` entry point.
+ Added a `refreshTokenReuseInterval` option, defaulting to 30 seconds, for native/public clients to retry refresh token requests.
+ Added `refreshTokenReuseInterval` to the OAuth provider to replay refresh token responses for duplicate requests within a configurable time window.

v1.6.22 (Jun 26, 2026)
risk: medium | tags: feature

Bugfix release addressing credential revocation, OAuth redirect handling, SCIM operations, organization subscription actions, and 2FA lockout.

affected

Users relying on magic link/email OTP sign-in, OAuth redirects, SCIM operations, Stripe organization subscriptions, or 2FA verification may be affected by fixes in this release.

action

Update to benefit from critical bug fixes related to authentication flows and subscription management.


v1.6.21 (Jun 26, 2026)
risk: medium | tags: security

This release focuses on bug fixes across multiple packages, including improvements to rate limits, session handling, OAuth validation, and security enhancements.

affected

Users relying on OAuth, SSO, or IP resolution features may be affected by these fixes.

action

Update to v1.6.21 to benefit from the latest bug fixes and security improvements.

release_signals
! Fixed client IP resolution to prevent `X-Forwarded-For` spoofing in multi-hop proxy chains
! Fixed SAML single logout to reject IdP SLO POST URLs that use non-http(s) schemes such as `javascript:` or `data:`

v1.6.20 (Jun 20, 2026)
risk: medium | tags: feature

This release focuses on bug fixes, including improvements to account-linking logs, TypeScript inference errors, refresh cookie `Max-Age` behavior, and i18n fallback logic.

affected

Developers using `better-auth` and `@better-auth/i18n` may benefit from the bug fixes and improved TypeScript support.

action

Update to v1.6.20 to benefit from the bug fixes and improvements.


v1.7.0-beta.9 (Jun 20, 2026)
risk: high | tags: breaking, migration, feature, prerelease

Beta release with breaking auth claim restrictions, new DCR and UserInfo features, and numerous OIDC bug fixes.

affected

Applications overriding standard OIDC claims in customIdTokenClaims will need migrations.

action

Audit custom claim usage and migrate protected claims to namespaced alternatives.

release_signals
- Restricted customIdTokenClaims, extension ID-token claims, and per-issuance idTokenClaims from overriding protected OIDC/JWT protocol claims
+ Added support for confidential DCR clients to complete authorization-code flows without PKCE when clientRegistrationRequirePKCE: false is set
+ Added support for the claims.userinfo authorization request parameter to request specific standard claims from UserInfo
migration_steps (1 step)
  1. Remove iss, sub, aud, exp, nonce, auth_time, acr, amr, or azp fields from customIdTokenClaims and use namespaced custom claims instead

v1.7.0-beta.8 (Jun 18, 2026)
risk: medium | tags: feature, prerelease

This release focuses on bug fixes for OAuth flows, including account creation rollbacks, redirect URI derivation, and scope preservation. It also introduces a new feature for the Google provider to control scope accumulation.

affected

Users relying on OAuth flows or multi-host deployments are affected by these fixes.

action

Update to ensure proper handling of OAuth scope persistence and redirect URIs.

release_signals
+ Added includeGrantedScopes option to the Google provider to control scope accumulation across OAuth flows

v1.7.0-beta.7 (Jun 18, 2026)
risk: medium | tags: feature, security, prerelease

This beta release introduces new token refresh configuration options and improves security with SSRF protection and ID token nonce binding fixes.

affected

Users implementing OAuth flows or token refresh functionality are affected by these changes.

action

Review the security fixes and consider implementing the new refreshTokenParams configuration if needed.

release_signals
! Fixed SSRF protection for client_id host validation by routing checks through the shared host classifier
! Fixed ID token nonce binding in the generic OAuth redirect flow
+ Added refreshTokenParams config to forward extra parameters to the token endpoint during token refresh
+ Added sessionId to ID token claim contributors

v1.7.0-beta.6 (Jun 16, 2026)
risk: high | tags: breaking, deprecation, migration, feature, prerelease

This release introduces breaking changes to auth endpoint matching, OAuth protected resource modeling, and client authentication. It also adds new features like popup-based OAuth sign-in and DPoP token support.

affected

Users relying on partial path matching in captcha plugin, OAuth audience validation, or dynamic baseURL resolution will need to update their configurations.

action

Follow the detailed migration steps provided in the release notes for each breaking change.

release_signals
- Added wildcard endpoint matching to the captcha plugin, requiring full auth path matches instead of partial prefix matching
- Moved the MCP plugin into its own package, @better-auth/mcp
- Introduced explicit OAuth protected resource modeling, replacing validAudiences with a resource-first configuration API
- Changed dynamic baseURL resolution to ignore x-forwarded-host by default
- Required a Google client ID to be configured for One Tap ID token audience validation
! Removed the deprecated oidcProvider plugin from better-auth/plugins
+ Added support for pre-binding device codes to a specific user during the device authorization flow
+ Added a popup-based OAuth sign-in flow as an alternative to full-page redirects
+ Added DPoP (RFC 9449) sender-constrained access token support to the OAuth provider
+ Enforced Cache-Control: no-store on all OAuth credential responses to prevent caching
+ Added auth.api.consumePhoneNumberOTP for verifying and consuming phone OTP codes server-side
migration_steps (5 steps)
  1. Replace partial endpoint paths like /sign-in with explicit wildcards such as /sign-in/* or /sign-in/** in your captcha plugin configuration
  2. Install @better-auth/mcp, add the jwt() plugin, update imports from better-auth/plugins to @better-auth/mcp, rename withMcpAuth to requireMcpAuth and createMcpAuthClient to createMcpResourceClient
  3. Run npx auth migrate to apply schema changes (oauthApplication becomes oauthClient, with new oauthRefreshToken and oauthClientAssertion tables)
  4. Replace validAudiences with resources, link clients through oauthClientResource, then run npx @better-auth/cli generate and apply the migration to add oauthResource, oauthClientResource, and new jwks columns before deploying
  5. Configure oneTap({ clientId: 'your-google-client-id' }) or set socialProviders.google.clientId in your Better Auth config

v1.6.19 (Jun 16, 2026)
risk: medium | tags: feature

Maintenance release focusing on bug fixes across multiple packages including device authorization, session cookies, and database adapters.

affected

Users may need to update their cookie handling if they were relying on silent drops near size limits.

action

Review cookie handling changes if your implementation deals with large session cookies.

release_signals
+ Added support for pre-binding device codes to a specific user in the device authorization plugin

v1.6.18 (Jun 12, 2026)
risk: high | tags: feature, security

This release focuses on fixing numerous bugs related to concurrent requests, session management, and security vulnerabilities. Key improvements include stricter rate limiting, atomic counter updates, and enhanced replay protection for various authentication mechanisms.

affected

Users relying on concurrent authentication mechanisms, rate limiting, or replay protection are most affected.

action

Update to this version to benefit from improved security and stability fixes.

release_signals
! Fixed SAML assertion replay protection to prevent duplicate submissions
! Fixed SCIM bearer token comparison to use constant-time comparison
! Fixed MCP bearer token validation to reject expired access tokens
! Fixed OIDC `/oauth2/endsession` endpoint to reject cross-site logout requests without `id_token_hint`
! Fixed Google One Tap to require a configured client ID
+ Added `internalAdapter.reserveVerificationValue` for atomic single-use markers
+ Added `incrementOne` adapter method and `SecondaryStorage.increment` for atomic counter updates

v1.6.17 (Jun 12, 2026)
risk: high | tags: feature, security

This release introduces an experimental OAuth popup plugin and addresses numerous race conditions and bugs related to session management, token handling, and security.

affected

Users relying on OAuth, session management, and token handling are affected by these changes.

action

Update to the latest version to benefit from improved security and bug fixes.

release_signals
! Fixed race conditions in token handling to prevent multiple uses of the same token.
! Improved replay protection across verification flows with atomic single-use markers.
! Fixed Google One Tap to reject ID tokens issued for a different application.
+ Added an experimental `oauthPopup` plugin for popup-based OAuth sign-in, enabling sign-in inside cross-site iframes.

v1.7.0-beta.5 (Jun 10, 2026)
risk: high | tags: breaking, deprecation, migration, feature, security, prerelease

This release introduces significant breaking changes, including consolidated `id_token` verification, OIDC Back-Channel Logout support, and hardened SSO provider validation. New features include `clientAssertion` support for Microsoft Entra ID, per-provider `requireEmailVerification`, and `id_token` verification for `genericOAuth` providers.

affected

Developers using custom providers, OAuth, SSO, or Electron integrations are affected by breaking changes and need to migrate.

action

Review breaking changes and migration steps, then update your implementation accordingly.

release_signals
- Consolidated `id_token` verification for social providers into a single shared verifier
- Added OIDC Back-Channel Logout support, notifying connected apps and revoking access tokens immediately on sign-out
- Enforced `max_age` parameter so users are now prompted to re-authenticate when their session exceeds the requested age
- Hardened the `validateUserInfo` source contract for SSO providers
- Changed OAuth account scopes from a single `scope` string to an accumulated `grantedScopes` array
! Fixed missing `Origin`/`Referer` validation on cookieless email sign-in and sign-up
! Enforced PKCE S256 and hardened custom-scheme origin matching in the Electron sign-in flow
! PayPal no longer supports client-submitted `id_token` sign-in (`signIn.social({ idToken })`)
! Custom providers must rename `OAuthProvider` to `UpstreamProvider` and remove `defaultScopes`
+ Added `clientAssertion` support to the Microsoft Entra ID social provider
+ Added per-provider `requireEmailVerification` option for social sign-in
+ Added `id_token` verification and client-submitted `id_token` sign-in for `genericOAuth` providers configured with a `discoveryUrl`
+ Added support for POST requests on the userinfo endpoint
+ Added `user.validateUserInfo` provisioning gate to allow rejecting identities before user creation or account linking
migration_steps (5 steps)
  1. Custom providers implementing `UpstreamProvider` must replace the removed `verifyIdToken` method with an `idToken` config object containing `jwks`, `issuer`, and `audience`
  2. Run `migrate`/`generate` to add three new schema fields: `oauthClient.backchannelLogoutUri`, `oauthClient.backchannelLogoutSessionRequired`, and `oauthAccessToken.revoked`
  3. Update any callbacks that inspect provider data for SSO flows to read from `source.sso` when `source.method` is `'sso'`
  4. Upgrade both the `@better-auth/electron` client and server together, and ensure your app's custom scheme is listed in `trustedOrigins`
  5. Run `migrate`/`generate` to add the `grantedScopes` column, then backfill from `account.scope` by splitting on commas and whitespace, trimming and deduping tokens

v1.6.16 (Jun 10, 2026)
risk: critical | tags: security

This release focuses on bug fixes across multiple modules, addressing issues in SIWE verification, PayPal ID token verification, Google hosted domain enforcement, and more. Security improvements include fixes for replay attacks, SSRF vulnerabilities, and token verification enhancements.

affected

Users relying on SIWE, PayPal, Google, Facebook, SAML, or OIDC integrations may need to verify their configurations due to security fixes and verification enhancements.

action

Review and update configurations for SIWE, PayPal, Google, Facebook, SAML, and OIDC integrations to ensure compatibility with the latest security fixes.

release_signals
! Fixed SAML `AuthnRequest` handling to prevent replay attacks on concurrent requests.
! Fixed OIDC endpoint validation to reject server-side requests resolving to non-publicly-routable addresses, protecting against SSRF.
! Fixed SIWE verification to bind the signed message to server state, preventing acceptance of signatures produced for a different message, earlier nonce, or unrelated domain.
! Fixed PayPal ID token verification to validate the signature, issuer, audience, expiration, and nonce against PayPal's JWKS or client secret.
! Fixed Facebook token verification to validate tokens against the configured app via the `debug_token` endpoint.

v1.6.15 (Jun 8, 2026)
risk: medium | tags: feature

This release focuses on bug fixes and minor improvements across multiple packages, including better session handling, OAuth endpoint enhancements, and passkey authenticator name resolution.

affected

Users relying on session management, OAuth flows, and passkey integrations may be affected by these changes.

action

Review the changelog and update your integrations if necessary.

release_signals
+ Added `POST` support to the `/oauth2/userinfo` endpoint
+ Added automatic resolution of authenticator names from AAGUID in passkey package

v1.6.14 (Jun 2, 2026)
risk: medium | tags: feature

This release focuses on bug fixes, including resolving issues with Google One Tap authentication, session cookie handling, redirect URI validation, and SAML Single Logout.

affected

Users experiencing issues with Google One Tap authentication, session cookies, redirect URIs, or SAML Single Logout will benefit from these fixes.

action

Update to the latest version to resolve the mentioned issues.


v1.7.0-beta.4 (May 31, 2026)
risk: high | tags: breaking, migration, feature, prerelease

This release introduces server-side `accountInfo` calls without session headers and includes numerous bug fixes across authentication, OAuth, and SSO components. Breaking changes affect resource indicators in OAuth and SAML certificate handling.

affected

Developers using OAuth resource indicators or SAML SSO configurations are affected by breaking changes.

action

Run migration commands and update code to handle SAML certificates as arrays.

release_signals
- Bound RFC 8707 resource indicators to the authorization grant: `customAccessTokenClaims` callback now receives a `resources` array instead of a `resource` string
- Added support for multiple IdP signing certificates: `samlConfig.certificate` now returns an array unconditionally
+ Added server-side `accountInfo` calls without requiring session headers
+ Added token endpoint client authentication support
+ Added support for multiple IdP signing certificates
migration_steps (2 steps)
  1. Run `npx @better-auth/cli migrate` (or `generate` if you manage the schema yourself) to add new resource columns for OAuth resource indicators
  2. Update consumers to read `samlConfig.certificate` as an array unconditionally

v1.6.13 (May 31, 2026)
risk: high | tags: feature, security

This release introduces server-side `accountInfo` calls with an optional `userId` parameter and fixes several bugs, including a high-severity XML injection vulnerability in SAML assertions.

affected

Users relying on SAML Single Sign-On (SSO) or server-side `accountInfo` calls are most affected by this release.

action

Update to v1.6.13 to mitigate the SAML XML injection vulnerability and benefit from the new `accountInfo` feature.

release_signals
! Fixed a high-severity XML injection vulnerability in signed SAML assertions by updating `samlify` to 2.13.1 (GHSA-34r5-q4jw-r36m)
+ Added support for server-side `accountInfo` calls with an optional `userId` parameter, allowing trusted callers to read provider profiles without constructing session headers

v1.6.12 (May 29, 2026)
risk: high | tags: feature, security

This release focuses on bug fixes across multiple packages, including session cookie handling, OAuth state validation, and security improvements.

affected

Users relying on session cookies, OAuth flows, or passkey authentication may be affected by security fixes and improvements.

action

Update to version 1.6.12 to benefit from security fixes and bug improvements.

release_signals
! Fixed a session cookie leak that allowed `session_token` and `session_data` cookies to be captured and replayed to bypass 2FA when cookie caching is enabled.
! Updated XML parser dependency to a patched release to resolve security alerts.
! Fixed passkey challenges to be consumed atomically, preventing replay attacks.
+ Added `accessTokenExpiresIn` config option to `genericOAuth` for providers that omit `expires_in` in their token response.
+ Added `toCamelCase`, `toSnakeCase`, `toPascalCase`, and `toKebabCase` utilities to `@better-auth/core/utils/string`.

v1.6.11 (May 12, 2026)
risk: critical | tags: breaking, feature

This release focuses on security fixes and improvements, including hardening OAuth 2.1 compliance, fixing invitation takeover vulnerabilities, and addressing race conditions in token handling.

release_signals
- Hardened `oidc-provider` and `mcp` plugins to follow OAuth 2.1: removed `"none"` from advertised signing algorithms, defaulted plain PKCE off, and rejected incomplete PKCE parameters
- Enabled `requireEmailVerificationOnInvitation` by default and extended the verification gate to `getInvitation` and `listUserInvitations`
+ Added an atomic `claimOne` adapter primitive for consuming database rows without race conditions