
Better Auth release notes, breaking changes, and upgrade notes.

Better Auth bills itself as the most comprehensive authentication framework for TypeScript. StackPulse turns its upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

tracked: 20 releases · 6 breaking · 9 security · 3 deprecated · 5 migrations


what stackpulse tracks

Better Auth releases from GitHub

StackPulse watches Better Auth release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases

v1.7.0-rc.0 · Jun 26, 2026 · prerelease · risk: critical · tags: breaking, deprecation, migration, feature, security · source-backed

This release introduces significant breaking changes for CAPTCHA, MCP, OAuth provider, and two-factor authentication. Key updates include OIDC back-channel logout support, explicit modeling of protected resources, and PKCE enforcement.

affected

All users of MCP, OAuth provider, two-factor auth, and Electron integration are affected by breaking changes.

action

Review breaking changes carefully and follow migration steps before upgrading.

release_signals
- Renamed the MCP route helper from `withMcpAuth` to `requireMcpAuth` and the remote client from `createMcpAuthClient` to `createMcpResourceClient`
- Access tokens are now revoked immediately when the user's session ends, via OIDC back-channel logout
- Removed `validAudiences` in favor of explicit `resources` configuration
- Revised the `enableTwoFactor` response format and removed `skipVerificationOnEnable`
- Electron sign-in now enforces S256 PKCE and stricter origin checks
! OIDC back-channel logout adds immediate session termination capability
! Electron auth flow hardened with mandatory S256 PKCE
! SSRF host guard extended to cover JWKS URIs
! Proxy header trust disabled by default for security
! Refresh token revocation policy tightened
! `oauthApplication` model renamed to `oauthClient`, with new associated tables
! `withMcpAuth` helper deprecated in favor of `requireMcpAuth`
! `createMcpAuthClient` deprecated in favor of `createMcpResourceClient`
+ Wildcard endpoint matching for CAPTCHA
+ MCP packaged as its own module with OAuth provider integration
+ OIDC back-channel logout support
+ Explicit modeling of OAuth protected resources
+ Discriminated response for OTP/TOTP enablement
migration_steps (5 steps)
  1. Install @better-auth/mcp and add the jwt() plugin
  2. Move oidcConfig options to flat mcp() options
  3. Run schema migrations for the new oauthClient and resource tables
  4. Update Electron client and server components together
  5. Enable trustedProxyHeaders if you rely on x-forwarded-host
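The signal "SSRF host guard extended to cover JWKS URIs" is a single line; what such a guard actually has to check is worth seeing in code. The following is an added example written for this page, not Better Auth's implementation: a static check on a configured `jwks_uri` that runs before any network I/O, plus an address check meant to be applied to every address the hostname resolves to right before connecting (and to every redirect target). The function names, the choice to refuse all IP literals in a `jwks_uri`, and the blocked-range list are assumptions made for the example.

```typescript
// Added example, not Better Auth's own code: a two-stage SSRF host guard for a
// configured jwks_uri. Stage 1 rejects the URL statically; stage 2 is assumed to
// run on every resolved address before connecting and on every redirect target.

function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

function isBlockedIPv4(o: number[]): boolean {
  return (
    o[0] === 0 ||                                   // 0.0.0.0/8 ("this" network)
    o[0] === 10 ||                                  // 10.0.0.0/8
    o[0] === 127 ||                                 // loopback
    (o[0] === 100 && o[1] >= 64 && o[1] <= 127) ||  // 100.64.0.0/10 (CGNAT)
    (o[0] === 169 && o[1] === 254) ||               // link-local, incl. 169.254.169.254 metadata
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||   // 172.16.0.0/12
    (o[0] === 192 && o[1] === 168) ||               // 192.168.0.0/16
    o[0] >= 224                                     // multicast, reserved, broadcast
  );
}

// Stage 2: is this resolved address one we must never connect to?
export function isBlockedAddress(address: string): boolean {
  const ip = address.replace(/^\[|\]$/g, "").toLowerCase();
  const v4 = parseIPv4(ip);
  if (v4) return isBlockedIPv4(v4);
  if (ip === "::" || ip === "::1") return true;               // unspecified, loopback
  if (ip.startsWith("::ffff:")) {                              // IPv4-mapped IPv6
    const mapped = parseIPv4(ip.slice("::ffff:".length));
    return mapped ? isBlockedIPv4(mapped) : true;              // hex-form mapping: refuse rather than guess
  }
  if (ip.startsWith("fe80:")) return true;                     // link-local
  if (ip.startsWith("fc") || ip.startsWith("fd")) return true; // fc00::/7 unique-local
  return false;
}

// Stage 1: static checks on the configured jwks_uri, before any I/O.
export function assertSafeJwksUri(uri: string): URL {
  const url = (() => {
    try { return new URL(uri); } catch { return null; }
  })();
  if (!url) throw new Error("jwks_uri is not an absolute URL");
  if (url.protocol !== "https:") throw new Error("jwks_uri must use https");
  if (url.username !== "" || url.password !== "") throw new Error("jwks_uri must not carry credentials");
  const host = url.hostname.toLowerCase();
  // Node's WHATWG URL parser normalises forms like "2130706433" or "0x7f.1" to
  // dotted IPv4, so an IPv4 literal always reaches this check as a.b.c.d;
  // IPv6 literals keep their brackets in .hostname.
  if (host.startsWith("[") || parseIPv4(host)) {
    throw new Error("jwks_uri must use a DNS name, not an IP literal");
  }
  if (host === "localhost" || host.endsWith(".localhost") ||
      host.endsWith(".local") || host.endsWith(".internal")) {
    throw new Error("jwks_uri host is a local or internal name");
  }
  return url;
}

// Small helper so callers (and the checks below) can assert that a guard fires.
export function throwsError(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}
```

Stage 1 alone is not enough: a public DNS name can resolve to 127.0.0.1 or 169.254.169.254 at lookup time, which is why the address check has to run on the resolved addresses and again after every redirect, not just on the configured string.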
v1.7.0-beta.9 · Jun 20, 2026 · prerelease · risk: high · tags: breaking, migration, feature

Beta release with breaking ID-token claim restrictions, new DCR (dynamic client registration) and UserInfo features, and numerous OIDC bug fixes.

affected

Applications overriding standard OIDC claims in customIdTokenClaims will need migrations.

action

Audit custom claim usage and migrate protected claims to namespaced alternatives.

release_signals
- Restricted `customIdTokenClaims`, extension ID-token claims, and per-issuance `idTokenClaims` from overriding protected OIDC/JWT protocol claims
+ Added support for confidential DCR clients to complete authorization-code flows without PKCE when `clientRegistrationRequirePKCE: false` is set
+ Added support for the `claims.userinfo` authorization request parameter to request specific standard claims from UserInfo
migration_steps (1 step)
  1. Remove `iss`, `sub`, `aud`, `exp`, `nonce`, `auth_time`, `acr`, `amr`, or `azp` fields from `customIdTokenClaims` and use namespaced custom claims instead
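As an added example (not Better Auth's code) of the rule this migration step describes, the TypeScript below drops any custom ID-token claim that collides with a protected protocol claim, applies the protocol claims last so they always win, and shows the namespaced alternative the step asks for. The protected set is the one listed in the step; the function names and the `https://.../claims/` namespace style are assumptions made for the example.

```typescript
// Added example, not Better Auth's code: custom ID-token claims never override
// protocol claims. The protected set is the one the release notes list; a real
// implementation may extend it (for example with iat).

const PROTECTED_ID_TOKEN_CLAIMS: ReadonlySet<string> = new Set([
  "iss", "sub", "aud", "exp", "nonce", "auth_time", "acr", "amr", "azp",
]);

export interface IdTokenClaimMerge {
  claims: Record<string, unknown>;
  rejected: string[]; // custom claim names that were dropped
}

export function mergeIdTokenClaims(
  protocolClaims: Record<string, unknown>,
  customClaims: Record<string, unknown>,
): IdTokenClaimMerge {
  const claims: Record<string, unknown> = Object.create(null); // no prototype to pollute
  const rejected: string[] = [];
  for (const [name, value] of Object.entries(customClaims)) {
    if (PROTECTED_ID_TOKEN_CLAIMS.has(name)) {
      rejected.push(name);
      continue;
    }
    claims[name] = value;
  }
  // Protocol claims are written last so they win even if the set above is ever incomplete.
  for (const [name, value] of Object.entries(protocolClaims)) claims[name] = value;
  return { claims, rejected };
}

// Namespaced custom claim, e.g. "https://app.example.com/claims/sub" (namespace style assumed).
export function namespacedClaim(namespace: string, name: string): string {
  return `${namespace.replace(/\/+$/, "")}/${name}`;
}

// Migration audit: which keys of an existing customIdTokenClaims object will be rejected?
export function findProtectedOverrides(custom: Record<string, unknown>): string[] {
  return Object.keys(custom).filter((k) => PROTECTED_ID_TOKEN_CLAIMS.has(k));
}
```

Running `findProtectedOverrides` over the object your `customIdTokenClaims` callback produces for a few representative users is a quick way to find the overrides before the upgrade rejects them.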
v1.7.0-beta.6 · Jun 16, 2026 · prerelease · risk: high · tags: breaking, deprecation, migration, feature

This release introduces breaking changes to auth endpoint matching, OAuth protected resource modeling, and client authentication. It also adds new features like popup-based OAuth sign-in and DPoP token support.

affected

Users relying on partial path matching in the captcha plugin, on `validAudiences` for OAuth audience validation, or on dynamic baseURL resolution from `x-forwarded-host` will need to update their configurations.

action

Follow the detailed migration steps provided in the release notes for each breaking change.

release_signals
- Added wildcard endpoint matching to the captcha plugin; endpoint entries now require a full auth path match (or an explicit wildcard) instead of partial prefix matching
- Moved the MCP plugin into its own package, `@better-auth/mcp`
- Introduced explicit OAuth protected resource modeling, replacing `validAudiences` with a resource-first configuration API
- Changed dynamic baseURL resolution to ignore `x-forwarded-host` by default
- Required a Google client ID to be configured for One Tap ID token audience validation
! Removed the deprecated `oidcProvider` plugin from `better-auth/plugins`
+ Added support for pre-binding device codes to a specific user during the device authorization flow
+ Added a popup-based OAuth sign-in flow as an alternative to full-page redirects
+ Added DPoP (RFC 9449) sender-constrained access token support to the OAuth provider
+ Enforced `Cache-Control: no-store` on all OAuth credential responses to prevent caching
+ Added `auth.api.consumePhoneNumberOTP` for verifying and consuming phone OTP codes server-side
migration_steps (5 steps)
  1. Replace partial endpoint paths like `/sign-in` with explicit wildcards such as `/sign-in/*` or `/sign-in/**` in your captcha plugin configuration
  2. Install `@better-auth/mcp`, add the `jwt()` plugin, update imports from `better-auth/plugins` to `@better-auth/mcp`, and rename `withMcpAuth` to `requireMcpAuth` and `createMcpAuthClient` to `createMcpResourceClient`
  3. Run `npx auth migrate` to apply schema changes (`oauthApplication` becomes `oauthClient`, with new `oauthRefreshToken` and `oauthClientAssertion` tables)
  4. Replace `validAudiences` with `resources`, link clients through `oauthClientResource`, then run `npx @better-auth/cli generate` and apply the migration to add `oauthResource`, `oauthClientResource`, and the new `jwks` columns before deploying
  5. Configure `oneTap({ clientId: 'your-google-client-id' })` or set `socialProviders.google.clientId` in your Better Auth config
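To make the first migration step concrete, here is an added example, not the captcha plugin's own matcher, of the difference between the old prefix match and a full-path match with explicit `*` and `**` wildcards. The pattern grammar (exactly one segment for `*`, one or more for `**`, `**` only in last position, query string ignored) is an assumption made for illustration.

```typescript
// Added example, not the captcha plugin's own code. Pattern grammar assumed here:
//   "/sign-in"     exactly that path
//   "/sign-in/*"   exactly one further path segment   (e.g. /sign-in/email)
//   "/sign-in/**"  one or more further path segments  (e.g. /sign-in/social/google)
// Only the path is compared; query string, fragment and trailing slash are ignored.

function pathSegments(p: string): string[] {
  return p.split("?")[0].split("#")[0].split("/").filter((s) => s.length > 0);
}

export function matchesEndpoint(pattern: string, path: string): boolean {
  const pat = pathSegments(pattern);
  const segs = pathSegments(path);
  for (let i = 0; i < pat.length; i++) {
    const p = pat[i];
    if (p === "**") {
      // "**" must be the last pattern element and must consume at least one segment
      return i === pat.length - 1 && segs.length > i;
    }
    if (i >= segs.length) return false;             // path shorter than pattern
    if (p !== "*" && p !== segs[i]) return false;   // literal segment mismatch
  }
  return pat.length === segs.length;                // no unmatched trailing segments
}

// New behaviour: a request is CAPTCHA-protected only when some pattern matches the full path.
export function isProtected(patterns: string[], path: string): boolean {
  return patterns.some((pattern) => matchesEndpoint(pattern, path));
}

// Old behaviour the release replaced: any path beginning with the configured string
// matched, so "/sign-in" silently covered "/sign-in/email" and "/sign-in-with-token".
export function legacyPrefixMatch(patterns: string[], path: string): boolean {
  return patterns.some((prefix) => path.startsWith(prefix));
}
```

The practical consequence of the change is the second assertion below: a configuration that still lists `/sign-in` protects the bare path only, and every sub-route you previously got for free now needs its own wildcard entry.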
v1.7.0-beta.5 · Jun 10, 2026 · prerelease · risk: high · tags: breaking, deprecation, migration, feature, security

This release introduces significant breaking changes, including consolidated `id_token` verification, OIDC Back-Channel Logout support, and hardened SSO provider validation. New features include `clientAssertion` support for Microsoft Entra ID, per-provider `requireEmailVerification`, and `id_token` verification for `genericOAuth` providers.

affected

Developers using custom providers, OAuth, SSO, or Electron integrations are affected by breaking changes and need to migrate.

action

Review breaking changes and migration steps, then update your implementation accordingly.

release_signals
- Consolidated `id_token` verification for social providers into a single shared verifier
- Added OIDC Back-Channel Logout support, notifying connected apps and revoking access tokens immediately on sign-out
- Enforced the `max_age` parameter, so users are now prompted to re-authenticate when their session exceeds the requested age
- Hardened the `validateUserInfo` source contract for SSO providers
- Changed OAuth account scopes from a single `scope` string to an accumulated `grantedScopes` array
! Fixed missing `Origin`/`Referer` validation on cookieless email sign-in and sign-up
! Enforced PKCE S256 and hardened custom-scheme origin matching in the Electron sign-in flow
! PayPal no longer supports client-submitted `id_token` sign-in (`signIn.social({ idToken })`)
! Custom providers must rename `OAuthProvider` to `UpstreamProvider` and remove `defaultScopes`
+ Added `clientAssertion` support to the Microsoft Entra ID social provider
+ Added a per-provider `requireEmailVerification` option for social sign-in
+ Added `id_token` verification and client-submitted `id_token` sign-in for `genericOAuth` providers configured with a `discoveryUrl`
+ Added support for POST requests on the userinfo endpoint
+ Added a `user.validateUserInfo` provisioning gate that allows rejecting identities before user creation or account linking
migration_steps (5 steps)
  1. Custom providers implementing `UpstreamProvider` must replace the removed `verifyIdToken` method with an `idToken` config object containing `jwks`, `issuer`, and `audience`
  2. Run `migrate`/`generate` to add three new schema fields: `oauthClient.backchannelLogoutUri`, `oauthClient.backchannelLogoutSessionRequired`, and `oauthAccessToken.revoked`
  3. Update any callbacks that inspect provider data for SSO flows to read from `source.sso` when `source.method` is `'sso'`
  4. Upgrade both the `@better-auth/electron` client and server together, and ensure your app's custom scheme is listed in `trustedOrigins`
  5. Run `migrate`/`generate` to add the `grantedScopes` column, then backfill it from `account.scope` by splitting on commas and whitespace, trimming and deduping the tokens
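Step 5 describes the backfill in words; as an added example (not Better Auth's migration code), the TypeScript below implements it together with the "accumulated" semantics of the new `grantedScopes` array, which is what makes a later, narrower authorization safe. The row shape and the function names are assumptions made for the example.

```typescript
// Added example, not Better Auth's migration code. Row shape assumed for illustration.
export interface AccountRow {
  id: string;
  scope: string | null;            // legacy single string, e.g. "openid email,profile"
  grantedScopes?: string[] | null; // new accumulated array
}

// Split on commas and whitespace, trim, drop empties, dedupe, keep first-seen order.
export function parseScopeString(scope: string | null | undefined): string[] {
  if (!scope) return [];
  const seen = new Set<string>();
  for (const raw of scope.split(/[\s,]+/)) {
    const token = raw.trim();
    if (token.length > 0) seen.add(token);
  }
  return Array.from(seen);
}

// Accumulate: scopes already granted are never dropped because a later
// authorization asked for a narrower set; the union is stored.
export function accumulateScopes(existing: readonly string[], newlyGranted: readonly string[]): string[] {
  return parseScopeString([...existing, ...newlyGranted].join(" "));
}

// Idempotent backfill: rows that already carry grantedScopes are left untouched,
// so the routine can be re-run safely if a deploy is interrupted halfway.
export function backfillGrantedScopes(rows: AccountRow[]): AccountRow[] {
  return rows.map((row) =>
    row.grantedScopes && row.grantedScopes.length > 0
      ? row
      : { ...row, grantedScopes: parseScopeString(row.scope) },
  );
}
```

Keep the legacy `scope` column until the backfill has run everywhere; `backfillGrantedScopes` only reads it, so the two columns can coexist during a rolling deploy.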
v1.7.0-beta.4 · May 31, 2026 · prerelease · risk: high · tags: breaking, migration, feature

This release introduces server-side `accountInfo` calls without session headers and includes numerous bug fixes across authentication, OAuth, and SSO components. Breaking changes affect resource indicators in OAuth and SAML certificate handling.

affected

Developers using OAuth resource indicators or SAML SSO configurations are affected by breaking changes.

action

Run migration commands and update code to handle SAML certificates as arrays.

release_signals
- Bound RFC 8707 resource indicators to the authorization grant: the `customAccessTokenClaims` callback now receives a `resources` array instead of a `resource` string
- Added support for multiple IdP signing certificates: `samlConfig.certificate` is now always an array
+ Added server-side `accountInfo` calls that do not require session headers
+ Added token endpoint client authentication support
+ Added support for multiple IdP signing certificates
migration_steps (2 steps)
  1. Run `npx @better-auth/cli migrate` (or `generate` if you manage the schema yourself) to add the new resource columns for OAuth resource indicators
  2. Update consumers to read `samlConfig.certificate` as an array unconditionally
v1.6.11 · May 12, 2026 · risk: critical · tags: breaking, feature

This release focuses on security fixes and improvements, including hardening OAuth 2.1 compliance, fixing invitation takeover vulnerabilities, and addressing race conditions in token handling.

release_signals
- Hardened the `oidc-provider` and `mcp` plugins to follow OAuth 2.1: removed `"none"` from advertised signing algorithms, defaulted plain PKCE off, and rejected incomplete PKCE parameters
- Enabled `requireEmailVerificationOnInvitation` by default and extended the verification gate to `getInvitation` and `listUserInvitations`
+ Added an atomic `claimOne` adapter primitive for consuming database rows without race conditions
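The PKCE hardening in this release (S256 only unless plain is explicitly enabled, incomplete PKCE parameters rejected) is the same rule the 1.7 Electron flow enforces with its mandatory S256. The following is an added example written for this page, not the `oidc-provider` or `mcp` plugin's code, showing both halves of the check: recording the challenge at the authorization endpoint and verifying the verifier at the token endpoint. The option and record shapes are assumptions; the test vector is the one from RFC 7636 Appendix B.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Added example, not Better Auth's code: OAuth 2.1 PKCE rules as described in
// the v1.6.11 notes. Option and stored-record shapes are assumed.

export type PkceMethod = "S256" | "plain";
export interface PkceOptions { allowPlain?: boolean } // default false, per OAuth 2.1
export interface StoredAuthorization {
  codeChallenge?: string;
  codeChallengeMethod?: PkceMethod;
}

// RFC 7636 section 4.1: 43..128 unreserved characters
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;
// A base64url SHA-256 digest is exactly 43 characters, no padding
const S256_CHALLENGE_RE = /^[A-Za-z0-9\-_]{43}$/;

function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

export function computeS256Challenge(codeVerifier: string): string {
  return base64url(createHash("sha256").update(codeVerifier, "ascii").digest());
}

// Authorization endpoint: validate and record the challenge. An absent
// code_challenge_method means "plain" under RFC 7636, which OAuth 2.1 forbids,
// so it is rejected unless plain was explicitly enabled.
export function recordCodeChallenge(
  params: { code_challenge?: string; code_challenge_method?: string },
  opts: PkceOptions = {},
): StoredAuthorization {
  const challenge = params.code_challenge;
  const method = params.code_challenge_method ?? "plain";
  if (!challenge) throw new Error("invalid_request: code_challenge is required");
  if (method === "S256") {
    if (!S256_CHALLENGE_RE.test(challenge)) throw new Error("invalid_request: malformed S256 code_challenge");
  } else if (method === "plain") {
    if (!opts.allowPlain) throw new Error("invalid_request: code_challenge_method plain is not allowed");
    if (!VERIFIER_RE.test(challenge)) throw new Error("invalid_request: malformed plain code_challenge");
  } else {
    throw new Error("invalid_request: unsupported code_challenge_method");
  }
  return { codeChallenge: challenge, codeChallengeMethod: method as PkceMethod };
}

// Token endpoint: a stored challenge without a verifier, or a verifier against a
// grant that has no challenge, is an incomplete PKCE exchange and is rejected.
export function verifyCodeVerifier(
  stored: StoredAuthorization,
  codeVerifier: string | undefined,
  opts: PkceOptions = {},
): boolean {
  const { codeChallenge, codeChallengeMethod } = stored;
  if (!codeChallenge || !codeChallengeMethod) throw new Error("invalid_grant: authorization was issued without PKCE");
  if (!codeVerifier) throw new Error("invalid_grant: code_verifier is required");
  if (!VERIFIER_RE.test(codeVerifier)) throw new Error("invalid_grant: malformed code_verifier");
  if (codeChallengeMethod === "plain" && !opts.allowPlain) throw new Error("invalid_grant: plain PKCE is disabled");
  const expected = codeChallengeMethod === "S256" ? computeS256Challenge(codeVerifier) : codeVerifier;
  const a = Buffer.from(expected, "ascii");
  const b = Buffer.from(codeChallenge, "ascii");
  return a.length === b.length && timingSafeEqual(a, b); // constant-time comparison
}

// Small helper so callers (and the checks below) can assert that a guard fires.
export function rejects(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}
```

Note the asymmetry that makes "reject incomplete parameters" matter: before this change, a grant recorded without a challenge would simply skip verification, so an attacker who obtained an authorization code did not need the verifier at all. With both halves enforced, the code is only redeemable by the party that generated the verifier.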