what stackpulse tracks
Better Auth releases from GitHub
StackPulse watches Better Auth release notes and keeps the original source link close to every summary.
#stacks/better-auth/auth
Better Auth release notes, breaking changes, and upgrade notes.
The most comprehensive authentication framework for TypeScript StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.
releases
20
breaking
6
security
9
deprecated
3
migrations
5
upgrade risk
Breaking changes and deprecations
Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.
migration notes
Source-backed next steps
Migration steps and recommended actions are only shown when the upstream release notes support them.
# latest_releases
source-backedv1.7.0-rc.0criticalbreakingdeprecationmigrationfeaturesecurityprereleaseJun 26, 2026
v1.7.0-rc.0
This release introduces significant breaking changes for CAPTCHA, MCP, OAuth provider, and two-factor authentication. Key updates include OIDC back-channel logout support, explicit modeling of protected resources, and PKCE enforcement.
affected
All users of MCP, OAuth provider, two-factor auth, and Electron integration are affected by breaking changes.
action
Review breaking changes carefully and follow migration steps before upgrading.
release_signals
-Renamed MCP route helper from `withMcpAuth` to `requireMcpAuth` and remote client from `createMcpAuthClient` to `createMcpResourceClient`
-Access tokens now invalidate immediately when user session ends via back-channel logout
-Removed `validAudiences` in favor of explicit `resources` configuration
-Revised `enableTwoFactor` response format and removed `skipVerificationOnEnable`
-Electron sign-in now enforces S256 PKCE and stricter origin checks
!OIDC back-channel logout adds immediate session termination capability
!Electron auth flow hardened with mandatory S256 PKCE
!SSRF host guard extended to cover JWKS URIs
!Proxy header trust disabled by default for security
!Refresh token revocation policy tightened
!`oauthApplication` model renamed to `oauthClient` with new associated tables
!`withMcpAuth` helper deprecated in favor of `requireMcpAuth`
!`createMcpAuthClient` deprecated in favor of `createMcpResourceClient`
+Wildcard endpoint matching for CAPTCHA
+MCP packaged as its own module with OAuth provider integration
+OIDC back-channel logout support
+Explicit modeling of OAuth protected resources
+Discriminated response for OTP/TOTP enablement
migration_steps5 steps
- 01Install @better-auth/mcp and add jwt() plugin
- 02Move oidcConfig options to flat mcp() options
- 03Run schema migrations for new oauthClient and resource tables
- 04Update Electron client/server components together
- 05Enable trustedProxyHeaders if using x-forwarded-host
v1.7.0-beta.6highbreakingdeprecationmigrationfeatureprereleaseJun 16, 2026
v1.7.0-beta.6
This release introduces breaking changes to auth endpoint matching, OAuth protected resource modeling, and client authentication. It also adds new features like popup-based OAuth sign-in and DPoP token support.
affected
Users relying on partial path matching in captcha plugin, OAuth audience validation, or dynamic baseURL resolution will need to update their configurations.
action
Follow the detailed migration steps provided in the release notes for each breaking change.
release_signals
-Added wildcard endpoint matching to the captcha plugin, requiring full auth path matches instead of partial prefix matching
-Moved the MCP plugin into its own package, @better-auth/mcp
-Introduced explicit OAuth protected resource modeling, replacing validAudiences with a resource-first configuration API
-Changed dynamic baseURL resolution to ignore x-forwarded-host by default
-Required a Google client ID to be configured for One Tap ID token audience validation
!Removed the deprecated oidcProvider plugin from better-auth/plugins
+Added support for pre-binding device codes to a specific user during the device authorization flow
+Added a popup-based OAuth sign-in flow as an alternative to full-page redirects
+Added DPoP (RFC 9449) sender-constrained access token support to the OAuth provider
+Enforced Cache-Control: no-store on all OAuth credential responses to prevent caching
+Added auth.api.consumePhoneNumberOTP for verifying and consuming phone OTP codes server-side
migration_steps5 steps
- 01Replace partial endpoint paths like /sign-in with explicit wildcards such as /sign-in/* or /sign-in/** in your captcha plugin configuration
- 02Install @better-auth/mcp, add the jwt() plugin, update imports from better-auth/plugins to @better-auth/mcp, rename withMcpAuth to requireMcpAuth and createMcpAuthClient to createMcpResourceClient
- 03Run npx auth migrate to apply schema changes (oauthApplication becomes oauthClient, with new oauthRefreshToken and oauthClientAssertion tables)
- 04Replace validAudiences with resources, link clients through oauthClientResource, then run npx @better-auth/cli generate and apply the migration to add oauthResource, oauthClientResource, and new jwks columns before deploying
- 05Configure oneTap({ clientId: 'your-google-client-id' }) or set socialProviders.google.clientId in your Better Auth config
v1.7.0-beta.5highbreakingdeprecationmigrationfeaturesecurityprereleaseJun 10, 2026
v1.7.0-beta.5
This release introduces significant breaking changes, including consolidated `id_token` verification, OIDC Back-Channel Logout support, and hardened SSO provider validation. New features include `clientAssertion` support for Microsoft Entra ID, per-provider `requireEmailVerification`, and `id_token` verification for `genericOAuth` providers.
affected
Developers using custom providers, OAuth, SSO, or Electron integrations are affected by breaking changes and need to migrate.
action
Review breaking changes and migration steps, then update your implementation accordingly.
release_signals
-Consolidated `id_token` verification for social providers into a single shared verifier
-Added OIDC Back-Channel Logout support, notifying connected apps and revoking access tokens immediately on sign-out
-Enforced `max_age` parameter so users are now prompted to re-authenticate when their session exceeds the requested age
-Hardened the `validateUserInfo` source contract for SSO providers
-Changed OAuth account scopes from a single `scope` string to an accumulated `grantedScopes` array
!Fixed missing `Origin`/`Referer` validation on cookieless email sign-in and sign-up
!Enforced PKCE S256 and hardened custom-scheme origin matching in the Electron sign-in flow
!PayPal no longer supports client-submitted `id_token` sign-in (`signIn.social({ idToken })`)
!Custom providers must rename `OAuthProvider` to `UpstreamProvider` and remove `defaultScopes`
+Added `clientAssertion` support to the Microsoft Entra ID social provider
+Added per-provider `requireEmailVerification` option for social sign-in
+Added `id_token` verification and client-submitted `id_token` sign-in for `genericOAuth` providers configured with a `discoveryUrl`
+Added support for POST requests on the userinfo endpoint
+Added `user.validateUserInfo` provisioning gate to allow rejecting identities before user creation or account linking
migration_steps5 steps
- 01Custom providers implementing `UpstreamProvider` must replace the removed `verifyIdToken` method with an `idToken` config object containing `jwks`, `issuer`, and `audience`
- 02Run `migrate`/`generate` to add three new schema fields: `oauthClient.backchannelLogoutUri`, `oauthClient.backchannelLogoutSessionRequired`, and `oauthAccessToken.revoked`
- 03Update any callbacks that inspect provider data for SSO flows to read from `source.sso` when `source.method` is `'sso'`
- 04Upgrade both the `@better-auth/electron` client and server together, and ensure your app's custom scheme is listed in `trustedOrigins`
- 05Run `migrate`/`generate` to add the `grantedScopes` column, then backfill from `account.scope` by splitting on commas and whitespace, trimming and deduping tokens