stack.pulse

Better Auth release notes, breaking changes, and upgrade notes.

Better Auth: the most comprehensive authentication framework for TypeScript. StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

releases: 20
breaking: 6
security: 9
deprecated: 3
migrations: 5


what stackpulse tracks

Better Auth releases from GitHub

StackPulse watches Better Auth release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases

v1.7.0-rc.0

severity: critical | breaking, deprecation, migration, feature, security, prerelease | Jun 26, 2026 | source-backed

This release introduces significant breaking changes for CAPTCHA, MCP, OAuth provider, and two-factor authentication. Key updates include OIDC back-channel logout support, explicit modeling of protected resources, and PKCE enforcement.

affected

All users of MCP, OAuth provider, two-factor auth, and Electron integration are affected by breaking changes.

action

Review breaking changes carefully and follow migration steps before upgrading.

release_signals
- Renamed MCP route helper from `withMcpAuth` to `requireMcpAuth` and remote client from `createMcpAuthClient` to `createMcpResourceClient`
- Access tokens now invalidate immediately when user session ends via back-channel logout
- Removed `validAudiences` in favor of explicit `resources` configuration
- Revised `enableTwoFactor` response format and removed `skipVerificationOnEnable`
- Electron sign-in now enforces S256 PKCE and stricter origin checks
! OIDC back-channel logout adds immediate session termination capability
! Electron auth flow hardened with mandatory S256 PKCE
! SSRF host guard extended to cover JWKS URIs
! Proxy header trust disabled by default for security
! Refresh token revocation policy tightened
! `oauthApplication` model renamed to `oauthClient` with new associated tables
! `withMcpAuth` helper deprecated in favor of `requireMcpAuth`
! `createMcpAuthClient` deprecated in favor of `createMcpResourceClient`
+ Wildcard endpoint matching for CAPTCHA
+ MCP packaged as its own module with OAuth provider integration
+ OIDC back-channel logout support
+ Explicit modeling of OAuth protected resources
+ Discriminated response for OTP/TOTP enablement
migration_steps (5 steps)
  1. Install @better-auth/mcp and add jwt() plugin
  2. Move oidcConfig options to flat mcp() options
  3. Run schema migrations for new oauthClient and resource tables
  4. Update Electron client/server components together
  5. Enable trustedProxyHeaders if using x-forwarded-host
view source on github ->
v1.6.21

severity: medium | security | Jun 26, 2026

This release focuses on bug fixes across multiple packages, including improvements to rate limits, session handling, OAuth validation, and security enhancements.

affected

Users relying on OAuth, SSO, or IP resolution features may be affected by these fixes.

action

Update to v1.6.21 to benefit from the latest bug fixes and security improvements.

release_signals
! Fixed client IP resolution to prevent `X-Forwarded-For` spoofing in multi-hop proxy chains
! Fixed SAML single logout to reject IdP SLO POST URLs that use non-http(s) schemes such as `javascript:` or `data:`
view source on github ->
v1.7.0-beta.7

severity: medium | feature, security, prerelease | Jun 18, 2026

This beta release introduces new token refresh configuration options and improves security with SSRF protection and ID token nonce binding fixes.

affected

Users implementing OAuth flows or token refresh functionality are affected by these changes.

action

Review the security fixes and consider implementing the new refreshTokenParams configuration if needed.

release_signals
! Fixed SSRF protection for client_id host validation by routing checks through the shared host classifier
! Fixed ID token nonce binding in the generic OAuth redirect flow
+ Added refreshTokenParams config to forward extra parameters to the token endpoint during token refresh
+ Added sessionId to ID token claim contributors
view source on github ->
v1.6.18

severity: high | feature, security | Jun 12, 2026

This release focuses on fixing numerous bugs related to concurrent requests, session management, and security vulnerabilities. Key improvements include stricter rate limiting, atomic counter updates, and enhanced replay protection for various authentication mechanisms.

affected

Users relying on concurrent authentication mechanisms, rate limiting, or replay protection are most affected.

action

Update to this version to benefit from improved security and stability fixes.

release_signals
! Fixed SAML assertion replay protection to prevent duplicate submissions
! Fixed SCIM bearer token comparison to use constant-time comparison
! Fixed MCP bearer token validation to reject expired access tokens
! Fixed OIDC `/oauth2/endsession` endpoint to reject cross-site logout requests without `id_token_hint`
! Fixed Google One Tap to require a configured client ID
+ Added `internalAdapter.reserveVerificationValue` for atomic single-use markers
+ Added `incrementOne` adapter method and `SecondaryStorage.increment` for atomic counter updates
view source on github ->
v1.6.17

severity: high | feature, security | Jun 12, 2026

This release introduces an experimental OAuth popup plugin and addresses numerous race conditions and bugs related to session management, token handling, and security.

affected

Users relying on OAuth, session management, and token handling are affected by these changes.

action

Update to the latest version to benefit from improved security and bug fixes.

release_signals
! Fixed race conditions in token handling to prevent multiple uses of the same token.
! Improved replay protection across verification flows with atomic single-use markers.
! Fixed Google One Tap to reject ID tokens issued for a different application.
+ Added an experimental `oauthPopup` plugin for popup-based OAuth sign-in, enabling sign-in inside cross-site iframes.
view source on github ->
v1.7.0-beta.5

severity: high | breaking, deprecation, migration, feature, security, prerelease | Jun 10, 2026

This release introduces significant breaking changes, including consolidated `id_token` verification, OIDC Back-Channel Logout support, and hardened SSO provider validation. New features include `clientAssertion` support for Microsoft Entra ID, per-provider `requireEmailVerification`, and `id_token` verification for `genericOAuth` providers.

affected

Developers using custom providers, OAuth, SSO, or Electron integrations are affected by breaking changes and need to migrate.

action

Review breaking changes and migration steps, then update your implementation accordingly.

release_signals
- Consolidated `id_token` verification for social providers into a single shared verifier
- Added OIDC Back-Channel Logout support, notifying connected apps and revoking access tokens immediately on sign-out
- Enforced `max_age` parameter so users are now prompted to re-authenticate when their session exceeds the requested age
- Hardened the `validateUserInfo` source contract for SSO providers
- Changed OAuth account scopes from a single `scope` string to an accumulated `grantedScopes` array
! Fixed missing `Origin`/`Referer` validation on cookieless email sign-in and sign-up
! Enforced PKCE S256 and hardened custom-scheme origin matching in the Electron sign-in flow
! PayPal no longer supports client-submitted `id_token` sign-in (`signIn.social({ idToken })`)
! Custom providers must rename `OAuthProvider` to `UpstreamProvider` and remove `defaultScopes`
+ Added `clientAssertion` support to the Microsoft Entra ID social provider
+ Added per-provider `requireEmailVerification` option for social sign-in
+ Added `id_token` verification and client-submitted `id_token` sign-in for `genericOAuth` providers configured with a `discoveryUrl`
+ Added support for POST requests on the userinfo endpoint
+ Added `user.validateUserInfo` provisioning gate to allow rejecting identities before user creation or account linking
migration_steps (5 steps)
  1. Custom providers implementing `UpstreamProvider` must replace the removed `verifyIdToken` method with an `idToken` config object containing `jwks`, `issuer`, and `audience`
  2. Run `migrate`/`generate` to add three new schema fields: `oauthClient.backchannelLogoutUri`, `oauthClient.backchannelLogoutSessionRequired`, and `oauthAccessToken.revoked`
  3. Update any callbacks that inspect provider data for SSO flows to read from `source.sso` when `source.method` is `'sso'`
  4. Upgrade both the `@better-auth/electron` client and server together, and ensure your app's custom scheme is listed in `trustedOrigins`
  5. Run `migrate`/`generate` to add the `grantedScopes` column, then backfill from `account.scope` by splitting on commas and whitespace, trimming and deduping tokens
view source on github ->
v1.6.16

severity: critical | security | Jun 10, 2026

This release focuses on bug fixes across multiple modules, addressing issues in SIWE verification, PayPal ID token verification, Google hosted domain enforcement, and more. Security improvements include fixes for replay attacks, SSRF vulnerabilities, and token verification enhancements.

affected

Users relying on SIWE, PayPal, Google, Facebook, SAML, or OIDC integrations may need to verify their configurations due to security fixes and verification enhancements.

action

Review and update configurations for SIWE, PayPal, Google, Facebook, SAML, and OIDC integrations to ensure compatibility with the latest security fixes.

release_signals
! Fixed SAML `AuthnRequest` handling to prevent replay attacks on concurrent requests.
! Fixed OIDC endpoint validation to reject server-side requests resolving to non-publicly-routable addresses, protecting against SSRF.
! Fixed SIWE verification to bind the signed message to server state, preventing acceptance of signatures produced for a different message, earlier nonce, or unrelated domain.
! Fixed PayPal ID token verification to validate the signature, issuer, audience, expiration, and nonce against PayPal's JWKS or client secret.
! Fixed Facebook token verification to validate tokens against the configured app via the `debug_token` endpoint.
view source on github ->
v1.6.13

severity: high | feature, security | May 31, 2026

This release introduces server-side `accountInfo` calls with an optional `userId` parameter and fixes several bugs, including a high-severity XML injection vulnerability in SAML assertions.

affected

Users relying on SAML Single Sign-On (SSO) or server-side `accountInfo` calls are most affected by this release.

action

Update to v1.6.13 to mitigate the SAML XML injection vulnerability and benefit from the new `accountInfo` feature.

release_signals
! Fixed a high-severity XML injection vulnerability in signed SAML assertions by updating `samlify` to 2.13.1 (GHSA-34r5-q4jw-r36m)
+ Added support for server-side `accountInfo` calls with an optional `userId` parameter, allowing trusted callers to read provider profiles without constructing session headers
view source on github ->
v1.6.12

severity: high | feature, security | May 29, 2026

This release focuses on bug fixes across multiple packages, including session cookie handling, OAuth state validation, and security improvements.

affected

Users relying on session cookies, OAuth flows, or passkey authentication may be affected by security fixes and improvements.

action

Update to version 1.6.12 to benefit from security fixes and bug improvements.

release_signals
! Fixed a session cookie leak that allowed `session_token` and `session_data` cookies to be captured and replayed to bypass 2FA when cookie caching is enabled.
! Updated XML parser dependency to a patched release to resolve security alerts.
! Fixed passkey challenges to be consumed atomically, preventing replay attacks.
+ Added `accessTokenExpiresIn` config option to `genericOAuth` for providers that omit `expires_in` in their token response.
+ Added `toCamelCase`, `toSnakeCase`, `toPascalCase`, and `toKebabCase` utilities to `@better-auth/core/utils/string`.
view source on github ->