Better Auth


Validate invalid token on reset password

If I sendResetPassword url and click it - token is validating and if is valid redirect to provided url if not returning query params with error. It's ok. But what if I enter to reset password page and I provide bad token manually? I don't know if my token is valid or not? How can I check it? I think checking in client.resetPassword({newPassword, token}) is too late....

Better auth does not work on NextJS

Hi guys, I'm trying to add Better Auth to my empty nextjs project but it does not work. I copied the demo project and it does work there, I copied every auth related file but I still can't get it to work in my project. I'm trying to check the session on a server component like this but the session is always null. I have not added a database as I don't need one, I'm logging in using my google account. I keep getting redirected to /sign-in and the console shows this error: ```bash 2025-04-20T19:46:49.619Z WARN [Better Auth]: No database configuration provided. Using memory adapter in development [Error [APIError]: ] {...

Stripe plugin triggers multiple create customer events in Stripe

I have 2 different buttons to subscription.upgrade in my app. After user is registered customer is created in stripe according to createCustomerOnSignUp: true, in plugin config. But when I navigate to one of my 'Subscribe' buttons and click on it -> subscription.upgrade just creates new user in stripe instead of triggering checkout session: ```sh 2025-04-20 14:38:59 --> customer.created [evt_1RG3hf4FS9Rcg327BHPwlIez] 2025-04-20 14:38:59 <-- [200] POST http://localhost:3000/api/auth/stripe/webhook [evt_1RG3hf4FS9Rcg327BHPwlIez]...

Issue with Better-Auth Email Verification

Hey everyone, I'm having an issue with email verification in better-auth. When a user changes their email: The email address gets updated correctly in the database BUT the verification email is not being sent...

Organizations: remove activeOrganization possible?

Hey there, is there a way to remove the activeOrganization so users could decide to be in an active Organization? For my example I'm using the Organization Plugin to have personal and organization workspaces. But my problem is it sets an activeOrgId when I'm joined into a minimum of one organization so users aren't able to "escape" the organization workspace....
Solution:
you can set it null

Cookies not saved in production

I have a node/express backend and a vite react frontend. They are on different urls: Backend: http://my-backend.vercel.app/ auth.ts looks like this:...

clearing 2FA cookie on logout

Hi guys, I’m using Better-Auth with TOTP-based 2FA and had a question about the better-auth.two_factor cookie behavior. I’ve noticed that after a user successfully verifies their TOTP code, the better-auth.two_factor cookie remains present in the browser — even after a full session is created. Similarly, it doesn’t appear to be cleared when the user logs out. This leads to a UX issue where, after logout, my middleware sees the cookie still present (but no session), and incorrectly redirects users back to /verify-2fa instead of letting them hit /....

See what provider made the session

Is there a way to see what provider triggered the session creation? I need to restrict some stuff based on which provider you used to log on due to business restrictions. Or do you have any tips for a workaround....

Setting an `apiKey` additional field on users

I'm trying to add an apiKey field to my users, like so: ```ts import { betterAuth } from "better-auth"; export const auth = betterAuth({...
Solution:
I'm going to assume you're using the apiKey plugin.
But I'm not sure how to generate an unique key for each user on signup. How can I do this?
Use database hooks: https://www.better-auth.com/docs/concepts/database#2-after-hook...

custom type in additionalFields

is it possible to use custom type in additionalFields?
Solution:
We provide set types and that's all that's supported for our adapters.

Centralized auth

Is there any way to have multiple (NextJS + Hono) apps, and a centralized auth one? So every app redirects to auth.example.com and gets the auth form from there and authenticates in there? Thanks in advance
Solution:
so you will have one instance on server either of the server framework and client framework to create a client instance separately so that they can make a request to server through better auth client abstraction

useSession weird behaviour

Hi, I have some problems with useSession, it keeps giving me data null even though I am logged in. I'm testing it with dev and turbopack. This happens when I do a page refresh, so if I logout and log in the hook works, but if I do a page refresh it no longer works returning null. auth-client.ts...

List of endpoints?

Can’t seem to find it, but just looking for a list of endpoints that better auth exposes by default?

Can I use better auth as authentication layer between hono backend and next js frontend?

I'm building platform that has hono js as backend, next js for web app, expo for mobile, prisma for db within turborepo. I'm using nextjs server side data fetching so I have to check authorisation on server side of next js. I know this case is too much complicated. Please if you have any near examples or suggestions, It would help a lot....

The table `main.verification` does not exist in the current database.

hey - trying to use better-auth with hono on cloudflare pages, currently just with a local database. Got hono and the database talking, tried to add better-auth with prisma, and I'm getting the following error: ``` <-- POST /start-sign-in /start-sign-in sees email [email protected]...

Stripe + Organisations

Hey there, first of all great job on better-auth. Love it! Are there any plans in being able to use orgs as the holder of stripe_subscription id? We're using orgs as "tenants" and it would be weird to store the stripe subscription id on the user object, since everything else is related to orgs....

Legal terms compliance

I added a terms of service and privacy policy acceptance checkbox to my sign up form. User accounts cannot be created without checking this box, however the acceptance is not stored in the database at all (e.g. no timestamp, hash/version of the accepted terms documents, etc.). Does anyone know if this is sufficient, legally compliant with e.g. GDPR or do I need to store acceptance information in the database? I did see some discussion about this in this discord server, but not much about legal compliance in the first place. If it's sufficient to not have to worry about storing this info I'd rather take the simpler path! Relevant GDPR section: https://gdpr-info.eu/art-7-gdpr/...

Get user inside session hook

Is there a way to get the userinfo inside a before session databaseHook? I can't call auth.api.getSession and then read the user object as it's in the initialization of auth. My goal is to automatically set the active org based on the email domain. ...

Unknown argument `stripeCustomerId` when creating customer on signup

Hey, I'm having a new issue where updating the user's stripeCustomerId automatically on signup gives me a prisma error. I found another thread here where the issue was the schema not having stripeCustomerId set as optional, but my schema does. Has anyone else had this issue?
Solution:
ok yea it was my fault. I got a warning from prisma to set an output path for the generated client Warning: You did not specify an output path for your generator in schema.prisma. This behavior is deprecated and will no longer be supported in Prisma 7.0.0., but then forgot to change the PrismaClient import statement from the old default path.

Handling better-auth.two_factor cookie after TOTP verification and logout

Hi there, I’m using Better-Auth with TOTP-based 2FA and had a question about the better-auth.two_factor cookie behavior. I’ve noticed that after a user successfully verifies their TOTP code, the better-auth.two_factor cookie remains present in the browser — even after a full session is created. Similarly, it doesn’t appear to be cleared when the user logs out. This leads to a UX issue where, after logout, my middleware sees the cookie still present (but no session), and incorrectly redirects users back to /verify-2fa instead of letting them hit /....