From 2a80e02ad40080ca5b210cb823517290270eef4b Mon Sep 17 00:00:00 2001
From: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Date: Thu, 8 Jan 2026 23:42:20 +1000
Subject: [PATCH] docs: document `disableOriginCheck` in options.mdx (#7199)
---
 docs/content/docs/reference/options.mdx | 2 ++
 packages/better-auth/src/api/middlewares/origin-check.ts | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/content/docs/reference/options.mdx b/docs/content/docs/reference/options.mdx
index 9422847776..42a107b718 100644
--- a/docs/content/docs/reference/options.mdx
+++ b/docs/content/docs/reference/options.mdx
@@ -491,6 +491,7 @@ export const auth = betterAuth({
 },
 useSecureCookies: true,
 disableCSRFCheck: false,
+ disableOriginCheck: false,
 crossSubDomainCookies: {
 enabled: true,
 additionalCookies: ["custom_cookie"],
@@ -532,6 +533,7 @@ export const auth = betterAuth({
 - `ipAddress`: IP address configuration for rate limiting and session tracking
 - `useSecureCookies`: Use secure cookies (default: `false`)
 - `disableCSRFCheck`: Disable trusted origins check (⚠️ security risk)
+- `disableOriginCheck`: Disable origin check (⚠️ security risk)
 - `crossSubDomainCookies`: Configure cookies to be shared across subdomains
 - `cookies`: Customize cookie names and attributes
 - `defaultCookieAttributes`: Default attributes for all cookies
diff --git a/packages/better-auth/src/api/middlewares/origin-check.ts b/packages/better-auth/src/api/middlewares/origin-check.ts
index 5a1422d921..326687db31 100644
--- a/packages/better-auth/src/api/middlewares/origin-check.ts
+++ b/packages/better-auth/src/api/middlewares/origin-check.ts
@@ -165,7 +165,7 @@ async function validateOrigin(
 }
 if (!originHeader || originHeader === "null") {
- throw new APIError("FORBIDDEN", { message: "Missing or null Origin" });
+ throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.MISSING_OR_NULL_ORIGIN);
 }
 const trustedOrigins: string[] = Array.isArray(
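Review bot: The guard `if (!originHeader || originHeader === "null")` in the origin-check.ts hunk rejects the literal string `"null"` the same way as a missing header, but nothing on these lines says why. A short comment such as `// Browsers send "Origin: null" from opaque origins (sandboxed iframes, data: URLs); never treat it as a trusted origin` would keep a later edit from relaxing the check. The replacement throw depends on `BASE_ERROR_CODES.MISSING_OR_NULL_ORIGIN`, which this patch neither imports nor defines, so it presumably already exists in scope; that is worth confirming. The commit is labelled `docs:` yet changes a runtime error, so clients or tests that match on the old `"Missing or null Origin"` message may be affected. validateOrigin starts and ends outside this hunk.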