chore: release v1.6.3 (#9081)

.changeset/dcr-graceful-override-confidential.md

@@ -1,25 +0,0 @@
----
-"@better-auth/oauth-provider": patch
----
-
-fix(oauth-provider): override confidential auth methods to public in unauthenticated DCR
-
-When `allowUnauthenticatedClientRegistration` is enabled, unauthenticated DCR
-requests that specify `client_secret_post`, `client_secret_basic`, or omit
-`token_endpoint_auth_method` (which defaults to `client_secret_basic` per
-[RFC 7591 §2](https://datatracker.ietf.org/doc/html/rfc7591#section-2)) are
-now silently overridden to `token_endpoint_auth_method: "none"` (public client)
-instead of being rejected with HTTP 401.
-
-This follows [RFC 7591 §3.2.1](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1),
-which allows the server to "reject or replace any of the client's requested
-metadata values submitted during the registration and substitute them with
-suitable values." The registration response communicates the actual method
-back to the client, allowing compliant clients to adjust.
-
-This fixes interoperability with real-world MCP clients (Claude, Codex, Factory
-Droid, and others) that send `token_endpoint_auth_method: "client_secret_post"`
-in their DCR payload because the server metadata advertises it in
-`token_endpoint_auth_methods_supported`.
-
-Closes #8588

.changeset/dynamic-baseurl-hardening.md

@@ -1,21 +0,0 @@
----
-"better-auth": patch
-"@better-auth/oauth-provider": patch
----
-
-harden dynamic `baseURL` handling for direct `auth.api.*` calls and plugin metadata helpers
-
-**Direct `auth.api.*` calls**
-
-- Throw `APIError` with a clear message when the baseURL can't be resolved (no source and no `fallback`), instead of leaving `ctx.context.baseURL = ""` for downstream plugins to crash on.
-- Convert `allowedHosts` mismatches on the direct-API path to `APIError`.
-- Honor `advanced.trustedProxyHeaders` on the dynamic path (default `true`, unchanged). Previously `x-forwarded-host` / `-proto` were unconditionally trusted with `allowedHosts`; they now go through the same gate as the static path. The default flip to `false` ships in a follow-up PR.
-- `resolveRequestContext` rehydrates `trustedProviders` and cookies per call (in addition to `trustedOrigins`). User-defined `trustedOrigins(req)` / `trustedProviders(req)` callbacks receive a `Request` synthesized from forwarded headers when no full `Request` is available.
-- Infer `http` for loopback hosts (`localhost`, `127.0.0.1`, `[::1]`, `0.0.0.0`) on the headers-only protocol fallback, so local-dev calls don't silently resolve to `https://localhost:3000`.
-- `hasRequest` uses `isRequestLike`, which now rejects objects that spoof `Symbol.toStringTag` without a real `url` / `headers.get` shape.
-
-**Plugin metadata helpers**
-
-- `oauthProviderAuthServerMetadata`, `oauthProviderOpenIdConfigMetadata`, `oAuthDiscoveryMetadata`, and `oAuthProtectedResourceMetadata` forward the incoming request to their chained `auth.api` calls, so `issuer` and discovery URLs reflect the request host on dynamic configs.
-- `withMcpAuth` forwards the incoming request to `getMcpSession`, threads `trustedProxyHeaders`, and emits a bare `Bearer` challenge when `baseURL` can't be resolved (instead of `Bearer resource_metadata="undefined/..."`).
-- `metadataResponse` in `@better-auth/oauth-provider` normalizes headers via `new Headers()` so callers can pass `Headers`, tuple arrays, or records without silently dropping entries.

.changeset/fix-2fa-bypass.md

@@ -1,7 +0,0 @@
----
-"better-auth": patch
----
-
-fix(two-factor): enforce 2FA on all sign-in paths
-
-The 2FA after-hook now triggers on any endpoint that creates a new session, covering magic-link, OAuth, passkey, email-OTP, SIWE, and all future sign-in methods. Authenticated requests (session refreshes, profile updates) are excluded.

.changeset/fix-backup-codes-storage.md

@@ -1,7 +0,0 @@
----
-"better-auth": patch
----
-
-fix(two-factor): preserve backup codes storage format after verification
-
-After using a backup code, remaining codes are now re-saved using the same `storeBackupCodes` strategy (plain, encrypted, or custom) configured by the user. Previously, codes were always re-encrypted with the built-in symmetric encryption, breaking subsequent verifications for plain or custom storage modes.

.changeset/fix-password-reset-callback-operation-id.md

@@ -1,5 +0,0 @@
----
-"better-auth": patch
----
-
-fix(api): align top-level `operationId` on `requestPasswordResetCallback` with the OpenAPI `resetPasswordCallback`

.changeset/fix-stripe-defu-prototype-pollution.md

@@ -1,7 +0,0 @@
----
-"@better-auth/stripe": patch
----
-
-fix(stripe): drop unsafe keys when merging user-supplied metadata
-
-The Stripe plugin previously merged `ctx.body.metadata` through `defu`, which was vulnerable to prototype pollution when attacker-controlled `__proto__` keys reached the second argument. Since Stripe metadata is a flat `Record<string, string>`, the deep-merge was never exercised on that path. The merge now ignores `__proto__`, `constructor`, and `prototype`, so the user-controlled surface no longer depends on `defu`. The remaining `defu` call sites (deep-merging developer-supplied `CustomerCreateParams`) also receive the patched range.

.changeset/honest-regions-jam.md

@@ -1,5 +0,0 @@
----
-"better-auth": patch
----
-
-fix(open-api): correct get-session nullable schema for OAS 3.1

.changeset/honest-symbols-stick.md

@@ -1,5 +0,0 @@
----
-"better-auth": patch
----
-
-fix(client): prevent isMounted race condition causing many rps

.changeset/lovely-toes-swim.md

@@ -1,5 +0,0 @@
----
-"better-auth": patch
----
-
-resolve dynamic `baseURL` from request headers on direct `auth.api` calls

.changeset/oauth-provider-token-refactor.md

@@ -1,9 +0,0 @@
----
-"@better-auth/oauth-provider": patch
----
-
-feat(oauth-provider): add `customTokenResponseFields` callback and Zod validation for authorization codes
-
-Add `customTokenResponseFields` callback to `OAuthOptions` for injecting custom fields into token endpoint responses across all grant types. Standard OAuth fields (`access_token`, `token_type`, etc.) cannot be overridden. Follows the same pattern as `customAccessTokenClaims` and `customIdTokenClaims`.
-
-Authorization code verification values are now validated with a Zod schema at deserialization, consistently returning `invalid_verification` errors for malformed or corrupted values instead of potential 500s.

.changeset/pr-8926.md

@@ -1,5 +0,0 @@
----
-"better-auth": patch
----
-
-omit quantity for metered prices in checkout and upgrades

.changeset/pr-9032.md

@@ -1,5 +0,0 @@
----
-"auth": patch
----
-
-fix tsconfig path alias resolution for extended configs and mid-path wildcards

.changeset/pr-9084.md

@@ -1,5 +0,0 @@
----
-"better-auth": patch
----
-
-support Stripe SDK v21 and v22

.changeset/sso-saml-hardening.md

@@ -1,25 +0,0 @@
----
-"@better-auth/sso": patch
----
-
-fix(sso): unify SAML response processing and fix provider/config bugs
-
-**Bug fixes:**
-
-- Fix SP metadata endpoint using internal row ID instead of `providerId` in ACS URL
-- Fix `acsEndpoint` skipping DB provider lookup when `defaultSSO` is configured
-- Fix `acsEndpoint` missing encryption fields (`isAssertionEncrypted`, `encPrivateKey`), which caused silent decryption failures
-- Fix `defaultSSO` config parsing in callback path (`safeJsonParse` on already-parsed objects)
-- Fix `createSP` missing `callbackUrl` fallback to auto-generated ACS URL
-- Complete `createSP`/`createIdP` helpers with all encryption and signing fields
-
-**Behavioral changes:**
-
-- ACS error redirect query parameters now use uppercase error codes (e.g. `error=SAML_MULTIPLE_ASSERTIONS` instead of `error=multiple_assertions`). If your application parses these error codes from the redirect URL, update the expected values.
-- SAML provider registration now rejects configs with no usable IdP entry point (no valid `entryPoint` URL, no `idpMetadata.metadata`, and no `idpMetadata.singleSignOnService`). Previously these would register successfully but fail at sign-in.
-- `entryPoint` validation tightened from `startsWith("http")` to `new URL()` parsing, rejecting malformed URLs like `http:evil` or `http//missing-colon`.
-
-**Refactoring (no API changes):**
-
-- Extract shared `processSAMLResponse` pipeline to eliminate ~500 lines of duplicated logic between `callbackSSOSAML` and `acsEndpoint`
-- Move `validateSAMLTimestamp` to `saml/timestamp.ts` (re-exported from original location for compatibility)

packages/api-key/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @better-auth/api-key
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]:
+  - better-auth@1.6.3
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/api-key/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/api-key",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "API Key plugin for Better Auth.",
   "type": "module",
   "license": "MIT",

packages/better-auth/CHANGELOG.md

@@ -1,5 +1,53 @@
 # better-auth
 
+## 1.6.3
+
+### Patch Changes
+
+- [#9131](https://github.com/better-auth/better-auth/pull/9131) [`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - harden dynamic `baseURL` handling for direct `auth.api.*` calls and plugin metadata helpers
+
+  **Direct `auth.api.*` calls**
+  - Throw `APIError` with a clear message when the baseURL can't be resolved (no source and no `fallback`), instead of leaving `ctx.context.baseURL = ""` for downstream plugins to crash on.
+  - Convert `allowedHosts` mismatches on the direct-API path to `APIError`.
+  - Honor `advanced.trustedProxyHeaders` on the dynamic path (default `true`, unchanged). Previously `x-forwarded-host` / `-proto` were unconditionally trusted with `allowedHosts`; they now go through the same gate as the static path. The default flip to `false` ships in a follow-up PR.
+  - `resolveRequestContext` rehydrates `trustedProviders` and cookies per call (in addition to `trustedOrigins`). User-defined `trustedOrigins(req)` / `trustedProviders(req)` callbacks receive a `Request` synthesized from forwarded headers when no full `Request` is available.
+  - Infer `http` for loopback hosts (`localhost`, `127.0.0.1`, `[::1]`, `0.0.0.0`) on the headers-only protocol fallback, so local-dev calls don't silently resolve to `https://localhost:3000`.
+  - `hasRequest` uses `isRequestLike`, which now rejects objects that spoof `Symbol.toStringTag` without a real `url` / `headers.get` shape.
+
+  **Plugin metadata helpers**
+  - `oauthProviderAuthServerMetadata`, `oauthProviderOpenIdConfigMetadata`, `oAuthDiscoveryMetadata`, and `oAuthProtectedResourceMetadata` forward the incoming request to their chained `auth.api` calls, so `issuer` and discovery URLs reflect the request host on dynamic configs.
+  - `withMcpAuth` forwards the incoming request to `getMcpSession`, threads `trustedProxyHeaders`, and emits a bare `Bearer` challenge when `baseURL` can't be resolved (instead of `Bearer resource_metadata="undefined/..."`).
+  - `metadataResponse` in `@better-auth/oauth-provider` normalizes headers via `new Headers()` so callers can pass `Headers`, tuple arrays, or records without silently dropping entries.
+
+- [#9122](https://github.com/better-auth/better-auth/pull/9122) [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - fix(two-factor): enforce 2FA on all sign-in paths
+
+  The 2FA after-hook now triggers on any endpoint that creates a new session, covering magic-link, OAuth, passkey, email-OTP, SIWE, and all future sign-in methods. Authenticated requests (session refreshes, profile updates) are excluded.
+
+- [#7231](https://github.com/better-auth/better-auth/pull/7231) [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f) Thanks [@Byte-Biscuit](https://github.com/Byte-Biscuit)! - fix(two-factor): preserve backup codes storage format after verification
+
+  After using a backup code, remaining codes are now re-saved using the same `storeBackupCodes` strategy (plain, encrypted, or custom) configured by the user. Previously, codes were always re-encrypted with the built-in symmetric encryption, breaking subsequent verifications for plain or custom storage modes.
+
+- [#9072](https://github.com/better-auth/better-auth/pull/9072) [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d) Thanks [@ramonclaudio](https://github.com/ramonclaudio)! - fix(api): align top-level `operationId` on `requestPasswordResetCallback` with the OpenAPI `resetPasswordCallback`
+
+- [#8389](https://github.com/better-auth/better-auth/pull/8389) [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649) Thanks [@Oluwatobi-Mustapha](https://github.com/Oluwatobi-Mustapha)! - fix(open-api): correct get-session nullable schema for OAS 3.1
+
+- [#9078](https://github.com/better-auth/better-auth/pull/9078) [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7) Thanks [@ping-maxwell](https://github.com/ping-maxwell)! - fix(client): prevent isMounted race condition causing many rps
+
+- [#9113](https://github.com/better-auth/better-auth/pull/9113) [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af) Thanks [@bytaesu](https://github.com/bytaesu)! - resolve dynamic `baseURL` from request headers on direct `auth.api` calls
+
+- [#8926](https://github.com/better-auth/better-auth/pull/8926) [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463) Thanks [@bytaesu](https://github.com/bytaesu)! - omit quantity for metered prices in checkout and upgrades
+
+- [#9084](https://github.com/better-auth/better-auth/pull/9084) [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f) Thanks [@bytaesu](https://github.com/bytaesu)! - support Stripe SDK v21 and v22
+
+- Updated dependencies []:
+  - @better-auth/core@1.6.3
+  - @better-auth/drizzle-adapter@1.6.3
+  - @better-auth/kysely-adapter@1.6.3
+  - @better-auth/memory-adapter@1.6.3
+  - @better-auth/mongo-adapter@1.6.3
+  - @better-auth/prisma-adapter@1.6.3
+  - @better-auth/telemetry@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/better-auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",

packages/cli/CHANGELOG.md

@@ -1,5 +1,16 @@
 # auth
 
+## 1.6.3
+
+### Patch Changes
+
+- [#9032](https://github.com/better-auth/better-auth/pull/9032) [`4673c6d`](https://github.com/better-auth/better-auth/commit/4673c6d83ce0710e8875e81539b376ee408e28b3) Thanks [@bytaesu](https://github.com/bytaesu)! - fix tsconfig path alias resolution for extended configs and mid-path wildcards
+
+- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]:
+  - better-auth@1.6.3
+  - @better-auth/core@1.6.3
+  - @better-auth/telemetry@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "The CLI for Better Auth",
   "type": "module",
   "license": "MIT",

packages/core/CHANGELOG.md

@@ -1,5 +1,7 @@
 # @better-auth/core
 
+## 1.6.3
+
 ## 1.6.2
 
 ## 1.6.1

packages/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",

packages/drizzle-adapter/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @better-auth/drizzle-adapter
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies []:
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/drizzle-adapter/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/drizzle-adapter",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Drizzle adapter for Better Auth",
   "type": "module",
   "license": "MIT",

packages/electron/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @better-auth/electron
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]:
+  - better-auth@1.6.3
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/electron/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/electron",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Better Auth integration for Electron applications.",
   "type": "module",
   "license": "MIT",

packages/expo/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @better-auth/expo
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]:
+  - better-auth@1.6.3
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/expo/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/expo",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Better Auth integration for Expo and React Native applications.",
   "type": "module",
   "license": "MIT",

packages/i18n/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @better-auth/i18n
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]:
+  - better-auth@1.6.3
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/i18n/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/i18n",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "i18n plugin for Better Auth - translate error messages",
   "type": "module",
   "license": "MIT",

packages/kysely-adapter/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @better-auth/kysely-adapter
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies []:
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/kysely-adapter/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/kysely-adapter",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Kysely adapter for Better Auth",
   "type": "module",
   "license": "MIT",

packages/memory-adapter/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @better-auth/memory-adapter
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies []:
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/memory-adapter/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/memory-adapter",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Memory adapter for Better Auth",
   "type": "module",
   "license": "MIT",

packages/mongo-adapter/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @better-auth/mongo-adapter
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies []:
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/mongo-adapter/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/mongo-adapter",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Mongo adapter for Better Auth",
   "type": "module",
   "license": "MIT",

packages/oauth-provider/CHANGELOG.md

@@ -1,5 +1,56 @@
 # @better-auth/oauth-provider
 
+## 1.6.3
+
+### Patch Changes
+
+- [#9123](https://github.com/better-auth/better-auth/pull/9123) [`e2e25a4`](https://github.com/better-auth/better-auth/commit/e2e25a49545f3e386cfcc4e86b33c1796a1430b1) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - fix(oauth-provider): override confidential auth methods to public in unauthenticated DCR
+
+  When `allowUnauthenticatedClientRegistration` is enabled, unauthenticated DCR
+  requests that specify `client_secret_post`, `client_secret_basic`, or omit
+  `token_endpoint_auth_method` (which defaults to `client_secret_basic` per
+  [RFC 7591 §2](https://datatracker.ietf.org/doc/html/rfc7591#section-2)) are
+  now silently overridden to `token_endpoint_auth_method: "none"` (public client)
+  instead of being rejected with HTTP 401.
+
+  This follows [RFC 7591 §3.2.1](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1),
+  which allows the server to "reject or replace any of the client's requested
+  metadata values submitted during the registration and substitute them with
+  suitable values." The registration response communicates the actual method
+  back to the client, allowing compliant clients to adjust.
+
+  This fixes interoperability with real-world MCP clients (Claude, Codex, Factory
+  Droid, and others) that send `token_endpoint_auth_method: "client_secret_post"`
+  in their DCR payload because the server metadata advertises it in
+  `token_endpoint_auth_methods_supported`.
+
+  Closes [#8588](https://github.com/better-auth/better-auth/issues/8588)
+
+- [#9131](https://github.com/better-auth/better-auth/pull/9131) [`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - harden dynamic `baseURL` handling for direct `auth.api.*` calls and plugin metadata helpers
+
+  **Direct `auth.api.*` calls**
+  - Throw `APIError` with a clear message when the baseURL can't be resolved (no source and no `fallback`), instead of leaving `ctx.context.baseURL = ""` for downstream plugins to crash on.
+  - Convert `allowedHosts` mismatches on the direct-API path to `APIError`.
+  - Honor `advanced.trustedProxyHeaders` on the dynamic path (default `true`, unchanged). Previously `x-forwarded-host` / `-proto` were unconditionally trusted with `allowedHosts`; they now go through the same gate as the static path. The default flip to `false` ships in a follow-up PR.
+  - `resolveRequestContext` rehydrates `trustedProviders` and cookies per call (in addition to `trustedOrigins`). User-defined `trustedOrigins(req)` / `trustedProviders(req)` callbacks receive a `Request` synthesized from forwarded headers when no full `Request` is available.
+  - Infer `http` for loopback hosts (`localhost`, `127.0.0.1`, `[::1]`, `0.0.0.0`) on the headers-only protocol fallback, so local-dev calls don't silently resolve to `https://localhost:3000`.
+  - `hasRequest` uses `isRequestLike`, which now rejects objects that spoof `Symbol.toStringTag` without a real `url` / `headers.get` shape.
+
+  **Plugin metadata helpers**
+  - `oauthProviderAuthServerMetadata`, `oauthProviderOpenIdConfigMetadata`, `oAuthDiscoveryMetadata`, and `oAuthProtectedResourceMetadata` forward the incoming request to their chained `auth.api` calls, so `issuer` and discovery URLs reflect the request host on dynamic configs.
+  - `withMcpAuth` forwards the incoming request to `getMcpSession`, threads `trustedProxyHeaders`, and emits a bare `Bearer` challenge when `baseURL` can't be resolved (instead of `Bearer resource_metadata="undefined/..."`).
+  - `metadataResponse` in `@better-auth/oauth-provider` normalizes headers via `new Headers()` so callers can pass `Headers`, tuple arrays, or records without silently dropping entries.
+
+- [#9118](https://github.com/better-auth/better-auth/pull/9118) [`314e06f`](https://github.com/better-auth/better-auth/commit/314e06f0fd84ac90b55b5430624a74c5a8d62bfd) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - feat(oauth-provider): add `customTokenResponseFields` callback and Zod validation for authorization codes
+
+  Add `customTokenResponseFields` callback to `OAuthOptions` for injecting custom fields into token endpoint responses across all grant types. Standard OAuth fields (`access_token`, `token_type`, etc.) cannot be overridden. Follows the same pattern as `customAccessTokenClaims` and `customIdTokenClaims`.
+
+  Authorization code verification values are now validated with a Zod schema at deserialization, consistently returning `invalid_verification` errors for malformed or corrupted values instead of potential 500s.
+
+- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]:
+  - better-auth@1.6.3
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/oauth-provider/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",

packages/passkey/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @better-auth/passkey
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]:
+  - better-auth@1.6.3
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/passkey/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/passkey",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Passkey plugin for Better Auth",
   "type": "module",
   "license": "MIT",

packages/prisma-adapter/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @better-auth/prisma-adapter
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies []:
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/prisma-adapter/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/prisma-adapter",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Prisma adapter for Better Auth",
   "type": "module",
   "license": "MIT",

packages/redis-storage/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @better-auth/redis-storage
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies []:
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/redis-storage/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/redis-storage",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Redis storage for Better Auth secondary storage",
   "type": "module",
   "license": "MIT",

packages/scim/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @better-auth/scim
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]:
+  - better-auth@1.6.3
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/scim/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/scim",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "SCIM plugin for Better Auth",
   "type": "module",
   "license": "MIT",

packages/sso/CHANGELOG.md

@@ -1,5 +1,32 @@
 # @better-auth/sso
 
+## 1.6.3
+
+### Patch Changes
+
+- [#9097](https://github.com/better-auth/better-auth/pull/9097) [`52c4751`](https://github.com/better-auth/better-auth/commit/52c47517a21600d40a3e82c427409083b4a0a9ec) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - fix(sso): unify SAML response processing and fix provider/config bugs
+
+  **Bug fixes:**
+  - Fix SP metadata endpoint using internal row ID instead of `providerId` in ACS URL
+  - Fix `acsEndpoint` skipping DB provider lookup when `defaultSSO` is configured
+  - Fix `acsEndpoint` missing encryption fields (`isAssertionEncrypted`, `encPrivateKey`), which caused silent decryption failures
+  - Fix `defaultSSO` config parsing in callback path (`safeJsonParse` on already-parsed objects)
+  - Fix `createSP` missing `callbackUrl` fallback to auto-generated ACS URL
+  - Complete `createSP`/`createIdP` helpers with all encryption and signing fields
+
+  **Behavioral changes:**
+  - ACS error redirect query parameters now use uppercase error codes (e.g. `error=SAML_MULTIPLE_ASSERTIONS` instead of `error=multiple_assertions`). If your application parses these error codes from the redirect URL, update the expected values.
+  - SAML provider registration now rejects configs with no usable IdP entry point (no valid `entryPoint` URL, no `idpMetadata.metadata`, and no `idpMetadata.singleSignOnService`). Previously these would register successfully but fail at sign-in.
+  - `entryPoint` validation tightened from `startsWith("http")` to `new URL()` parsing, rejecting malformed URLs like `http:evil` or `http//missing-colon`.
+
+  **Refactoring (no API changes):**
+  - Extract shared `processSAMLResponse` pipeline to eliminate ~500 lines of duplicated logic between `callbackSSOSAML` and `acsEndpoint`
+  - Move `validateSAMLTimestamp` to `saml/timestamp.ts` (re-exported from original location for compatibility)
+
+- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]:
+  - better-auth@1.6.3
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/sso/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/sso",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "SSO plugin for Better Auth",
   "type": "module",
   "license": "MIT",

packages/stripe/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @better-auth/stripe
 
+## 1.6.3
+
+### Patch Changes
+
+- [#9164](https://github.com/better-auth/better-auth/pull/9164) [`390a031`](https://github.com/better-auth/better-auth/commit/390a03190c988776e53c5e64cf6c2f60db1c5415) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - fix(stripe): drop unsafe keys when merging user-supplied metadata
+
+  The Stripe plugin previously merged `ctx.body.metadata` through `defu`, which was vulnerable to prototype pollution when attacker-controlled `__proto__` keys reached the second argument. Since Stripe metadata is a flat `Record<string, string>`, the deep-merge was never exercised on that path. The merge now ignores `__proto__`, `constructor`, and `prototype`, so the user-controlled surface no longer depends on `defu`. The remaining `defu` call sites (deep-merging developer-supplied `CustomerCreateParams`) also receive the patched range.
+
+- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]:
+  - better-auth@1.6.3
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/stripe/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/stripe",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Stripe plugin for Better Auth",
   "type": "module",
   "license": "MIT",

packages/telemetry/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @better-auth/telemetry
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies []:
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/telemetry/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/telemetry",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Telemetry package for Better Auth",
   "type": "module",
   "license": "MIT",

packages/test-utils/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @better-auth/test-utils
 
+## 1.6.3
+
+### Patch Changes
+
+- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]:
+  - better-auth@1.6.3
+  - @better-auth/core@1.6.3
+
 ## 1.6.2
 
 ### Patch Changes

packages/test-utils/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/test-utils",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "Testing utilities for Better Auth adapter development",
   "type": "module",
   "license": "MIT",