From 76a414cebbd2854e584b7cb004fb12d71bc9075a Mon Sep 17 00:00:00 2001
From: Gautam Manchandani
Date: Thu, 8 Jan 2026 11:49:30 +0530
Subject: [PATCH] fix(api-key): remove strict length pre-check in `verifyApiKey` (#6259)
Signed-off-by: GautamBytes
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
---
 .../src/plugins/api-key/api-key.test.ts | 2 +-
 .../src/plugins/api-key/routes/verify-api-key.ts | 14 --------------
 2 files changed, 1 insertion(+), 15 deletions(-)
diff --git a/packages/better-auth/src/plugins/api-key/api-key.test.ts b/packages/better-auth/src/plugins/api-key/api-key.test.ts
index a7e56d4a7f..f5bbe84747 100644
--- a/packages/better-auth/src/plugins/api-key/api-key.test.ts
+++ b/packages/better-auth/src/plugins/api-key/api-key.test.ts
@@ -948,7 +948,7 @@ describe("api-key", async () => {
 },
 });
 expect(apiKey.valid).toBe(false);
- expect(apiKey.error?.code).toBe("KEY_NOT_FOUND");
+ expect(apiKey.error?.code).toBe("INVALID_API_KEY");
 });
 let rateLimitedApiKey: ApiKey;
diff --git a/packages/better-auth/src/plugins/api-key/routes/verify-api-key.ts b/packages/better-auth/src/plugins/api-key/routes/verify-api-key.ts
index 85bf619f3d..73e58a4202 100644
--- a/packages/better-auth/src/plugins/api-key/routes/verify-api-key.ts
+++ b/packages/better-auth/src/plugins/api-key/routes/verify-api-key.ts
@@ -246,20 +246,6 @@ export function verifyApiKey({
 async (ctx) => {
 const { key } = ctx.body;
- if (key.length < opts.defaultKeyLength) {
- // if the key is shorter than the default key length, than we know the key is invalid.
- // we can't check if the key is exactly equal to the default key length, because
- // a prefix may be added to the key.
- return ctx.json({
- valid: false,
- error: {
- message: ERROR_CODES.INVALID_API_KEY,
- code: "KEY_NOT_FOUND" as const,
- },
- key: null,
- });
- }
-
 if (opts.customAPIKeyValidator) {
 const isValid = await opts.customAPIKeyValidator({ ctx, key });
 if (!isValid) {
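Review bot: In api-key.test.ts the only change is the expected code of an existing negative case (`"KEY_NOT_FOUND"` → `"INVALID_API_KEY"`), and the diffstat shows no test added for the behaviour this commit enables — presumably a valid key shorter than `opts.defaultKeyLength` now passing verification. I would add one case that creates such a key and asserts `expect(apiKey.valid).toBe(true)`, and one that submits a short key that was never issued and asserts `valid` is `false`, because with the pre-check removed in verify-api-key.ts every key string now reaches `customAPIKeyValidator` and the code after it. The error code returned for a too-short key is client-visible, so the change from `"KEY_NOT_FOUND"` deserves a line in the release notes for callers that match on it. The test block this assertion belongs to starts outside the hunk, so the key it submits is not visible here.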