From c6922dce8edaed9293ce8d8962fa6ec03dafb2ce Mon Sep 17 00:00:00 2001
From: Dylan Vanmali
Date: Thu, 9 Apr 2026 04:56:29 -0700
Subject: [PATCH] refactor(oauth-provider): reject `skip_consent` at schema level in DCR (#8998)
---
 .changeset/gentle-trains-knock.md | 5 +++++
 packages/oauth-provider/src/oauth.ts | 7 ++++++-
 packages/oauth-provider/src/register.test.ts | 1 +
 packages/oauth-provider/src/register.ts | 8 --------
 4 files changed, 12 insertions(+), 9 deletions(-)
 create mode 100644 .changeset/gentle-trains-knock.md
diff --git a/.changeset/gentle-trains-knock.md b/.changeset/gentle-trains-knock.md
new file mode 100644
index 0000000000..4ad17cbb1c
--- /dev/null
+++ b/.changeset/gentle-trains-knock.md
@@ -0,0 +1,5 @@
+---
+"@better-auth/oauth-provider": patch
+---
+
+Typescript specifies skip_consent type never and errors through zod
diff --git a/packages/oauth-provider/src/oauth.ts b/packages/oauth-provider/src/oauth.ts
index 4d2708b49a..44d55c3708 100644
--- a/packages/oauth-provider/src/oauth.ts
+++ b/packages/oauth-provider/src/oauth.ts
@@ -1177,7 +1177,12 @@ export const oauthProvider = >(options: O) => {
 .optional(),
 type: z.enum(["web", "native", "user-agent-based"]).optional(),
 subject_type: z.enum(["public", "pairwise"]).optional(),
- skip_consent: z.boolean().optional(),
+ skip_consent: z
+ .never({
+ error:
+ "skip_consent cannot be set during dynamic client registration",
+ })
+ .optional(),
 }),
 metadata: {
 openapi: {
diff --git a/packages/oauth-provider/src/register.test.ts b/packages/oauth-provider/src/register.test.ts
index 0c5876d3dd..aa8226c8e7 100644
--- a/packages/oauth-provider/src/register.test.ts
+++ b/packages/oauth-provider/src/register.test.ts
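Review bot: `z.never({...}).optional()` accepts only `undefined`, so a registration request carrying an explicit `skip_consent: false` is now rejected, whereas the truthiness check removed from register.ts in this same commit let it through; if that tightening is intended it deserves a line in the changeset, and if `false` must keep working, `z.literal(false).optional()` with the same `error` would still block `true`. A second consequence is that the rejection no longer comes from the explicit `APIError` with `error: "invalid_client_metadata"` but from schema validation, so whether the RFC 7591 §3.2.2 error body is still produced depends on how the framework serialises zod failures — presumably unverified, since the test only checks the status. A short comment on the field would record why a never-typed key sits in a public DCR schema, e.g. `// never: skip_consent is server-side only; rejected here rather than in checkOAuthClient`. The enclosing schema object and the `oauthProvider` factory both start and end outside the hunk.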
@@ -391,6 +391,7 @@ describe("oauth register - skip_consent blocked", async () => {
 it("should reject skip_consent during dynamic registration", async () => {
 const res = await serverClient.oauth2.register({
 redirect_uris: ["http://localhost:5000/callback"],
+ // @ts-expect-error testing skip consent mimicing client incorrectly sending parameter
 skip_consent: true,
 });
 expect(res.error?.status).toBe(400);
diff --git a/packages/oauth-provider/src/register.ts b/packages/oauth-provider/src/register.ts
index 944fa0ddd7..f5e048657a 100644
--- a/packages/oauth-provider/src/register.ts
+++ b/packages/oauth-provider/src/register.ts
@@ -174,14 +174,6 @@ export async function checkOAuthClient(
 error_description: `pkce is required for registered clients.`,
 });
 }
-
- if (settings?.isRegister && client.skip_consent) {
- throw new APIError("BAD_REQUEST", {
- error: "invalid_client_metadata",
- error_description:
- "skip_consent cannot be set during dynamic client registration",
- });
- }
 }
 
 export async function createOAuthClientEndpoint(
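Review bot: The assertion on the hunk's last line pins only `status` 400, but now that the `invalid_client_metadata` APIError has been removed from checkOAuthClient the error body is whatever the schema-validation path emits, so the test should also pin the field a DCR client parses, e.g. `expect(res.error).toMatchObject({ error: "invalid_client_metadata" })` if the client surfaces the body on `error`. The `it` callback continues outside the hunk, so a later assertion may already cover this. The added `@ts-expect-error` comment also has a typo ("mimicing") and could state the reason more directly: `// @ts-expect-error skip_consent is typed never; mimics a client sending it anyway`.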