github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-23 07:18:56 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

Invalid Origin error with BetterAuth on Vercel preview deployments #1019

New Issue
Closed
opened 2026-03-13 08:19:00 -05:00 by GiteaMirror · 10 comments
GiteaMirror commented 2026-03-13 08:19:00 -05:00
Owner
Copy Link

Originally created by @RicSala on GitHub (Apr 9, 2025).

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

Set up BetterAuth in a Next.js application
Create a pull request that triggers a Vercel preview deployment
Try to authenticate in the preview deployment
Receive "Invalid Origin" error when attempting to authenticat

Current vs. Expected behavior

When using BetterAuth with Vercel preview deployments, authentication attempts fail with an "Invalid Origin" error. This happens because Vercel generates random URLs for preview deployments, which aren't whitelisted in the BetterAuth CORS configuration.

Expected behavior: BetterAuth should work correctly on Vercel preview deployments, either by supporting dynamic origins or by providing a way to configure wildcard/pattern-based origins for preview environments.

What version of Better Auth are you using?

1.2.5

Provide environment information

OS: macOS
Browser: Chrome, Safari, Firefox (issue happens in all browsers)

Which area(s) are affected? (Select all that apply)

Backend, Client

Auth config (if applicable)

import { betterAuth } from 'better-auth';
import { nextCookies } from 'better-auth/next-js';
import { organization } from 'better-auth/plugins';
import { prismaAdapter } from 'better-auth/adapters/prisma';
import { db } from '@/db/prisma';

// First define our auth instance
export const auth = betterAuth({
  user: {
    modelName: 'User',
  },
  basePath: '/api/auth',
  emailAndPassword: {
    enabled: true,
  },
  hooks: {},
  advanced: {
    generateId: false,
  },
  emailVerification: {},
  database: prismaAdapter(db, {
    provider: 'postgresql',
  }),
  plugins: [nextCookies(), organization()],
  //...add more options here
});

export { toNextJsHandler } from 'better-auth/next-js';

Additional context

No response

Originally created by @RicSala on GitHub (Apr 9, 2025). ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce Set up BetterAuth in a Next.js application Create a pull request that triggers a Vercel preview deployment Try to authenticate in the preview deployment Receive "Invalid Origin" error when attempting to authenticat ### Current vs. Expected behavior When using BetterAuth with Vercel preview deployments, authentication attempts fail with an "Invalid Origin" error. This happens because Vercel generates random URLs for preview deployments, which aren't whitelisted in the BetterAuth CORS configuration. Expected behavior: BetterAuth should work correctly on Vercel preview deployments, either by supporting dynamic origins or by providing a way to configure wildcard/pattern-based origins for preview environments. ### What version of Better Auth are you using? 1.2.5 ### Provide environment information ```bash OS: macOS Browser: Chrome, Safari, Firefox (issue happens in all browsers) ``` ### Which area(s) are affected? (Select all that apply) Backend, Client ### Auth config (if applicable) ```typescript import { betterAuth } from 'better-auth'; import { nextCookies } from 'better-auth/next-js'; import { organization } from 'better-auth/plugins'; import { prismaAdapter } from 'better-auth/adapters/prisma'; import { db } from '@/db/prisma'; // First define our auth instance export const auth = betterAuth({ user: { modelName: 'User', }, basePath: '/api/auth', emailAndPassword: { enabled: true, }, hooks: {}, advanced: { generateId: false, }, emailVerification: {}, database: prismaAdapter(db, { provider: 'postgresql', }), plugins: [nextCookies(), organization()], //...add more options here }); export { toNextJsHandler } from 'better-auth/next-js'; ``` ### Additional context _No response_
GiteaMirror commented 2026-03-13 08:19:01 -05:00
Author
Owner
Copy Link

@Kinfe123 commented on GitHub (Apr 10, 2025):

Why don't you try to not allow trustedOrigin on prod only I mean your prod origin only since it is not actually necessary to do guarding on the staging either on non prod envs

@Kinfe123 commented on GitHub (Apr 10, 2025): Why don't you try to not allow trustedOrigin on prod only I mean your prod origin only since it is not actually necessary to do guarding on the staging either on non prod envs
GiteaMirror commented 2026-03-13 08:19:01 -05:00
Author
Owner
Copy Link

@Bekacru commented on GitHub (Apr 10, 2025):

Try removing BETTER_AUTH_URL from env for preview deployments. By default, it only considers the base url as a trusted origin.

@Bekacru commented on GitHub (Apr 10, 2025): Try removing `BETTER_AUTH_URL` from env for preview deployments. By default, it only considers the base url as a trusted origin.
GiteaMirror commented 2026-03-13 08:19:02 -05:00
Author
Owner
Copy Link

@rena0157 commented on GitHub (Apr 10, 2025):

I am also getting the same error. I do not have the BETTER_AUTH_URL in my env for any environments, but locally.

import 'server-only'
import { betterAuth } from 'better-auth'
import { drizzleAdapter } from 'better-auth/adapters/drizzle'
import { admin, oAuthProxy } from 'better-auth/plugins'
import { headers } from 'next/headers'
import { redirect } from 'next/navigation'
import { env } from '~/env'
import { db } from '~/server/db'

export const auth = betterAuth({
  database: drizzleAdapter(db, {
    provider: 'pg',
  }),
  plugins: [oAuthProxy(), admin()],
  socialProviders: {
    microsoft: {
      clientId: env.BETTER_AUTH_MICROSOFT_ID,
      clientSecret: env.BETTER_AUTH_MICROSOFT_SECRET,
      tenantId: env.BETTER_AUTH_MICROSOFT_TENANT,
      redirectURI: env.BETTER_AUTH_MICROSOFT_REDIRECT_URI,
    },
  },
})
@rena0157 commented on GitHub (Apr 10, 2025): I am also getting the same error. I do not have the `BETTER_AUTH_URL` in my env for any environments, but locally. ```ts import 'server-only' import { betterAuth } from 'better-auth' import { drizzleAdapter } from 'better-auth/adapters/drizzle' import { admin, oAuthProxy } from 'better-auth/plugins' import { headers } from 'next/headers' import { redirect } from 'next/navigation' import { env } from '~/env' import { db } from '~/server/db' export const auth = betterAuth({ database: drizzleAdapter(db, { provider: 'pg', }), plugins: [oAuthProxy(), admin()], socialProviders: { microsoft: { clientId: env.BETTER_AUTH_MICROSOFT_ID, clientSecret: env.BETTER_AUTH_MICROSOFT_SECRET, tenantId: env.BETTER_AUTH_MICROSOFT_TENANT, redirectURI: env.BETTER_AUTH_MICROSOFT_REDIRECT_URI, }, }, }) ```
GiteaMirror commented 2026-03-13 08:19:02 -05:00
Author
Owner
Copy Link

@rena0157 commented on GitHub (Apr 10, 2025):

This might be a bit of a hack? But it fixed it:

export const auth = betterAuth({
  database: drizzleAdapter(db, {
    provider: 'pg',
  }),
  trustedOrigins: [process.env.VERCEL_URL!],
  plugins: [oAuthProxy(), admin()],
  socialProviders: {
    microsoft: {
      clientId: env.BETTER_AUTH_MICROSOFT_ID,
      clientSecret: env.BETTER_AUTH_MICROSOFT_SECRET,
      tenantId: env.BETTER_AUTH_MICROSOFT_TENANT,
      redirectURI: env.BETTER_AUTH_MICROSOFT_REDIRECT_URI,
    },
  },
})

I just added

  trustedOrigins: [process.env.VERCEL_URL!],
@rena0157 commented on GitHub (Apr 10, 2025): This might be a bit of a hack? But it fixed it: ```ts export const auth = betterAuth({ database: drizzleAdapter(db, { provider: 'pg', }), trustedOrigins: [process.env.VERCEL_URL!], plugins: [oAuthProxy(), admin()], socialProviders: { microsoft: { clientId: env.BETTER_AUTH_MICROSOFT_ID, clientSecret: env.BETTER_AUTH_MICROSOFT_SECRET, tenantId: env.BETTER_AUTH_MICROSOFT_TENANT, redirectURI: env.BETTER_AUTH_MICROSOFT_REDIRECT_URI, }, }, }) ``` I just added ```ts trustedOrigins: [process.env.VERCEL_URL!], ```
GiteaMirror commented 2026-03-13 08:19:02 -05:00
Author
Owner
Copy Link

@iamshadow-xyz commented on GitHub (May 8, 2025):

bro just remove the base url form the auth-client

@iamshadow-xyz commented on GitHub (May 8, 2025): bro just remove the base url form the auth-client
GiteaMirror commented 2026-03-13 08:19:02 -05:00
Author
Owner
Copy Link

@dizlee commented on GitHub (Jun 9, 2025):

bro just remove the base url form the auth-client

I accidentally had base url hard-coded in auth-client, thanks!

@dizlee commented on GitHub (Jun 9, 2025): > bro just remove the base url form the auth-client I accidentally had base url hard-coded in auth-client, thanks!
GiteaMirror commented 2026-03-13 08:19:03 -05:00
Author
Owner
Copy Link

@iatomic1 commented on GitHub (Jul 29, 2025):

This might be a bit of a hack? But it fixed it:

export const auth = betterAuth({
database: drizzleAdapter(db, {
provider: 'pg',
}),
trustedOrigins: [process.env.VERCEL_URL!],
plugins: [oAuthProxy(), admin()],
socialProviders: {
microsoft: {
clientId: env.BETTER_AUTH_MICROSOFT_ID,
clientSecret: env.BETTER_AUTH_MICROSOFT_SECRET,
tenantId: env.BETTER_AUTH_MICROSOFT_TENANT,
redirectURI: env.BETTER_AUTH_MICROSOFT_REDIRECT_URI,
},
},
})
I just added

trustedOrigins: [process.env.VERCEL_URL!],

Hey @rena0157 is vercel auto setting this in every deployment?

@iatomic1 commented on GitHub (Jul 29, 2025): > This might be a bit of a hack? But it fixed it: > > export const auth = betterAuth({ > database: drizzleAdapter(db, { > provider: 'pg', > }), > trustedOrigins: [process.env.VERCEL_URL!], > plugins: [oAuthProxy(), admin()], > socialProviders: { > microsoft: { > clientId: env.BETTER_AUTH_MICROSOFT_ID, > clientSecret: env.BETTER_AUTH_MICROSOFT_SECRET, > tenantId: env.BETTER_AUTH_MICROSOFT_TENANT, > redirectURI: env.BETTER_AUTH_MICROSOFT_REDIRECT_URI, > }, > }, > }) > I just added > > trustedOrigins: [process.env.VERCEL_URL!], Hey @rena0157 is vercel auto setting this in every deployment?
GiteaMirror commented 2026-03-13 08:19:03 -05:00
Author
Owner
Copy Link

@Metaphysics0 commented on GitHub (Aug 26, 2025):

VERCEL_URL

Yeah bro check
https://vercel.com/docs/environment-variables/system-environment-variables#VERCEL_URL.

the gotcha is that the env does not have the https:// prefix.

in the end this was what fixed it for me:

export const auth = betterAuth({
  trustedOrigins: [
    "http://localhost:5173", 
    ...(process.env.VERCEL_URL ? [`https://${process.env.VERCEL_URL}`] : [])
  ],
...

and in my auth-client:

import { createAuthClient } from "better-auth/svelte";
import { browser } from "$app/environment";

export const authClient = createAuthClient({
  baseURL: browser ? window.location.origin : undefined,
});

I am using sveltekit, but most JS frameworks should have something similar to this ^

@Metaphysics0 commented on GitHub (Aug 26, 2025): > VERCEL_URL Yeah bro check https://vercel.com/docs/environment-variables/system-environment-variables#VERCEL_URL. the gotcha is that the env does not have the `https://` prefix. in the end this was what fixed it for me: ``` export const auth = betterAuth({ trustedOrigins: [ "http://localhost:5173", ...(process.env.VERCEL_URL ? [`https://${process.env.VERCEL_URL}`] : []) ], ... ``` and in my auth-client: ``` import { createAuthClient } from "better-auth/svelte"; import { browser } from "$app/environment"; export const authClient = createAuthClient({ baseURL: browser ? window.location.origin : undefined, }); ``` I am using sveltekit, but most JS frameworks should have something similar to this ^
GiteaMirror commented 2026-03-13 08:19:03 -05:00
Author
Owner
Copy Link

@MatheusCanuto07 commented on GitHub (Sep 7, 2025):

Metaphysics0 thank you so much! I do what you say and everything went well

@MatheusCanuto07 commented on GitHub (Sep 7, 2025): Metaphysics0 thank you so much! I do what you say and everything went well
GiteaMirror commented 2026-03-13 08:19:03 -05:00
Author
Owner
Copy Link

@dakdevs commented on GitHub (Dec 19, 2025):

@Metaphysics0 how did you get around the OAuth provider needing to have the redirect uri on their end?

@dakdevs commented on GitHub (Dec 19, 2025): @Metaphysics0 how did you get around the OAuth provider needing to have the redirect uri on their end?
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#1019
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?