[GH-ISSUE #6348] Documentation gap: Device Authorization plugin should mention using bearer plugin #10490

Closed
opened 2026-04-13 06:40:17 -05:00 by GiteaMirror · 9 comments

Originally created by @bcheung on GitHub (Nov 27, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/6348

Originally assigned to: @bytaesu on GitHub.

Device Authorization plugin should mention using the bearer plugin for authed requests but doesn't.
The [device auth docs](https://www.better-auth.com/docs/plugins/device-authorization) show:

```
const { data: session } = await authClient.getSession({
  fetchOptions: {
    headers: {
      Authorization: `Bearer ${data.access_token}`,
    },
  },
});
```

But this doesn't work without the bearer() plugin and isn't mentioned anywhere in the device auth docs.

Suggested fix: Add a note to the device auth docs like:

"To use the access token for authenticated API calls (like getSession), add the bearer() plugin to your server config."

GiteaMirror added the locked label 2026-04-13 06:40:17 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 27, 2025):

Thanks for the feedback on the Device Authorization documentation! It looks like the current example shows using the access token in the Authorization header with getSession without mentioning that the bearer() plugin must also be added in your server configuration. To address this, we suggest updating the documentation with a clear note like:

"To use the access token for authenticated API calls (such as getSession), please ensure that you add the bearer() plugin to your Better Auth server configuration."

This will help clarify that the bearer() plugin is required in order for the Authorization header to work as intended, ensuring a smoother developer experience. Have you encountered any specific issues when using the current setup, or is there any additional detail you think would help developers in this context? Tag @better-auth-agent if you would like an answer from the Agent.

@GautamBytes commented on GitHub (Nov 27, 2025):

working on it, expect a pr soon!

@nightire commented on GitHub (Jan 3, 2026):

@better-auth-agent

I believe that even using the bearer plugin likely won't solve this issue. The bearer plugin simply places the signed cookie value in the header to return it to the client, meaning you still have to pass that signed cookie value in subsequent requests.

The problem with the Device Authorization plugin is that the access token it ultimately returns is the raw session token. Therefore, even if you pass the bearer token through the header, it cannot pass verification. I have already tried this approach.

@better-auth-agent[bot] commented on GitHub (Jan 3, 2026):

It seems like you're encountering a complex issue with the Device Authorization plugin and its interaction with the bearer plugin. It sounds like the access token returned is not properly functioning as expected. There has indeed been a bug regarding session handling in the Device Authorization plugin that was resolved in past updates, which may be relevant to your situation [[2]](https://github.com/better-auth/better-auth/pull/4695).

Furthermore, there is currently an open issue suggesting that the documentation should clearly state the need for the bearer plugin when making authorized requests [[3]](https://github.com/better-auth/better-auth/pull/6351). This suggests that additional clarifications in the documentation may help avoid these kinds of issues going forward.

For troubleshooting, I recommend confirming your implementation against the updated examples provided in the documentation or experimenting with the bearer plugin to verify whether your access token can successfully pass authentication. If problems persist, it may be useful to open a new GitHub issue or tag @bekacru or @ping__ for direct assistance from the Better Auth team.

What specific approach have you tried thus far to troubleshoot the token verification issue?

@nightire commented on GitHub (Jan 3, 2026):

@better-auth-agent This is what we got from the Device Authorization Plugin currently:

```
{
  access_token: 'MFqMsTa6UMgRnDcYyesC4IYeACYvdTWm',	// <- this is a raw session token, not signed cookie value
  token_type: 'Bearer',
  expires_in: 604799,
  scope: ''
}
```

With this access_token (and bearer plugin enabled of course), if we send a request through bearer token, we can't pass the authentication:

```
curl --location --request GET 'http://localhost:5001/v1/auth/get-session' \
--header 'Authorization: Bearer MFqMsTa6UMgRnDcYyesC4IYeACYvdTWm'
null
```

@better-auth-agent[bot] commented on GitHub (Jan 3, 2026):

It looks like you're running into an issue where the Bearer token isn't being processed correctly when making requests with the Device Authorization plugin. Based on the current documentation, it's crucial to ensure that the bearer() plugin is enabled in your server configuration to handle the Authorization: Bearer ${data.access_token} header properly.

A suggested addition to the documentation is to clarify this requirement. The note states:

> "To use the access token for authenticated API calls (like getSession), add the bearer() plugin to your server config" [[2]](https://github.com/better-auth/better-auth/pull/6351).

Since you’re getting a null response when trying to use the token, double-check that the bearer() plugin is indeed included in your configuration. Also, ensure that the access token has not expired and that you're using the correct endpoint.

Would you like to share any specific code snippets or configurations you're using? That way, I can help troubleshoot further!

@nightire commented on GitHub (Jan 3, 2026):

@better-auth-agent You're not helping here, the issue is not about bearer plugin but the token returned from device authorization plugin is not properly signed.

> Manually setting the cookie header with a raw session token will not work—Better Auth expects a signed and URL-encoded cookie value, not just the raw token.
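
The distinction raised in the comment above, as an added example that is not part of the thread and is not Better Auth's code: a generic verifier that accepts only a URL-encoded `token.signature` value, so a raw session token sent as a bearer token yields `null` while its signed form resolves to a session. The secret, token, session store, function names and the signing scheme (HMAC-SHA256, base64) are assumptions made for illustration.

```javascript
// Added illustration of a signed-token check; NOT Better Auth's implementation.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed demo values (assumptions). A real secret comes from configuration.
const DEMO_SECRET = "constructed-demo-secret";
const RAW_TOKEN = "constructedRawSessionToken0001";
const SESSIONS = new Map([[RAW_TOKEN, { userId: "demo-user" }]]);

// HMAC-SHA256 over the raw token, base64-encoded (may contain + / =).
function mac(token, secret) {
  return createHmac("sha256", secret).update(token).digest("base64");
}

// Server side: produce the signed, URL-encoded form "token.signature".
function signToken(token, secret) {
  return encodeURIComponent(`${token}.${mac(token, secret)}`);
}

// Return the raw token if the signature is valid, otherwise null.
function verifySigned(value, secret) {
  let decoded;
  try {
    decoded = decodeURIComponent(value);
  } catch {
    return null; // malformed percent-encoding
  }
  const dot = decoded.lastIndexOf(".");
  if (dot <= 0) return null; // no signature part: a raw token ends here
  const token = decoded.slice(0, dot);
  const given = Buffer.from(decoded.slice(dot + 1), "base64");
  const expected = Buffer.from(mac(token, secret), "base64");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return null;
  return timingSafeEqual(given, expected) ? token : null;
}

// Resolve a session from an Authorization header, or null if it fails.
function sessionFromBearer(header, secret, sessions) {
  const match = /^Bearer\s+(\S+)$/i.exec(header ?? "");
  if (!match) return null;
  const token = verifySigned(match[1], secret);
  return token === null ? null : (sessions.get(token) ?? null);
}

// Raw token: rejected even though it is a valid key in the session store.
console.log(sessionFromBearer(`Bearer ${RAW_TOKEN}`, DEMO_SECRET, SESSIONS));
// Signed form of the same token: accepted.
console.log(
  sessionFromBearer(`Bearer ${signToken(RAW_TOKEN, DEMO_SECRET)}`, DEMO_SECRET, SESSIONS)
);
```

When a bearer request returns `null`, checking whether the token carries a signature part at all separates this failure from an expired or unknown session.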

@better-auth-agent[bot] commented on GitHub (Jan 3, 2026):

It sounds like you're facing issues with the token returned from the Device Authorization plugin. From what you've mentioned, it's crucial to ensure that the token is properly signed and URL-encoded when being used, especially for setting cookies in Better Auth.

If you're manually setting the cookie header with a raw session token, that won't work as Better Auth requires a specially formatted cookie value. Instead, ensure you follow the correct implementation for session handling, as the session logic needs to be properly set up for it to work in a cookieless environment [[4]](https://github.com/better-auth/better-auth/pull/4695).

Given that there's also a documentation gap regarding the need for the bearer plugin, which is essential for using the access token in authenticated API calls like getSession, it's recommended to add the bearer() plugin to your server config if you haven't already [[1]](https://github.com/better-auth/better-auth/issues/6348), [[3]](https://github.com/better-auth/better-auth/pull/6351).

If you're still encountering problems, it might be helpful to tag @bekacru or @ping__ for further assistance.

Would you like to explore more on session management or the bearer plugin implementation?

@better-auth-agent[bot] commented on GitHub (Jan 3, 2026):

It appears that there's a concern about the Device Authorization plugin regarding how the token is signed and the expected cookie value. To clarify, Better Auth expects a signed and URL-encoded cookie value rather than just a raw token, which is important for it to work correctly in a cookieless environment.

For the issue you raised regarding the Device Authorization plugin, it's crucial to ensure that the session handling logic is correctly configured, especially if you're working in a scenario without cookies. If the session is not being established properly, investigate how you're implementing session management in conjunction with the plugin.

Also, regarding the mention of the bearer plugin, there is a known issue that suggests adding a note to the documentation about requiring the bearer plugin to process the bearer token correctly for authenticated requests like getSession [[1]](https://github.com/better-auth/better-auth/issues/6348). This could lead to confusion if not properly addressed in documentation.

If you need further assistance or face additional issues, feel free to tag @bekacru or @ping__ for detailed help from the Better Auth team. What part of the session handling or token management would you like to explore further?


Reference: github-starred/better-auth#10490