TikTok Auth fails with code_challenge error #1394

Closed
opened 2026-03-13 08:37:22 -05:00 by GiteaMirror · 6 comments
Owner

Originally created by @jcohenho on GitHub (Jun 21, 2025).

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

TikTok Auth fails with the following error message:

```
Something went wrong.

We couldn't log in with TikTok. This may be due to specific app settings.

If you're a developer, correct the following and try again:

code_challenge
Refer to our [Developer Documentation](https://developers.tiktok.com/doc) for more information.
```

Screenshot for reference:

Image

Current vs. Expected behavior

I followed the steps documented here, and ran into this issue when trying to sign in.

  1. I used ngrok in order to provide an https domain in the sandbox app config.
  2. The docs mention configuring a TikTok client ID in the .env file, but I don't see a client ID in the TikTok Developer portal, is this the same as the app ID? The name should be updated for clarity/consistency if so.

What version of Better Auth are you using?

1.2.9

Provide environment information

- OS: 15.4.1 (24E263)
- browser: chrome

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

```typescript
import { db } from "@/src/db/drizzle";
import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";

export const auth = betterAuth({
  database: drizzleAdapter(db, {
    provider: "pg",
  }),
  socialProviders: {
    tiktok: {
      clientId: process.env.TIKTOK_CLIENT_ID as string,
      clientSecret: process.env.TIKTOK_CLIENT_SECRET as string,
      clientKey: process.env.TIKTOK_CLIENT_KEY as string,
    },
  },
  user: {
    modelName: "users",
  },
  session: {
    modelName: "sessions",
  },
  account: {
    modelName: "accounts",
  },
  verification: {
    modelName: "verifications",
  },
  advanced: {
    database: {
      generateId: false,
    },
  },
});
```

Additional context

No response

GiteaMirror added the bug label 2026-03-13 08:37:22 -05:00
Author
Owner

@dosubot[bot] commented on GitHub (Jun 21, 2025):

The TikTok "client ID" in Better Auth is the same as the "App ID" shown in the TikTok Developer Portal—this naming mismatch is a common source of confusion and the docs could be clearer on this point. For TikTok auth to work, you need to set three environment variables: TIKTOK_CLIENT_ID (your TikTok App ID), TIKTOK_CLIENT_SECRET, and TIKTOK_CLIENT_KEY (docs).

Your config snippet only enables email/password auth. To use TikTok, you need to add it to the socialProviders section, like:

```typescript
import { betterAuth } from "better-auth"
export const auth = betterAuth({
  emailAndPassword: { enabled: true },
  socialProviders: {
    tiktok: {
      clientId: process.env.TIKTOK_CLIENT_ID as string,
      clientSecret: process.env.TIKTOK_CLIENT_SECRET as string,
      clientKey: process.env.TIKTOK_CLIENT_KEY as string,
    },
  },
});
```

Make sure your redirect URI in both TikTok and Better Auth matches exactly, uses HTTPS, and is accessible (ngrok is fine for local dev). TikTok requires PKCE (the code_challenge), and Better Auth handles this internally, but missing or incorrect provider config, environment variables, or a redirect URI mismatch can cause the error you’re seeing (code).

Double-check your environment variables, update your config, and restart your server. If you still get the error, try enabling debug logs or inspect the network requests to see if the code_challenge is being sent and matches expectations.

Written by @dosu, approved by Bekacru

Author
Owner

@jcohenho commented on GitHub (Jun 24, 2025):

@dosu You're hallucinating about the code snippet I shared, I didn't enable email/password. What should I set the redirect url to for local dev? Note that I'm using ngrok with a static https URL for local dev.

Author
Owner

@dosubot[bot] commented on GitHub (Jun 24, 2025):

You're right, your config did not enable email/password—thanks for catching that.

For TikTok OAuth with Better Auth in local dev, your redirect URI should be your static ngrok HTTPS URL plus the callback path your app expects. For most setups (like Next.js API routes), that's usually something like:

https://your-ngrok-id.ngrok.io/api/auth/callback/tiktok

You need to register this exact URI (including the full path) in the TikTok developer portal, and make sure your Better Auth config uses the same value. The path can be different if your app uses a custom route, but whatever you use must match in both places and must be HTTPS—TikTok won't accept localhost or HTTP. See the docs for more details and examples here.

If you still hit the code_challenge error after confirming this, let me know and we can dig deeper.

Author
Owner

@RobiMez commented on GitHub (Jul 18, 2025):

Hi @jcohenho, I reproduced your code challenge bug during testing, but then after setting my redirect URL like this
https://394b545ffa73.ngrok-free.app/api/auth/callback/tiktok
and adding my currently logged-in TikTok account to the sandbox settings > target users, it seems to work properly.

Image

Could you quickly check if you've set target users up in your setup?
Sorry for the late response 🙏🏼
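
The checks suggested in this thread (is `code_challenge` actually sent, and does `redirect_uri` exactly match the registered HTTPS callback) can be run against an authorization URL copied from the browser's network tab. This is an added example, not part of the original thread or Better Auth's code; `auditAuthorizationUrl`, the `auth.example` host and the sample URLs are constructed, and the parameter rules follow RFC 7636 rather than anything TikTok-specific stated on the page.

```typescript
// Added example: audit a captured OAuth authorization URL for the problems
// discussed in this thread. All names and URLs below are constructed.
type Finding = { param: string; problem: string };

// RFC 7636: code_challenge is 43-128 characters from the unreserved set.
const CHALLENGE_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

function auditAuthorizationUrl(authUrl: string, registeredRedirect: string): Finding[] {
  const findings: Finding[] = [];
  const params = new URL(authUrl).searchParams; // values are percent-decoded

  const challenge = params.get("code_challenge");
  if (!challenge) {
    findings.push({ param: "code_challenge", problem: "missing from request" });
  } else if (!CHALLENGE_RE.test(challenge)) {
    findings.push({ param: "code_challenge", problem: "not 43-128 unreserved characters" });
  }

  // RFC 7636 falls back to "plain" when the method is omitted; this audit
  // (an assumption of the example) flags anything other than S256.
  const method = params.get("code_challenge_method");
  if (challenge && method !== "S256") {
    findings.push({ param: "code_challenge_method", problem: `expected S256, got ${method ?? "nothing"}` });
  }

  const redirect = params.get("redirect_uri");
  if (!redirect) {
    findings.push({ param: "redirect_uri", problem: "missing from request" });
  } else {
    if (!redirect.startsWith("https://")) {
      findings.push({ param: "redirect_uri", problem: "not HTTPS" });
    }
    // Exact string comparison: scheme, host, path and trailing slash all count.
    if (redirect !== registeredRedirect) {
      findings.push({ param: "redirect_uri", problem: `differs from registered value ${registeredRedirect}` });
    }
  }
  return findings;
}

// Constructed sample inputs (placeholder hosts, not real endpoints).
const REGISTERED = "https://example.ngrok-free.app/api/auth/callback/tiktok";
const GOOD_URL = "https://auth.example/authorize?response_type=code" +
  `&redirect_uri=${encodeURIComponent(REGISTERED)}` +
  `&code_challenge=${"a".repeat(43)}&code_challenge_method=S256`;
const BAD_URL = "https://auth.example/authorize?response_type=code" +
  `&redirect_uri=${encodeURIComponent("http://localhost:3000/api/auth/callback/tiktok")}`;

console.log(auditAuthorizationUrl(GOOD_URL, REGISTERED), auditAuthorizationUrl(BAD_URL, REGISTERED));
```
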

Author
Owner

@Kinfe123 commented on GitHub (Aug 1, 2025):

Closing this issue assuming this works fine. Will reopen if this persists.

Author
Owner

@Kinfe123 commented on GitHub (Aug 1, 2025):

Closing this issue assuming this works fine. Will reopen if this persists.

Reference: github-starred/better-auth#1394