[GH-ISSUE #5573] Email & Password Sign Up/Logout throws 403 MISSING_OR_NULL_ORIGIN #18919

New Issue

GiteaMirror · 2026-04-15T17:38:17-05:00

GiteaMirror commented

2026-04-15 17:38:17 -05:00

Originally created by @royjosephargumido on GitHub (Oct 25, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/5573

Originally assigned to: @bytaesu on GitHub.

Is this suited for github?

Yes, this is suited for github

To Reproduce

Sign Out:

Upgrade to better-auth 1.3.31
Using Postman 11.68.5, clear all Cookies
Successfully sign in using Email and Password
After signing in, sign out.
Throws 403, MISSING_OR_NULL_ORIGIN.

After the above process, try signing in using Email and Password:

Throws 403, MISSING_OR_NULL_ORIGIN.

Current vs. Expected behavior

Current Behavior:
When attempting to sign in using Email and Password with better-auth version 1.3.31, the request fails with a 403 Forbidden error. The response returns:

{
	"code": "MISSING_OR_NULL_ORIGIN",
	"message": "Missing or null Origin"
}

To temporarily resolve, I cleared all Postman cookies and retries the sign in. However, after successful sign in, the sign out throws the same error. Further, after successful sign in, attempting to sign in again using Email and Password throws the same error.

Expected Behavior:
Signing in using a valid and correct Email and Password should return a successful response, indicating a complete sign in process. Likewise, users should be able to sign out successfully. Furthermore, signing in again even if already signed in, should also result in a successful email sign in.

What version of Better Auth are you using?

1.3.31

System info

{
  "system": {
    "platform": "win32",
    "arch": "x64",
    "version": "Windows 11 Home",
    "release": "10.0.26200",
    "cpuCount": 8,
    "cpuModel": "11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz",
    "totalMemory": "23.73 GB",
    "freeMemory": "12.15 GB"
  },
  "node": {
    "version": "v24.9.0",
    "env": "development"
  },
  "packageManager": {
    "name": "npm",
    "version": "11.6.0"
  },
  "frameworks": null,
  "databases": [
    {
      "name": "pg",
      "version": "^8.16.3"
    },
    {
      "name": "drizzle",
      "version": "^0.44.7"
    }
  ],
  "betterAuth": {
    "version": "^1.3.31",
    "config": {
      "appName": "redacted",
      "emailAndPassword": {
        "enabled": true,
        "requireEmailVerification": true
      },
      "plugins": [
        {
          "name": "open-api",
          "config": {
            "id": "open-api",
            "endpoints": {}
          }
        }
      ],
      "emailVerification": {
        "sendOnSignUp": true
      },
      "telemetry": {
        "enabled": false
      }
    }
  }
}

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  emailAndPassword: {  
    enabled: true
  },
});

Additional context

I am using the latest version of NestJS and its dependencies. I have never used it on a browser/frontend. I downgraded to better-auth version 1.3.28 and its working. I think https://github.com/better-auth/better-auth/issues/5536 may have caused this issue.

Originally created by @royjosephargumido on GitHub (Oct 25, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/5573 Originally assigned to: @bytaesu on GitHub. ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce Sign Out: 1. Upgrade to better-auth 1.3.31 3. Using Postman 11.68.5, clear all Cookies 4. Successfully sign in using Email and Password 5. After signing in, sign out. 6. Throws 403, `MISSING_OR_NULL_ORIGIN`. After the above process, try signing in using Email and Password: 1. Throws 403, `MISSING_OR_NULL_ORIGIN`. ### Current vs. Expected behavior **Current Behavior:** When attempting to sign in using Email and Password with better-auth version 1.3.31, the request fails with a `403 Forbidden` error. The response returns: ``` { "code": "MISSING_OR_NULL_ORIGIN", "message": "Missing or null Origin" } ``` To temporarily resolve, I cleared all Postman cookies and retries the sign in. However, after successful sign in, the sign out throws the same error. Further, after successful sign in, attempting to sign in again using Email and Password throws the same error. **Expected Behavior:** Signing in using a valid and correct Email and Password should return a successful response, indicating a complete sign in process. Likewise, users should be able to sign out successfully. Furthermore, signing in again even if already signed in, should also result in a successful email sign in. ### What version of Better Auth are you using? 1.3.31 ### System info ```bash { "system": { "platform": "win32", "arch": "x64", "version": "Windows 11 Home", "release": "10.0.26200", "cpuCount": 8, "cpuModel": "11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz", "totalMemory": "23.73 GB", "freeMemory": "12.15 GB" }, "node": { "version": "v24.9.0", "env": "development" }, "packageManager": { "name": "npm", "version": "11.6.0" }, "frameworks": null, "databases": [ { "name": "pg", "version": "^8.16.3" }, { "name": "drizzle", "version": "^0.44.7" } ], "betterAuth": { "version": "^1.3.31", "config": { "appName": "redacted", "emailAndPassword": { "enabled": true, "requireEmailVerification": true }, "plugins": [ { "name": "open-api", "config": { "id": "open-api", "endpoints": {} } } ], "emailVerification": { "sendOnSignUp": true }, "telemetry": { "enabled": false } } } } ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ emailAndPassword: { enabled: true }, }); ``` ### Additional context I am using the latest version of NestJS and its dependencies. I have never used it on a browser/frontend. I downgraded to better-auth version 1.3.28 and its working. I think https://github.com/better-auth/better-auth/issues/5536 may have caused this issue.

GiteaMirror added the credentials core bug labels 2026-04-15 17:38:18 -05:00

GiteaMirror commented

2026-04-15 17:38:20 -05:00

@dosubot[bot] commented on GitHub (Oct 25, 2025):

Hi @royjosephargumido! I'm Dosu and I’m helping the better-auth team.

This is a regression caused by stricter Origin header enforcement introduced in better-auth v1.3.29 and later. In these versions, any POST request using cookies (like sign in or sign out) must include a valid Origin or Referer header, or it will fail with a 403 MISSING_OR_NULL_ORIGIN error. This breaks flows in environments like Postman or backend-only setups where the Origin header is often missing by default [details].

To resolve this for backend/non-browser environments, add the following to your better-auth config:

export const auth = betterAuth({
  emailAndPassword: { enabled: true },
  advanced: { disableOriginCheck: true }
});

This disables the strict Origin check and allows requests without an Origin header to succeed [code reference]. Only use this in isolated development environments, as it reduces CSRF protection.

Issue #5536 is the canonical tracking ticket for this problem, and downgrading to v1.3.28 works because it did not enforce the Origin header as strictly. If you need strict CSRF protection in production, ensure your clients always send a valid Origin header and configure trustedOrigins accordingly [docs].

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Oct 25, 2025):  Hi @royjosephargumido! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team.  This is a regression caused by stricter Origin header enforcement introduced in better-auth v1.3.29 and later. In these versions, any POST request using cookies (like sign in or sign out) must include a valid Origin or Referer header, or it will fail with a 403 MISSING_OR_NULL_ORIGIN error. This breaks flows in environments like Postman or backend-only setups where the Origin header is often missing by default [[details](https://github.com/better-auth/better-auth/issues/5536)]. To resolve this for backend/non-browser environments, add the following to your better-auth config: ```typescript export const auth = betterAuth({ emailAndPassword: { enabled: true }, advanced: { disableOriginCheck: true } }); ``` This disables the strict Origin check and allows requests without an Origin header to succeed [[code reference](https://github.com/better-auth/better-auth/pull/5411)]. Only use this in isolated development environments, as it reduces CSRF protection. Issue #5536 is the canonical tracking ticket for this problem, and downgrading to v1.3.28 works because it did not enforce the Origin header as strictly. If you need strict CSRF protection in production, ensure your clients always send a valid Origin header and configure trustedOrigins accordingly [[docs](https://github.com/better-auth/better-auth/issues/3874)].  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/d46dfea3-62b1-4a62-b7a0-6f27a9c66926?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/d46dfea3-62b1-4a62-b7a0-6f27a9c66926?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/d46dfea3-62b1-4a62-b7a0-6f27a9c66926?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/d46dfea3-62b1-4a62-b7a0-6f27a9c66926?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/d46dfea3-62b1-4a62-b7a0-6f27a9c66926?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/d46dfea3-62b1-4a62-b7a0-6f27a9c66926?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/d46dfea3-62b1-4a62-b7a0-6f27a9c66926?feedback_type=other)</sup>  [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github) [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/5573)

GiteaMirror commented

2026-04-15 17:38:21 -05:00

@R5dan commented on GitHub (Oct 25, 2025):

@royjosephargumido Better Auth automatically ensures that authentication requests are from your application. If you require authentication from another server please consider the API Key or Device Authorization plugin for untrusted services. Alternativly, for trusted services you can create a new betterAuthClient and adding trustedOrigins option to the server betterAuth. Alternatively (like the bot said) you can disable origin check, however this is highly unadvised as it can cause security vulnerabilities. Due to these limitations, I would advice that to test your authentication you make a new client and call the functions from there and setup your server to allow your ip address. I am unfamiliar with postman and whether it allows you to set the origin of the request you are making which would allow you to not test via that and add its origin. But like I said, I would advice being careful with that

@R5dan commented on GitHub (Oct 25, 2025): @royjosephargumido Better Auth automatically ensures that authentication requests are from your application. If you require authentication from another server please consider the `API Key` or `Device Authorization` plugin for untrusted services. Alternativly, for trusted services you can create a new `betterAuthClient` and adding `trustedOrigins` option to the server `betterAuth`. Alternatively (like the bot said) you can disable origin check, however this is highly unadvised as it can cause security vulnerabilities. Due to these limitations, I would advice that to test your authentication you make a new client and call the functions from there and setup your server to allow your ip address. I am unfamiliar with postman and whether it allows you to set the origin of the request you are making which would allow you to not test via that and add its origin. But like I said, I would advice being careful with that

GiteaMirror commented

2026-04-15 17:38:21 -05:00

@royjosephargumido commented on GitHub (Oct 25, 2025):

@royjosephargumido Better Auth automatically ensures that authentication requests are from your application. If you require authentication from another server please consider the API Key or Device Authorization plugin for untrusted services. Alternativly, for trusted services you can create a new betterAuthClient and adding trustedOrigins option to the server betterAuth. Alternatively (like the bot said) you can disable origin check, however this is highly unadvised as it can cause security vulnerabilities. Due to these limitations, I would advice that to test your authentication you make a new client and call the functions from there and setup your server to allow your ip address. I am unfamiliar with postman and whether it allows you to set the origin of the request you are making which would allow you to not test via that and add its origin. But like I said, I would advice being careful with that

Yeah. I already implemented both advanced.disableOriginCheck, trustedOrigins, and updated my other implementations based from these info. I will consider your suggestions. Thanks.

@royjosephargumido commented on GitHub (Oct 25, 2025): > [@royjosephargumido](https://github.com/royjosephargumido) Better Auth automatically ensures that authentication requests are from your application. If you require authentication from another server please consider the `API Key` or `Device Authorization` plugin for untrusted services. Alternativly, for trusted services you can create a new `betterAuthClient` and adding `trustedOrigins` option to the server `betterAuth`. Alternatively (like the bot said) you can disable origin check, however this is highly unadvised as it can cause security vulnerabilities. Due to these limitations, I would advice that to test your authentication you make a new client and call the functions from there and setup your server to allow your ip address. I am unfamiliar with postman and whether it allows you to set the origin of the request you are making which would allow you to not test via that and add its origin. But like I said, I would advice being careful with that Yeah. I already implemented both `advanced.disableOriginCheck`, `trustedOrigins`, and updated my other implementations based from these info. I will consider your suggestions. Thanks.

GiteaMirror commented

2026-04-15 17:38:22 -05:00

@R5dan commented on GitHub (Oct 25, 2025):

@royjosephargumido I have just realized you are using the open api plugin, which will allow you to test it in your own site:

https://www.better-auth.com/docs/plugins/open-api#generated-schema
https://www.better-auth.com/docs/plugins/open-api#using-scalar-with-multiple-sources
https://guides.scalar.com/scalar/scalar-api-references/getting-started

@R5dan commented on GitHub (Oct 25, 2025): @royjosephargumido I have just realized you are using the open api plugin, which will allow you to test it in your own site: https://www.better-auth.com/docs/plugins/open-api#generated-schema https://www.better-auth.com/docs/plugins/open-api#using-scalar-with-multiple-sources https://guides.scalar.com/scalar/scalar-api-references/getting-started

GiteaMirror commented

2026-04-15 17:38:23 -05:00

@nicholsss commented on GitHub (Nov 4, 2025):

@royjosephargumido Better Auth automatically ensures that authentication requests are from your application. If you require authentication from another server please consider the API Key or Device Authorization plugin for untrusted services. Alternativly, for trusted services you can create a new betterAuthClient and adding trustedOrigins option to the server betterAuth. Alternatively (like the bot said) you can disable origin check, however this is highly unadvised as it can cause security vulnerabilities. Due to these limitations, I would advice that to test your authentication you make a new client and call the functions from there and setup your server to allow your ip address. I am unfamiliar with postman and whether it allows you to set the origin of the request you are making which would allow you to not test via that and add its origin. But like I said, I would advice being careful with that

Yeah. I already implemented both advanced.disableOriginCheck, trustedOrigins, and updated my other implementations based from these info. I will consider your suggestions. Thanks.

Were u able to fix this issue? Im facing the same problem

@nicholsss commented on GitHub (Nov 4, 2025): > > [@royjosephargumido](https://github.com/royjosephargumido) Better Auth automatically ensures that authentication requests are from your application. If you require authentication from another server please consider the `API Key` or `Device Authorization` plugin for untrusted services. Alternativly, for trusted services you can create a new `betterAuthClient` and adding `trustedOrigins` option to the server `betterAuth`. Alternatively (like the bot said) you can disable origin check, however this is highly unadvised as it can cause security vulnerabilities. Due to these limitations, I would advice that to test your authentication you make a new client and call the functions from there and setup your server to allow your ip address. I am unfamiliar with postman and whether it allows you to set the origin of the request you are making which would allow you to not test via that and add its origin. But like I said, I would advice being careful with that > > Yeah. I already implemented both `advanced.disableOriginCheck`, `trustedOrigins`, and updated my other implementations based from these info. I will consider your suggestions. Thanks. Were u able to fix this issue? Im facing the same problem

GiteaMirror commented

2026-04-15 17:38:24 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 4, 2025):

Hey there! It looks like you’re running into the same “MISSING_OR_NULL_ORIGIN” error when signing out and then signing in with email and password. This error indicates that Better Auth’s security check isn’t receiving a valid Origin header with your request.

Here are a few next steps to troubleshoot and potentially resolve the issue:

• Ensure that your client (Postman in this case) is sending the appropriate Origin header with each request. Depending on your testing setup, Postman might not automatically include this header, so you may need to add it manually.

• Consider updating your server configuration by adding your testing environment’s URL to the trustedOrigins option. This way, Better Auth will recognize the request as coming from a trusted source—even when using Postman [1].

• As a temporary workaround, you could disable the origin check via advanced.disableOriginCheck, but remember that disabling this check can expose potential security vulnerabilities [1].

• Since you mentioned that downgrading to a previous version (1.3.28) resolves the issue, it suggests that recent changes in version 1.3.31 may have introduced stricter origin validation. If you’re testing on trusted networks, configuring a dedicated client with trustedOrigins might be the best long-term solution.

Does this help clarify the next steps for you? tag @better-auth-agent

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Nov 4, 2025): Hey there! It looks like you’re running into the same “MISSING_OR_NULL_ORIGIN” error when signing out and then signing in with email and password. This error indicates that Better Auth’s security check isn’t receiving a valid Origin header with your request. Here are a few next steps to troubleshoot and potentially resolve the issue: • Ensure that your client (Postman in this case) is sending the appropriate Origin header with each request. Depending on your testing setup, Postman might not automatically include this header, so you may need to add it manually. • Consider updating your server configuration by adding your testing environment’s URL to the trustedOrigins option. This way, Better Auth will recognize the request as coming from a trusted source—even when using Postman [[1]](https://github.com/better-auth/better-auth/issues/5573). • As a temporary workaround, you could disable the origin check via advanced.disableOriginCheck, but remember that disabling this check can expose potential security vulnerabilities [[1]](https://github.com/better-auth/better-auth/issues/5573). • Since you mentioned that downgrading to a previous version (1.3.28) resolves the issue, it suggests that recent changes in version 1.3.31 may have introduced stricter origin validation. If you’re testing on trusted networks, configuring a dedicated client with trustedOrigins might be the best long-term solution. Does this help clarify the next steps for you? tag @better-auth-agent  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-04-15 17:38:26 -05:00

@royjosephargumido commented on GitHub (Nov 16, 2025):

@royjosephargumido Better Auth automatically ensures that authentication requests are from your application. If you require authentication from another server please consider the API Key or Device Authorization plugin for untrusted services. Alternativly, for trusted services you can create a new betterAuthClient and adding trustedOrigins option to the server betterAuth. Alternatively (like the bot said) you can disable origin check, however this is highly unadvised as it can cause security vulnerabilities. Due to these limitations, I would advice that to test your authentication you make a new client and call the functions from there and setup your server to allow your ip address. I am unfamiliar with postman and whether it allows you to set the origin of the request you are making which would allow you to not test via that and add its origin. But like I said, I would advice being careful with that

Yeah. I already implemented both advanced.disableOriginCheck, trustedOrigins, and updated my other implementations based from these info. I will consider your suggestions. Thanks.

Were u able to fix this issue? Im facing the same problem

Yes. As mentioned above, I added the following to the BetterAuthOptions:

RESOLUTION:

I resolved the issue by adding the following to the BetterAuthOptions:

advanced: {
		disableOriginCheck: process.env.NODE_ENV !== 'production',
		useSecureCookies: process.env.NODE_ENV === 'production',
	},
	trustedOrigins: [
		// Your trusted origins. Example:
		'http://localhost:8080',
	],

Also, I added the same origins to the NestJS' CORS configuration.

@royjosephargumido commented on GitHub (Nov 16, 2025): > > > [@royjosephargumido](https://github.com/royjosephargumido) Better Auth automatically ensures that authentication requests are from your application. If you require authentication from another server please consider the `API Key` or `Device Authorization` plugin for untrusted services. Alternativly, for trusted services you can create a new `betterAuthClient` and adding `trustedOrigins` option to the server `betterAuth`. Alternatively (like the bot said) you can disable origin check, however this is highly unadvised as it can cause security vulnerabilities. Due to these limitations, I would advice that to test your authentication you make a new client and call the functions from there and setup your server to allow your ip address. I am unfamiliar with postman and whether it allows you to set the origin of the request you are making which would allow you to not test via that and add its origin. But like I said, I would advice being careful with that > > > > > > Yeah. I already implemented both `advanced.disableOriginCheck`, `trustedOrigins`, and updated my other implementations based from these info. I will consider your suggestions. Thanks. > > Were u able to fix this issue? Im facing the same problem Yes. As mentioned above, I added the following to the `BetterAuthOptions`: **RESOLUTION:** I resolved the issue by adding the following to the `BetterAuthOptions`: ``` advanced: { disableOriginCheck: process.env.NODE_ENV !== 'production', useSecureCookies: process.env.NODE_ENV === 'production', }, trustedOrigins: [ // Your trusted origins. Example: 'http://localhost:8080', ], ``` Also, I added the same origins to the NestJS' CORS configuration.

GiteaMirror commented

2026-04-15 17:38:27 -05:00

@buiducnhat commented on GitHub (Dec 9, 2025):

Same for me, only occuring with expo

@buiducnhat commented on GitHub (Dec 9, 2025): Same for me, only occuring with expo

GiteaMirror commented

2026-04-15 17:38:29 -05:00

@tsatsujnr139 commented on GitHub (Dec 16, 2025):

I'm facing this issue as well only on signOut route in expo.

@tsatsujnr139 commented on GitHub (Dec 16, 2025): I'm facing this issue as well only on signOut route in expo.

GiteaMirror commented

2026-04-15 17:38:30 -05:00

@gmr458 commented on GitHub (Dec 30, 2025):

I cannot login when using Bruno, when using curl it works.

@gmr458 commented on GitHub (Dec 30, 2025): I cannot login when using Bruno, when using curl it works. <img width="1099" height="303" alt="Image" src="https://github.com/user-attachments/assets/9ed376ff-6900-4da1-ad95-a2cfa9e38d2e" />

GiteaMirror commented

2026-04-15 17:38:33 -05:00

@RichardSPrins commented on GitHub (Jan 20, 2026):

I'm getting this in Bruno as well, it worked for a moment but then throws this error. I want to keep origin check in place but want to be able to allow my Bruno client to use the API

@RichardSPrins commented on GitHub (Jan 20, 2026): I'm getting this in Bruno as well, it worked for a moment but then throws this error. I want to keep origin check in place but want to be able to allow my Bruno client to use the API

GiteaMirror commented

2026-04-15 17:38:35 -05:00

@gmr458 commented on GitHub (Jan 21, 2026):

For now I've disabled origin check only in development with the option advanced.disableOriginCheck like this:

export const auth = betterAuth({
    advanced: {
        disableOriginCheck: env.NODE_ENV !== "production",
    },
});

@gmr458 commented on GitHub (Jan 21, 2026): For now I've disabled origin check only in development with the option `advanced.disableOriginCheck` like this: ```typescript export const auth = betterAuth({ advanced: { disableOriginCheck: env.NODE_ENV !== "production", }, }); ```

GiteaMirror commented

2026-04-15 17:38:37 -05:00

@samzmann commented on GitHub (Feb 5, 2026):

For me what seems to have solved it was to add the expo plugin to my server, which I had missed form the docs. It seems like every example config given in the comments above is missing it too 😅.

So correct would be:

import { betterAuth } from "better-auth";
import { expo } from "@better-auth/expo";

export const auth = betterAuth({
    plugins: [
      expo() // <-------------------- here
    ],
    trustedOrigins: [
      // fill with correct app scheme and metro bundler urls as per docs
    ]
})

@samzmann commented on GitHub (Feb 5, 2026): For me what seems to have solved it was to add the `expo` plugin to my server, which I had missed form the [docs](https://www.better-auth.com/docs/integrations/expo#add-the-expo-plugin-on-your-server). It seems like every example config given in the comments above is missing it too 😅. So correct would be: ```ts import { betterAuth } from "better-auth"; import { expo } from "@better-auth/expo"; export const auth = betterAuth({ plugins: [ expo() // <-------------------- here ], trustedOrigins: [ // fill with correct app scheme and metro bundler urls as per docs ] }) ```

GiteaMirror commented

2026-04-15 17:38:38 -05:00

@till commented on GitHub (Feb 23, 2026):

I am getting this error when I am part of an oauth2 flow.

Basically:

click "login with oauth" in another app
first redirect to better-auth
prompt=login triggers redirect to login form
firefox sends Origin: "null"
error

@till commented on GitHub (Feb 23, 2026): I am getting this error when I am part of an oauth2 flow. Basically: 1. click "login with oauth" in another app 2. first redirect to better-auth 3. `prompt=login` triggers redirect to login form 4. firefox sends `Origin: "null"` 5. error

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#18919