[GH-ISSUE #6944] Better-Auth 1.4.8 broken and unusable due to trusted origins #19311

Closed
opened 2026-04-15 18:13:39 -05:00 by GiteaMirror · 8 comments

Originally created by @JE4GLE on GitHub (Dec 23, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/6944

To Reproduce

  1. Create backend using Svelte and configure better-auth with trustedOrigins on localhost
  2. Try to signup or do any action with better-auth

Current behavior

```
error Invalid origin: http://localhost:5173 []
info If it's a valid URL, please add http://localhost:5173 to trustedOrigins in your auth config
 [
  'Current list of trustedOrigins: http://localhost:5173,http://localhost:5173,http://localhost:5174,http://192.168.178.71:5173,http://192.168.178.71:5174'
]
```

Expected behavior

No error, the requests work.

What version of Better Auth are you using?

1.4.8

System info

The command npx @better-auth/cli info --json produces no output and results in exit code 1.

Which area(s) are affected? (Select all that apply)

Backend, every auth action

Auth config (if applicable)

```typescript
import { betterAuth } from "better-auth"
export const auth = betterAuth({
  trustedOrigins: [
    'http://localhost:5173',
    'http://localhost:5174',
    'http://192.168.178.71:5173',
    'http://192.168.178.71:5174'
  ],
  emailAndPassword: {
    enabled: true
  },
});
```

Additional context

It didn't work in 1.4.7 or 1.4.6 either.

GiteaMirror added the locked, bug labels 2026-04-15 18:13:40 -05:00

@better-auth-agent[bot] commented on GitHub (Dec 23, 2025):

It seems you are facing an "Invalid origin" error while using Better Auth version 1.4.8. This issue usually arises when the origin from which you're making requests isn't included in the trustedOrigins array of your auth config.

To resolve this issue, please check the following steps:

  1. Verify trustedOrigins Configuration: Ensure that you have correctly added http://localhost:5173 and any other origins you plan to access in the trustedOrigins array. Here’s an example:

    export const auth = betterAuth({
      trustedOrigins: [
        'http://localhost:5173',
        'http://localhost:5174',
        'http://192.168.178.71:5173',
        'http://192.168.178.71:5174'
      ],
      emailAndPassword: {  
        enabled: true
      },
    });
    
  2. Check Base URL Configuration: Ensure you have defined the baseURL correctly. If baseURL is inferred from the first request, your origins should be evaluated accordingly [[11]](https://github.com/better-auth/better-auth/pull/6882).

  3. Environment Variable: Make sure that if you are using an environment variable for trusted origins (e.g. BETTER_AUTH_TRUSTED_ORIGINS), it is set correctly in your environment [[7]](https://github.com/better-auth/better-auth/pull/6809).

If you follow these steps and the error persists, please consider tagging the Better Auth team members Beka and Max (@bekacru and @ping__) for further assistance.

What other questions do you have regarding Better Auth configurations?

If you need more help, tag @better-auth-agent in a comment so I can respond.


@JE4GLE commented on GitHub (Dec 23, 2025):

@better-auth-agent @Bekacru @ping-maxwell The suggested solution by the agent is not helping. You can see in the error message by Better-Auth that the correct URL is configured. I would say, the validation logic is incorrect.

```
info If it's a valid URL, please add http://localhost:5173 to trustedOrigins in your auth config
 [
  'Current list of trustedOrigins: http://localhost:5173,http://localhost:5173,http://localhost:5174,http://192.168.178.71:5173,http://192.168.178.71:5174'
]
```

@better-auth-agent[bot] commented on GitHub (Dec 23, 2025):

It seems that the error you're encountering, indicating an "Invalid origin" for http://localhost:5173, may stem from a few possible issues with your trustedOrigins configuration.

Here are steps you can follow to troubleshoot this problem:

  1. Check for Duplicates: Ensure that http://localhost:5173 is not somehow duplicated in your configuration. The error message suggests it appears twice in the list of trustedOrigins.

  2. Wildcard Support: Verify that you’re using a proper format. The trustedOrigins list can support wildcards. If you're still facing issues, consider using more flexible patterns that might cover the origins you need, such as http://localhost:* which would allow all ports on localhost.

  3. Base URL Inference: There's a fix in place that addresses issues related to base URL inference and trusted origins, which might have affected your setup. If you have any specific configurations that infer base URLs, make sure they are correctly set up to match your trusted origins [[6]](https://github.com/better-auth/better-auth/pull/6904).

  4. Version Check: Since you’re using version 1.4.8, ensure there aren’t any outstanding issues or updates from the repository that could resolve related errors.

If these steps don’t resolve your issue, it might be helpful to tag Beka and Max at @bekacru and @ping__ for further assistance.

What specific configurations are you using with trustedOrigins, and have you considered implementing wildcard patterns to simplify your setup?


@Bekacru commented on GitHub (Dec 23, 2025):

I can't reproduce this issue on my end.

Can you make a minimal repro?


@bytaesu commented on GitHub (Dec 23, 2025):

Hi @JE4GLE,

I couldn't reproduce the issue with this setup. Could you share reproducible code or a repo?

```ts
import { getRequestEvent } from "$app/server";
import { betterAuth } from "better-auth";
import { sveltekitCookies } from "better-auth/svelte-kit";
import { Pool } from "pg";
import { DATABASE_URL } from "$env/static/private";

export const auth = betterAuth({
  database: new Pool({
    connectionString: DATABASE_URL,
  }),
  trustedOrigins: [
    'http://localhost:5173',
    'http://localhost:5174',
    'http://192.168.178.71:5173',
    'http://192.168.178.71:5174'
  ],
  emailAndPassword: {
    enabled: true,
  },
  plugins: [sveltekitCookies(getRequestEvent)],
});
```

https://github.com/user-attachments/assets/651f2c81-dcec-4a8f-950a-c8d3c9468229


@bytaesu commented on GitHub (Dec 23, 2025):

@JE4GLE

SvelteKit is indeed a full-stack framework, but it's unclear what you mean by “backend using Svelte”. Could you explain how you've set it up? That would help me investigate and resolve your issue 😁


@JE4GLE commented on GitHub (Dec 23, 2025):

@Bekacru @bytaesu I did some further research and found the error was due to the function getTrustedOrigins(options). It returned an empty array []. The mjs file compiled to the following:

```typescript
function getTrustedOrigins(options) {
	const baseURL = getBaseURL(options.baseURL, options.basePath);
	if (!baseURL) return [];
	const trustedOrigins = [new URL(baseURL).origin];
	if (options.trustedOrigins && Array.isArray(options.trustedOrigins)) trustedOrigins.push(...options.trustedOrigins);
	const envTrustedOrigins = env.BETTER_AUTH_TRUSTED_ORIGINS;
	if (envTrustedOrigins) trustedOrigins.push(...envTrustedOrigins.split(","));
	if (trustedOrigins.filter((x) => !x).length) throw new BetterAuthError("A provided trusted origin is invalid, make sure your trusted origins list is properly defined.");
	return trustedOrigins;
}
```

After setting the baseURL, it worked again, but the issue seems to have been introduced in the last few updates as this issue never occurred before.
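
Added example (not part of the original thread and not Better Auth's code): the control flow of the quoted function run against a config that sets `trustedOrigins` but no `baseURL`, next to an illustrative variant that keeps the explicit allowlist when no base URL resolves. `getBaseURL`, `env`, `collect`, `isTrusted` and the variant are constructed stand-ins, and the variant is not the change shipped in 1.4.9.

```javascript
// Constructed stand-ins (assumptions): better-auth's real getBaseURL and env are internal.
const env = {};
const getBaseURL = (url, path = "/api/auth") =>
  url ? new URL(path, url).toString() : undefined;

// Shared list building, following the quoted function (error class simplified).
function collect(seed, options) {
  const list = [...seed];
  if (Array.isArray(options.trustedOrigins)) list.push(...options.trustedOrigins);
  if (env.BETTER_AUTH_TRUSTED_ORIGINS) list.push(...env.BETTER_AUTH_TRUSTED_ORIGINS.split(","));
  if (list.some((x) => !x)) throw new Error("A provided trusted origin is invalid");
  return list;
}

// Same control flow as the compiled function quoted above.
function getTrustedOriginsAsCompiled(options) {
  const baseURL = getBaseURL(options.baseURL, options.basePath);
  if (!baseURL) return []; // explicit trustedOrigins are dropped on this path
  return collect([new URL(baseURL).origin], options);
}

// Illustrative variant: a missing baseURL only removes the derived entry.
function getTrustedOriginsKeepExplicit(options) {
  const baseURL = getBaseURL(options.baseURL, options.basePath);
  return [...new Set(collect(baseURL ? [new URL(baseURL).origin] : [], options))];
}

const isTrusted = (origin, list) => list.includes(origin); // exact match only

// Constructed config mirroring the issue: trustedOrigins set, baseURL unset.
const config = { trustedOrigins: ["http://localhost:5173", "http://localhost:5174"] };

function demo() {
  const withBase = { ...config, baseURL: "http://localhost:5173" };
  return {
    compiledNoBase: isTrusted("http://localhost:5173", getTrustedOriginsAsCompiled(config)),
    compiledWithBase: getTrustedOriginsAsCompiled(withBase), // 5173 listed twice
    variantNoBase: isTrusted("http://localhost:5173", getTrustedOriginsKeepExplicit(config)),
    variantUnlisted: isTrusted("http://unlisted.example", getTrustedOriginsKeepExplicit(config)),
  };
}

console.log(demo());
```

The early return fails closed, so every origin is rejected rather than accepted; the variant keeps that property for unlisted origins while honouring the explicit allowlist.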


@himself65 commented on GitHub (Dec 23, 2025):

Fixed in 1.4.9. It's a release issue. We're gonna improve the release process to avoid such a dumb issue.

Reference: github-starred/better-auth#19311