[GH-ISSUE #2434] nextCookies() do not set Cookies with auth.api #26514

New Issue

GiteaMirror · 2026-04-17T17:07:48-05:00

GiteaMirror commented

2026-04-17 17:07:48 -05:00

Originally created by @drago1520 on GitHub (Apr 25, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/2434

Originally assigned to: @ping-maxwell on GitHub.

Is this suited for github?

Yes, this is suited for github

To Reproduce

I cannot log in with server methods like auth.api because they do not set the cookie headers in my Chrome browser on Next.js. Retrieving the session always returns null. I am using nextCookie(), but the server methods do not work. I can see Better-auth creating new sessions and users in the DB, but no cookies are returned to my browser.

Goal: Create a user on the server.

I am using Next.js
I followed the installation instructions for better-auth
I have the nextCookie() plugin enabled
Here is my call in an isolated RSC page:

import { auth } from '@/lib/auth';
import { headers } from 'next/headers';

export default async function BlogLayout({ children }: { children: React.ReactNode }) {
  const session = await auth.api.getSession({ headers: await headers() });
  console.log('session :', session);
  if (!session) {
    const data = await auth.api.signUpEmail({
        body: {
            email: `${crypto.randomUUID()}@example.com`,
            password: crypto.randomUUID(),
            name: crypto.randomUUID(),
        },
        headers: await headers(),
    });
    console.log('data :', data); //Creates users successfully; I see in the log & db.
    const session = await auth.api.getSession({ headers: await headers() });
    console.log('session :', session); //!Reads null even when I refresh the page
  }

  return (
    <>
      {children}
    </>
  );
}

I expect the second console.log('session :', session); //!Reads null even when I refresh the page to read the session, but it returnsnull` even when I refresh the page, and a new user is being created.
Instead, no cookies are being sent to my Chrome browser

Current vs. Expected behavior

I expect Chrome to sync with the newly created user using auth.api. Instead, no cookies are being set.

What version of Better Auth are you using?

1.2.7

Provide environment information

- OS: [Windows 10]
- Browser: [Chrome]

Which area(s) are affected? (Select all that apply)

Client

Auth config (if applicable)

import { db, schema } from "@/models";
import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { anonymous, openAPI } from "better-auth/plugins";
import { nextCookies } from "better-auth/next-js";

export const auth = betterAuth({
  database: drizzleAdapter(db, {
    provider: "pg",
    usePlural: true,
    schema,
  }),
  emailAndPassword: {
    enabled: true,
  },
  // socialProviders: {
  //   google: {
  //     clientId: process.env.AUTH_GOOGLE_ID as string,
  //     clientSecret: process.env.AUTH_GOOGLE_SECRET as string,
  //   },
  // },
  plugins: [
    openAPI(),
    anonymous(),
    nextCookies(),
  ],
  session: {
    expiresIn: 60 * 60 * 24 * 365, // 1 year
    cookieCache: {
      enabled: true,
      maxAge: 60 * 60 * 24 * 7 // 1 week session in cookie
    }
  }
});

Additional context

#2055 might have something to do with this.

Originally created by @drago1520 on GitHub (Apr 25, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/2434 Originally assigned to: @ping-maxwell on GitHub. ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce I cannot log in with server methods like `auth.api` because they do not set the cookie headers in my Chrome browser on Next.js. Retrieving the session always returns `null`. I am using nextCookie(), but the server methods do not work. I can see Better-auth creating new sessions and users in the DB, but no cookies are returned to my browser. **Goal:** Create a user on the server. 1. I am using Next.js 2. I followed the installation instructions for `better-auth` 3. I have the nextCookie() plugin enabled 4. Here is my call in an isolated RSC page: ```js import { auth } from '@/lib/auth'; import { headers } from 'next/headers'; export default async function BlogLayout({ children }: { children: React.ReactNode }) { const session = await auth.api.getSession({ headers: await headers() }); console.log('session :', session); if (!session) { const data = await auth.api.signUpEmail({ body: { email: `${crypto.randomUUID()}@example.com`, password: crypto.randomUUID(), name: crypto.randomUUID(), }, headers: await headers(), }); console.log('data :', data); //Creates users successfully; I see in the log & db. const session = await auth.api.getSession({ headers: await headers() }); console.log('session :', session); //!Reads null even when I refresh the page } return ( <> {children} </> ); } ``` 5. I expect the second ` console.log('session :', session); //!Reads null even when I refresh the page to read the session, but it returns `null` even when I refresh the page, and a new user is being created. 6. Instead, no cookies are being sent to my Chrome browser ### Current vs. Expected behavior I expect Chrome to sync with the newly created user using auth.api. Instead, no cookies are being set. ### What version of Better Auth are you using? 1.2.7 ### Provide environment information ```bash - OS: [Windows 10] - Browser: [Chrome] ``` ### Which area(s) are affected? (Select all that apply) Client ### Auth config (if applicable) ```typescript import { db, schema } from "@/models"; import { betterAuth } from "better-auth"; import { drizzleAdapter } from "better-auth/adapters/drizzle"; import { anonymous, openAPI } from "better-auth/plugins"; import { nextCookies } from "better-auth/next-js"; export const auth = betterAuth({ database: drizzleAdapter(db, { provider: "pg", usePlural: true, schema, }), emailAndPassword: { enabled: true, }, // socialProviders: { // google: { // clientId: process.env.AUTH_GOOGLE_ID as string, // clientSecret: process.env.AUTH_GOOGLE_SECRET as string, // }, // }, plugins: [ openAPI(), anonymous(), nextCookies(), ], session: { expiresIn: 60 * 60 * 24 * 365, // 1 year cookieCache: { enabled: true, maxAge: 60 * 60 * 24 * 7 // 1 week session in cookie } } }); ``` ### Additional context #2055 might have something to do with this.

GiteaMirror added the locked label 2026-04-17 17:07:48 -05:00

GiteaMirror closed this issue

2026-04-17 17:07:49 -05:00

GiteaMirror commented

2026-04-17 17:07:50 -05:00

@ping-maxwell commented on GitHub (Apr 25, 2025):

We can't set cookies in a server-component.

The nextCookies plugin is to support server-actions.

@ping-maxwell commented on GitHub (Apr 25, 2025): We can't set cookies in a server-component. The `nextCookies` plugin is to support server-actions.

GiteaMirror commented

2026-04-17 17:07:51 -05:00

@drago1520 commented on GitHub (Apr 25, 2025):

Is it possible to do the following? :
Only server components
layout.tsx

Check for session
if there is no session, start a new by creating a anonymous user
Get the session on the page.tsx (or some component that needs it)

This ensures that everything about auth is handles on the server at once.

@drago1520 commented on GitHub (Apr 25, 2025): Is it possible to do the following? : **Only server components** *layout.tsx* 1. Check for session 2. if there is no session, start a new by creating a anonymous user 3. Get the session on the page.tsx (or some component that needs it) This ensures that everything about auth is handles on the server at once.

GiteaMirror commented

2026-04-17 17:07:51 -05:00

@ping-maxwell commented on GitHub (Apr 25, 2025):

I don't think you can do that in a server component.
Better Auth is designed with consideration of auth being called from the client, so you shouldn't need to worry about auth methods on the client by using authClient.

If you still want to use server only for auth related calls, you will need to use a server action for things like signup or other methods which may require the cookie to be sent back to the client.

@ping-maxwell commented on GitHub (Apr 25, 2025): I don't think you can do that in a server component. Better Auth is designed with consideration of auth being called from the client, so you shouldn't need to worry about auth methods on the client by using authClient. If you still want to use server only for auth related calls, you will need to use a server action for things like signup or other methods which may require the cookie to be sent back to the client.

GiteaMirror commented

2026-04-17 17:07:52 -05:00

@drago1520 commented on GitHub (Apr 25, 2025):

It is strange for me not being able to manage auth from the server, but I am not super in-depth on Next.js capabilities.

The real issue stems from the error handling on nextCookies() because there is none implemented for setting cookies on the server. I will do a pull request if you agree with me.

@drago1520 commented on GitHub (Apr 25, 2025): It is strange for me not being able to manage auth from the server, but I am not super in-depth on Next.js capabilities. The real issue stems from the error handling on nextCookies() because there is none implemented for setting cookies on the server. I will do a pull request if you agree with me. ![Image](https://github.com/user-attachments/assets/02561d28-82d2-43a9-bce6-d9948ea689d4)

GiteaMirror commented

2026-04-17 17:07:52 -05:00

@ping-maxwell commented on GitHub (Apr 26, 2025):

In Nextjs, you can't send cookies from a server component.

From the Nextjs docs, emphasis on "server actions or route handlers":

@ping-maxwell commented on GitHub (Apr 26, 2025): In Nextjs, you can't send cookies from a server component. From the Nextjs docs, emphasis on "server actions or route handlers": <img width="672" alt="Image" src="https://github.com/user-attachments/assets/dc7e4614-4b96-40f8-914c-1697f6091632" />

GiteaMirror commented

2026-04-17 17:07:53 -05:00

@drago1520 commented on GitHub (Apr 26, 2025):

Understood. Better auth cannot send cookies from RSC, so the browser is out of sync with the newly created session in the database. I will open a pull request to improve error handling.

@drago1520 commented on GitHub (Apr 26, 2025): Understood. Better auth cannot send cookies from RSC, so the browser is out of sync with the newly created session in the database. I will open a pull request to improve error handling.

GiteaMirror commented

2026-04-17 17:07:53 -05:00

@soyricardodev commented on GitHub (Apr 26, 2025):

Understood. Better auth cannot send cookies from RSC, so the browser is out of sync with the newly created session in the database. I will open a pull request to improve error handling.

but the way this is working is through server actions, even with RSC

The auth.api.. is using the API route handler

@soyricardodev commented on GitHub (Apr 26, 2025): > Understood. Better auth cannot send cookies from RSC, so the browser is out of sync with the newly created session in the database. I will open a pull request to improve error handling. but the way this is working is through server actions, even with RSC The auth.api.. is using the API route handler

GiteaMirror commented

2026-04-17 17:07:54 -05:00

@soyricardodev commented on GitHub (Apr 26, 2025):

If you want sn anon sign up for that use a client component, get the session and create the anon if user don't have nothing

Or pass the server action to a client component

Your problem is docs reading issues I think, but what's solution has you found

@soyricardodev commented on GitHub (Apr 26, 2025): If you want sn anon sign up for that use a client component, get the session and create the anon if user don't have nothing Or pass the server action to a client component Your problem is docs reading issues I think, but what's solution has you found

GiteaMirror commented

2026-04-17 17:07:55 -05:00

@pricetula commented on GitHub (May 16, 2025):

As @ping-maxwell mentioned issue is setting cookies in server actions does not persist them in the browser.
So one has to create an api route handler like:-

app/api/signin/route.ts

import { auth } from "@/lib/auth"
import { NextResponse } from 'next/server'

export async function POST(req: Request) {
    const body = await req.json()

    const resp = await auth.api.signInEmail({
        body,
        asResponse: true,
        headers: req.headers,
    })

    const setCookie = resp.headers.get('set-cookie')

    const response = NextResponse.json(await resp.json(), {
        status: resp.status,
    })

    if (setCookie) {
        response.headers.set('set-cookie', setCookie)
    }

    return response
}

and make request with required details email + passowrd

const resp = await fetch('/api/signin', {
          method: 'POST',
          headers: {
              'Content-Type': 'application/json',
          },
          body: JSON.stringify(values),
 })

@pricetula commented on GitHub (May 16, 2025): As @ping-maxwell mentioned issue is setting cookies in server actions does not persist them in the browser. So one has to create an api route handler like:- app/api/signin/route.ts ``` import { auth } from "@/lib/auth" import { NextResponse } from 'next/server' export async function POST(req: Request) { const body = await req.json() const resp = await auth.api.signInEmail({ body, asResponse: true, headers: req.headers, }) const setCookie = resp.headers.get('set-cookie') const response = NextResponse.json(await resp.json(), { status: resp.status, }) if (setCookie) { response.headers.set('set-cookie', setCookie) } return response } ``` and make request with required details email + passowrd ``` const resp = await fetch('/api/signin', { method: 'POST', headers: { 'Content-Type': 'application/json', }, body: JSON.stringify(values), }) ```

GiteaMirror commented

2026-04-17 17:07:55 -05:00

@Aiurvie commented on GitHub (May 17, 2025):

@pricetula

I don't know whether you have solved the issuer's problem.

I know you have solved my problem.😆

Thank you very much.❤

Good morning, good afternoon and good night.🌞

@Aiurvie commented on GitHub (May 17, 2025): @pricetula I don't know whether you have solved the issuer's problem. I know you have solved my problem.😆 Thank you very much.❤ Good morning, good afternoon and good night.🌞

GiteaMirror commented

2026-04-17 17:07:56 -05:00

@pricetula commented on GitHub (May 18, 2025):

@Aiurvie You're welcomed, I think @drago1520 logic to create a user should be moved to api route handler and not on server component

@pricetula commented on GitHub (May 18, 2025): @Aiurvie You're welcomed, I think @drago1520 logic to create a user should be moved to api route handler and not on server component

Sign in to join this conversation.

Branches Tags

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-227a091249

dependabot/github_actions/github-actions-98f3470200

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#26514