github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-23 23:52:05 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

Apple signin state_not_found #2777

New Issue
Closed
opened 2026-03-13 10:19:27 -05:00 by GiteaMirror · 24 comments
GiteaMirror commented 2026-03-13 10:19:27 -05:00
Owner
Copy Link

Originally created by @iamibadd on GitHub (Jan 27, 2026).

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

I’m using better-auth v1.4.17 with social sign-in enabled.

Google OAuth works as expected, but Apple sign-in consistently fails with state_not_found.

For context, in Apple Developer settings:

Frontend domain: merge-shield-basin-members.trycloudflare.com

Backend callback URL:
https://nation-crucial-possession-fast.trycloudflare.com/v1/bauth/callback/apple

Both are added under Website URLs for the Apple Service ID.

backend

  basePath: `/${betterAuthBasePath}/bauth`,
  socialProviders: {
    google: {
      prompt: 'select_account',
      clientId: googleClientId,
      clientSecret: googleClientSecret,
    },
    apple: {
      clientId: appleClientId,
      clientSecret: appleClientSecret,
    },

 trustedOrigins: ["https://merge-shield-basin-members.trycloudflare.com", "https://appleid.apple.com",  "https://nation-crucial-possession-fast.trycloudflare.com"]
  cookies: {
    state: {
      attributes: {
        sameSite: 'none',
        secure: true,
        httpOnly: true,
      },
    },
  },
  trustedOrigins: corsAllowedOrigins,
  advanced: {
    disableOriginCheck: true,
    useSecureCookies: true,
    defaultCookieAttributes: {
      sameSite: 'none',
      secure: true,
      httpOnly: true,
    },
  },

fronted

import { createAuthClient } from 'better-auth/react';
const backendBaseUrl = 'https://nation-crucial-possession-fast.trycloudflare.com';
const backendApiVersion = 'v1';
const authClient = createAuthClient({
  baseURL: backendBaseUrl,
  basePath: `/${backendApiVersion}/bauth`,
});

   await authClient.signIn.social({
      provider: 'google',
    });

   await authClient.signIn.social({
      provider: 'apple',
    });

Backend logs

[01:07:30.997] INFO (35079):
    method: "POST"
    url: "/v1/bauth/sign-in/social"
    statusCode: 200
    duration: "112ms"
    body: {
      "provider": "apple"
    }
2026-01-27T20:07:45.117Z ERROR [Better Auth]: State not found undefined
[01:07:45.035] INFO (35079):
    method: "POST"
    url: "/v1/bauth/callback/apple"
    statusCode: 302
    duration: "15ms"
    body: {
      "state": "y9gAalJL9dDqZHhP7fszmEoubhMJoEWJ",
      "code": "cb42678ed0ff543f5af5a7bd243a2c56d.0.stuy.SVhcq1fK7zMK0_I1slU2kQ",
      "id_token": "eyJraWQiOiJiRnd6bGVSOHRmIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLmJyYWdtYW50LmFwaTEuc2kiLCJleHAiOjE3Njk2MzA4NjQsImlhdCI6MTc2OTU0NDQ2NCwic3ViIjoiMDAwMzQ4LjkzYzQxYzJjZjY3MzQ0YmM5Y2EwMTdjMWUzOGE1YTczLjE4NDAiLCJjX2hhc2giOiJya2VUZ0NnSURVbW9NS3d4M0J1eDVnIiwiZW1haWwiOiJpYW1pYmFkZEBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXV0aF90aW1lIjoxNzY5NTQ0NDY0LCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.OTVJCINhSJZqpaLfBXPkk4esAsFvokSgf_HimC0_f7Mv2DWU9etuqb3Nm87ntGq8heDnQbK4nV-j8RIzO51lKRDKMFs1Gv4t_2Xl-dIlxMlBxKMmgn-s2ppeRJTElT74qbRKVTpkXnaICHfSedraFk9Ihs0RxrCnltV23_LbMRzRNRrgORbQ6RQkiwO1CAoVYiwvrTJqyaPaFeefb20CyxykXwRE98Z4odb6WEM50UhBJdi9ybJmwoadAZz8Cd-JASnRb5z0LbvyuvvjuFlpTcYgWUumG1L1VE-BWn3DdALFwb86ezRfgU4HMruleq3AQx2Ea6ALWGD4Z_lj5c-ZzA"
    }
[01:07:45.118] INFO (35079):
    method: "GET"
    url: "/v1/bauth/callback/apple?"
    statusCode: 302
    duration: "3ms"
[01:07:45.436] INFO (35079):
    method: "GET"
    url: "/v1/bauth/error?state=state_not_found"
    statusCode: 200
    duration: "9ms"

Client Secret is generated using https://www.better-auth.com/docs/authentication/apple

JWT Decode

{
  "alg": "ES256",
  "kid": "Key ID from the Apple Developer portal", // correct
  "typ": "JWT"
}

{
  "iss": "Apple Team ID", // correct
  "aud": "https://appleid.apple.com",
  "sub": "Apple Service ID (clientId)", // correct
  "iat": 1769547905,
  "exp": 1785099905
}

Current vs. Expected behavior

Apple signin should work but fails with state_not_found

What version of Better Auth are you using?

1.14.17

System info

N/A

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

basePath: `/${betterAuthBasePath}/bauth`,
  socialProviders: {
    google: {
      prompt: 'select_account',
      clientId: googleClientId,
      clientSecret: googleClientSecret,
    },
    apple: {
      clientId: appleClientId,
      clientSecret: appleClientSecret,
    },

 trustedOrigins: ["https://merge-shield-basin-members.trycloudflare.com", "https://appleid.apple.com",  "https://nation-crucial-possession-fast.trycloudflare.com"]
  cookies: {
    state: {
      attributes: {
        sameSite: 'none',
        secure: true,
        httpOnly: true,
      },
    },
  },
  trustedOrigins: corsAllowedOrigins,
  advanced: {
    disableOriginCheck: true,
    useSecureCookies: true,
    defaultCookieAttributes: {
      sameSite: 'none',
      secure: true,
      httpOnly: true,
    },
  },

Additional context

No response

Originally created by @iamibadd on GitHub (Jan 27, 2026). ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce I’m using better-auth v1.4.17 with social sign-in enabled. Google OAuth works as expected, but Apple sign-in consistently fails with `state_not_found`. For context, in Apple Developer settings: Frontend domain: merge-shield-basin-members.trycloudflare.com Backend callback URL: https://nation-crucial-possession-fast.trycloudflare.com/v1/bauth/callback/apple Both are added under Website URLs for the Apple Service ID. backend ```JS basePath: `/${betterAuthBasePath}/bauth`, socialProviders: { google: { prompt: 'select_account', clientId: googleClientId, clientSecret: googleClientSecret, }, apple: { clientId: appleClientId, clientSecret: appleClientSecret, }, trustedOrigins: ["https://merge-shield-basin-members.trycloudflare.com", "https://appleid.apple.com", "https://nation-crucial-possession-fast.trycloudflare.com"] cookies: { state: { attributes: { sameSite: 'none', secure: true, httpOnly: true, }, }, }, trustedOrigins: corsAllowedOrigins, advanced: { disableOriginCheck: true, useSecureCookies: true, defaultCookieAttributes: { sameSite: 'none', secure: true, httpOnly: true, }, }, ``` fronted ```JS import { createAuthClient } from 'better-auth/react'; const backendBaseUrl = 'https://nation-crucial-possession-fast.trycloudflare.com'; const backendApiVersion = 'v1'; const authClient = createAuthClient({ baseURL: backendBaseUrl, basePath: `/${backendApiVersion}/bauth`, }); await authClient.signIn.social({ provider: 'google', }); await authClient.signIn.social({ provider: 'apple', }); ``` Backend logs ``` [01:07:30.997] INFO (35079): method: "POST" url: "/v1/bauth/sign-in/social" statusCode: 200 duration: "112ms" body: { "provider": "apple" } 2026-01-27T20:07:45.117Z ERROR [Better Auth]: State not found undefined [01:07:45.035] INFO (35079): method: "POST" url: "/v1/bauth/callback/apple" statusCode: 302 duration: "15ms" body: { "state": "y9gAalJL9dDqZHhP7fszmEoubhMJoEWJ", "code": "cb42678ed0ff543f5af5a7bd243a2c56d.0.stuy.SVhcq1fK7zMK0_I1slU2kQ", "id_token": "eyJraWQiOiJiRnd6bGVSOHRmIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLmJyYWdtYW50LmFwaTEuc2kiLCJleHAiOjE3Njk2MzA4NjQsImlhdCI6MTc2OTU0NDQ2NCwic3ViIjoiMDAwMzQ4LjkzYzQxYzJjZjY3MzQ0YmM5Y2EwMTdjMWUzOGE1YTczLjE4NDAiLCJjX2hhc2giOiJya2VUZ0NnSURVbW9NS3d4M0J1eDVnIiwiZW1haWwiOiJpYW1pYmFkZEBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXV0aF90aW1lIjoxNzY5NTQ0NDY0LCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.OTVJCINhSJZqpaLfBXPkk4esAsFvokSgf_HimC0_f7Mv2DWU9etuqb3Nm87ntGq8heDnQbK4nV-j8RIzO51lKRDKMFs1Gv4t_2Xl-dIlxMlBxKMmgn-s2ppeRJTElT74qbRKVTpkXnaICHfSedraFk9Ihs0RxrCnltV23_LbMRzRNRrgORbQ6RQkiwO1CAoVYiwvrTJqyaPaFeefb20CyxykXwRE98Z4odb6WEM50UhBJdi9ybJmwoadAZz8Cd-JASnRb5z0LbvyuvvjuFlpTcYgWUumG1L1VE-BWn3DdALFwb86ezRfgU4HMruleq3AQx2Ea6ALWGD4Z_lj5c-ZzA" } [01:07:45.118] INFO (35079): method: "GET" url: "/v1/bauth/callback/apple?" statusCode: 302 duration: "3ms" [01:07:45.436] INFO (35079): method: "GET" url: "/v1/bauth/error?state=state_not_found" statusCode: 200 duration: "9ms" ``` Client Secret is generated using https://www.better-auth.com/docs/authentication/apple JWT Decode ```json { "alg": "ES256", "kid": "Key ID from the Apple Developer portal", // correct "typ": "JWT" } { "iss": "Apple Team ID", // correct "aud": "https://appleid.apple.com", "sub": "Apple Service ID (clientId)", // correct "iat": 1769547905, "exp": 1785099905 } ``` ### Current vs. Expected behavior Apple signin should work but fails with state_not_found ### What version of Better Auth are you using? 1.14.17 ### System info ```bash N/A ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript basePath: `/${betterAuthBasePath}/bauth`, socialProviders: { google: { prompt: 'select_account', clientId: googleClientId, clientSecret: googleClientSecret, }, apple: { clientId: appleClientId, clientSecret: appleClientSecret, }, trustedOrigins: ["https://merge-shield-basin-members.trycloudflare.com", "https://appleid.apple.com", "https://nation-crucial-possession-fast.trycloudflare.com"] cookies: { state: { attributes: { sameSite: 'none', secure: true, httpOnly: true, }, }, }, trustedOrigins: corsAllowedOrigins, advanced: { disableOriginCheck: true, useSecureCookies: true, defaultCookieAttributes: { sameSite: 'none', secure: true, httpOnly: true, }, }, ``` ### Additional context _No response_
GiteaMirror added the social-provider label 2026-03-13 10:19:27 -05:00
GiteaMirror commented 2026-03-13 10:19:28 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Jan 27, 2026):

It looks like you're experiencing a state_not_found error with Apple sign-in while using Better Auth. This issue often occurs due to cookie configurations or state management during the OAuth process. Here are some steps to troubleshoot this issue:

  1. Cookie Configuration: Ensure that your cookies are configured correctly. You have set SameSite=None and secure=true, which are correct for cross-site cookies. Make sure this is applied uniformly across your system.

    For example, ensure your auth configuration includes:

    cookies: {
    state: {
        attributes: {
            sameSite: 'none',
            secure: true,
            httpOnly: true,
        },
    },
}

    In addition, you might want to check if the cookies are being sent and received properly during the Apple sign-in flow.

  2. Frontend and Backend URL Mismatch: Verify that the frontend and backend URLs specified in both your Apple Developer settings and application configuration match perfectly. These include the frontend domain and the backend callback URL.

  3. Trusted Origins: You have set a trusted origins list, ensure that the origins defined allow the necessary CORS requests for both the frontend and Apple's services:

    trustedOrigins: ["https://merge-shield-basin-members.trycloudflare.com", "https://appleid.apple.com",  "https://nation-crucial-possession-fast.trycloudflare.com"]

  4. State Parameter: The state parameter is crucial for preventing CSRF attacks. Make sure that the state parameter is being generated and passed correctly in the requests, and that it's stored and retrieved correctly in your backend.

If you're still encountering issues, consider checking the logs for more detailed errors or warnings. If you continue to experience problems, I would recommend tagging @bekacru or @ping__ from the Better Auth team for specific guidance.

How are you planning to address the cookie configurations and testing those for the Apple sign-in?

If you need more help, tag @better-auth-agent in a comment so I can respond.

DiagramDiscordGitHub

Diagram Join Star

@better-auth-agent[bot] commented on GitHub (Jan 27, 2026): It looks like you're experiencing a `state_not_found` error with Apple sign-in while using Better Auth. This issue often occurs due to cookie configurations or state management during the OAuth process. Here are some steps to troubleshoot this issue: 1. **Cookie Configuration**: Ensure that your cookies are configured correctly. You have set `SameSite=None` and `secure=true`, which are correct for cross-site cookies. Make sure this is applied uniformly across your system. For example, ensure your auth configuration includes: ```typescript cookies: { state: { attributes: { sameSite: 'none', secure: true, httpOnly: true, }, }, } ``` In addition, you might want to check if the cookies are being sent and received properly during the Apple sign-in flow. 2. **Frontend and Backend URL Mismatch**: Verify that the frontend and backend URLs specified in both your Apple Developer settings and application configuration match perfectly. These include the frontend domain and the backend callback URL. 3. **Trusted Origins**: You have set a trusted origins list, ensure that the origins defined allow the necessary CORS requests for both the frontend and Apple's services: ```typescript trustedOrigins: ["https://merge-shield-basin-members.trycloudflare.com", "https://appleid.apple.com", "https://nation-crucial-possession-fast.trycloudflare.com"] ``` 4. **State Parameter**: The state parameter is crucial for preventing CSRF attacks. Make sure that the state parameter is being generated and passed correctly in the requests, and that it's stored and retrieved correctly in your backend. If you're still encountering issues, consider checking the logs for more detailed errors or warnings. If you continue to experience problems, I would recommend tagging @bekacru or @ping__ from the Better Auth team for specific guidance. How are you planning to address the cookie configurations and testing those for the Apple sign-in? _If you need more help, tag @better-auth-agent in a comment so I can respond._ <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-03-13 10:19:31 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Jan 27, 2026):

The root cause is that Apple’s OAuth callback uses a POST request with responseMode=form_post, which triggers stricter browser cookie rules than Google’s GET-based callback. If the state cookie isn’t set with SameSite=None and Secure=true, browsers won’t send it on the POST callback, leading to state_not_found—even if Google sign-in works fine. This is a known issue in Better Auth and other OAuth frameworks [1] [2].

You already have advanced.cookies.state.attributes set to SameSite=None and Secure=true, which is correct. Here’s a focused checklist to resolve or debug further:

  1. Double-check that BETTER_AUTH_URL is set to your production domain (not localhost) everywhere, including your deployment environment [1].
  2. Make sure all URLs (frontend, backend, Apple Developer settings) use the same HTTPS domain and match exactly—including protocol (https), subdomain, and path.
  3. In the browser, inspect the network tab during the Apple callback. Confirm that the state cookie is present and sent with the POST request to /v1/bauth/callback/apple. If it’s missing, the browser is blocking it due to a domain, path, or SameSite mismatch.
  4. If you’re using proxies (like Cloudflare), ensure they aren’t stripping cookies or altering headers.
  5. If you have custom CORS or middleware logic, verify it doesn’t interfere with cookies on the callback route.
  6. If you’re still stuck, try using the same domain for both frontend and backend as a minimal test case to rule out cross-domain issues.

If you want to debug deeper, enable verbose logging and check for any errors about missing or mismatched state cookies in your backend logs. You can also temporarily set skipStateCookieCheck: true to confirm if the state check is the blocker (not recommended for production).

References:

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other

Chat with Dosu Open in Cursor Join Discord Share on X

@dosubot[bot] commented on GitHub (Jan 27, 2026): <!-- Answer --> The root cause is that Apple’s OAuth callback uses a POST request with responseMode=form_post, which triggers stricter browser cookie rules than Google’s GET-based callback. If the state cookie isn’t set with SameSite=None and Secure=true, browsers won’t send it on the POST callback, leading to state_not_found—even if Google sign-in works fine. This is a known issue in Better Auth and other OAuth frameworks [[1]](https://github.com/better-auth/better-auth/issues/5243) [[2]](https://github.com/better-auth/better-auth/issues/5227). You already have advanced.cookies.state.attributes set to SameSite=None and Secure=true, which is correct. Here’s a focused checklist to resolve or debug further: 1. Double-check that BETTER_AUTH_URL is set to your production domain (not localhost) everywhere, including your deployment environment [[1]](https://github.com/better-auth/better-auth/issues/5243). 2. Make sure all URLs (frontend, backend, Apple Developer settings) use the same HTTPS domain and match exactly—including protocol (https), subdomain, and path. 3. In the browser, inspect the network tab during the Apple callback. Confirm that the state cookie is present and sent with the POST request to /v1/bauth/callback/apple. If it’s missing, the browser is blocking it due to a domain, path, or SameSite mismatch. 4. If you’re using proxies (like Cloudflare), ensure they aren’t stripping cookies or altering headers. 5. If you have custom CORS or middleware logic, verify it doesn’t interfere with cookies on the callback route. 6. If you’re still stuck, try using the same domain for both frontend and backend as a minimal test case to rule out cross-domain issues. If you want to debug deeper, enable verbose logging and check for any errors about missing or mismatched state cookies in your backend logs. You can also temporarily set skipStateCookieCheck: true to confirm if the state check is the blocker (not recommended for production). References: - [Known issue and workaround](https://github.com/better-auth/better-auth/issues/5243) - [Checklist and troubleshooting steps](https://github.com/better-auth/better-auth/issues/5227) <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/c59d5150-ef2d-48b6-83b4-374fa697a201?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/c59d5150-ef2d-48b6-83b4-374fa697a201?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/c59d5150-ef2d-48b6-83b4-374fa697a201?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/c59d5150-ef2d-48b6-83b4-374fa697a201?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/c59d5150-ef2d-48b6-83b4-374fa697a201?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/c59d5150-ef2d-48b6-83b4-374fa697a201?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/c59d5150-ef2d-48b6-83b4-374fa697a201?feedback_type=other)</sup> [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Open in Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=The%20root%20cause%20is%20that%20Apple%E2%80%99s%20OAuth%20callback%20uses%20a%20POST%20request%20with%20responseMode%3Dform_post%2C%20which%20triggers%20stricter%20browser%20cookie%20rules%20than%20Google%E2%80%99s%20GET-based%20callback.%20If%20the%20state%20cookie%20isn%E2%80%99t%20set%20with%20SameSite%3DNone%20and%20Secure%3Dtrue%2C%20browsers%20won%E2%80%99t%20send%20it%20on%20the%20POST%20callback%2C%20leading%20to%20state_not_found%E2%80%94even%20if%20Google%20sign-in%20works%20fine.%20This%20is%20a%20known%20issue%20in%20Better%20Auth%20and%20other%20OAuth%20frameworks%20%5B%5B1%5D%5D%28https%3A//github.com/better-auth/better-auth/issues/5243%29%20%5B%5B2%5D%5D%28https%3A//github.com/better-auth/better-auth/issues/5227%29.%0A%0AYou%20already%20have%20advanced.cookies.state.attributes%20set%20to%20SameSite%3DNone%20and%20Secure%3Dtrue%2C%20which%20is%20correct.%20Here%E2%80%99s%20a%20focused%20checklist%20to%20resolve%20or%20debug%20further%3A%0A%0A1.%20Double-check%20that%20BETTER_AUTH_URL%20is%20set%20to%20your%20production%20domain%20%28not%20localhost%29%20everywhere%2C%20including%20your%20deployment%20environment%20%5B%5B1%5D%5D%28https%3A//github.com/better-auth/better-auth/issues/5243%29.%0A2.%20Make%20sure%20all%20URLs%20%28frontend%2C%20backend%2C%20Apple%20Developer%20settings%29%20use%20the%20same%20HTTPS%20domain%20and%20match%20exactly%E2%80%94including%20protocol%20%28https%29%2C%20subdomain%2C%20and%20path.%0A3.%20In%20the%20browser%2C%20inspect%20the%20network%20tab%20during%20the%20Apple%20callback.%20Confirm%20that%20the%20state%20cookie%20is%20present%20and%20sent%20with%20the%20POST%20request%20to%20/v1/bauth/callback/apple.%20If%20it%E2%80%99s%20missing%2C%20the%20browser%20is%20blocking%20it%20due%20to%20a%20domain%2C%20path%2C%20or%20SameSite%20mismatch.%0A4.%20If%20you%E2%80%99re%20using%20proxies%20%28like%20Cloudflare%29%2C%20ensure%20they%20aren%E2%80%99t%20stripping%20cookies%20or%20altering%20headers.%0A5.%20If%20you%20have%20custom%20CORS%20or%20middleware%20logic%2C%20verify%20it%20doesn%E2%80%99t%20interfere%20with%20cookies%20on%20the%20callback%20route.%0A6.%20If%20you%E2%80%99re%20still%20stuck%2C%20try%20using%20the%20same%20domain%20for%20both%20frontend%20and%20backend%20as%20a%20minimal%20test%20case%20to%20rule%20out%20cross-domain%20issues.%0A%0AIf%20you%20want%20to%20debug%20deeper%2C%20enable%20verbose%20logging%20and%20check%20for%20any%20errors%20about%20missing%20or%20mismatched%20state%20cookies%20in%20your%20backend%20logs.%20You%20can%20also%20temporarily%20set%20skipStateCookieCheck%3A%20true%20to%20confirm%20if%20the%20state%20check%20is%20the%20blocker%20%28not%20recommended%20for%20production%29.%0A%0AReferences%3A%20%20%0A-%20%5BKnown%20issue%20and%20workaround%5D%28https%3A//github.com/better-auth/better-auth/issues/5243%29%20%20%0A-%20%5BChecklist%20and%20troubleshooting%20steps%5D%28https%3A//github.com/better-auth/better-auth/issues/5227%29)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/7642)
GiteaMirror commented 2026-03-13 10:19:33 -05:00
Author
Owner
Copy Link

@iamibadd commented on GitHub (Jan 27, 2026):

@better-auth-agent @dosu

While debugging the /callback/apple endpoint using the browser’s DevTools, I noticed that no Set-Cookie headers are present in the response. I compared this with the Google OAuth callback, where the cookies are correctly set using the same configuration.

Since the Google flow works as expected but the Apple flow does not, what could cause Set-Cookie headers to be missing specifically in the Apple callback despite using identical cookie and session settings?

Sharing the inspect data

Request URL
https://nation-crucial-possession-fast.trycloudflare.com/v1/bauth/callback/apple
Request Method
POST
Status Code
302 Found
Remote Address
104.16.231.132:443
Referrer Policy
strict-origin-when-cross-origin
access-control-allow-credentials
true
access-control-allow-origin
https://appleid.apple.com
cf-cache-status
DYNAMIC
cf-ray
9c4b71dab8abb7f7-KHI
content-length
0
content-security-policy
default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
content-type
application/json
cross-origin-opener-policy
same-origin
cross-origin-resource-policy
same-origin
date
Tue, 27 Jan 2026 21:46:46 GMT
location
https://nation-crucial-possession-fast.trycloudflare.com/v1/bauth/callback/apple?
origin-agent-cluster
?1
referrer-policy
no-referrer
server
cloudflare
strict-transport-security
max-age=31536000; includeSubDomains
vary
Origin, Accept-Encoding
x-content-type-options
nosniff
x-dns-prefetch-control
off
x-download-options
noopen
x-frame-options
SAMEORIGIN
x-permitted-cross-domain-policies
none
x-xss-protection
0
:authority
nation-crucial-possession-fast.trycloudflare.com
:method
POST
:path
/v1/bauth/callback/apple
:scheme
https
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
accept-encoding
gzip, deflate, br, zstd
accept-language
en-US,en;q=0.9
cache-control
max-age=0
content-length
883
content-type
application/x-www-form-urlencoded
cookie
__Secure-better-auth.session_token=0p4Ha8UhVbEtFfmkuz0y6fxLoMWvhyvF.qQnhzo5bLnnQAwms6lKnDblgL1l7NUWT3%2F7jDAOtysg%3D; better-auth.last_used_login_method=google; __Secure-better-auth.state=ExZmVSE5PqQyS7BAeKfcn4M4ya-lUqfM.e4w%2BI6vHOskdWLh6ayhs7vRZlhQK%2BHh6UM4nNrECSXI%3D
origin
https://appleid.apple.com
priority
u=0, i
referer
https://appleid.apple.com/
sec-ch-ua
"Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"
sec-ch-ua-mobile
?0
sec-ch-ua-platform
"macOS"
sec-fetch-dest
document
sec-fetch-mode
navigate
sec-fetch-site
cross-site
sec-fetch-user
?1
upgrade-insecure-requests
1
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
@iamibadd commented on GitHub (Jan 27, 2026): @better-auth-agent @dosu While debugging the /callback/apple endpoint using the browser’s DevTools, I noticed that no Set-Cookie headers are present in the response. I compared this with the Google OAuth callback, where the cookies are correctly set using the same configuration. Since the Google flow works as expected but the Apple flow does not, what could cause Set-Cookie headers to be missing specifically in the Apple callback despite using identical cookie and session settings? Sharing the inspect data ``` Request URL https://nation-crucial-possession-fast.trycloudflare.com/v1/bauth/callback/apple Request Method POST Status Code 302 Found Remote Address 104.16.231.132:443 Referrer Policy strict-origin-when-cross-origin access-control-allow-credentials true access-control-allow-origin https://appleid.apple.com cf-cache-status DYNAMIC cf-ray 9c4b71dab8abb7f7-KHI content-length 0 content-security-policy default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests content-type application/json cross-origin-opener-policy same-origin cross-origin-resource-policy same-origin date Tue, 27 Jan 2026 21:46:46 GMT location https://nation-crucial-possession-fast.trycloudflare.com/v1/bauth/callback/apple? origin-agent-cluster ?1 referrer-policy no-referrer server cloudflare strict-transport-security max-age=31536000; includeSubDomains vary Origin, Accept-Encoding x-content-type-options nosniff x-dns-prefetch-control off x-download-options noopen x-frame-options SAMEORIGIN x-permitted-cross-domain-policies none x-xss-protection 0 :authority nation-crucial-possession-fast.trycloudflare.com :method POST :path /v1/bauth/callback/apple :scheme https accept text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding gzip, deflate, br, zstd accept-language en-US,en;q=0.9 cache-control max-age=0 content-length 883 content-type application/x-www-form-urlencoded cookie __Secure-better-auth.session_token=0p4Ha8UhVbEtFfmkuz0y6fxLoMWvhyvF.qQnhzo5bLnnQAwms6lKnDblgL1l7NUWT3%2F7jDAOtysg%3D; better-auth.last_used_login_method=google; __Secure-better-auth.state=ExZmVSE5PqQyS7BAeKfcn4M4ya-lUqfM.e4w%2BI6vHOskdWLh6ayhs7vRZlhQK%2BHh6UM4nNrECSXI%3D origin https://appleid.apple.com priority u=0, i referer https://appleid.apple.com/ sec-ch-ua "Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144" sec-ch-ua-mobile ?0 sec-ch-ua-platform "macOS" sec-fetch-dest document sec-fetch-mode navigate sec-fetch-site cross-site sec-fetch-user ?1 upgrade-insecure-requests 1 user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 ```
GiteaMirror commented 2026-03-13 10:19:34 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Jan 27, 2026):

It seems that you're encountering the "state_not_found" error when trying to use Apple Sign-In with Better Auth. This error typically arises when the authentication state isn't preserved correctly, which can be due to several factors, particularly related to cookies and the configuration of trusted origins.

Here are some steps you can take to troubleshoot this issue:

  1. Check Cookies: Since you're noticing that Set-Cookie headers are missing during the Apple callback, ensure that the cookies are being handled correctly. The httpOnly and secure properties in your cookie configuration should be set correctly, and make sure that the client makes requests over HTTPS.

  2. Trusted Origins: Verify that the list of trustedOrigins includes all necessary URLs. Sometimes, Origin mismatches can lead to this issue. Double-check that both front-end and back-end domains are configured and match exactly with what's allowed in the Apple Developer settings.

  3. State Parameter: Ensure that you are correctly managing the state parameter during the authentication flow. The state value that is passed in the initial request needs to match what is expected in the callback. Issues with cookie storage can cause mismatches.

  4. CORS Settings: Since the workflow involves cross-origin requests (from Apple back to your server), make sure your backend is correctly handling CORS headers, specifically allowing credentials.

  5. Debugging Logs: Add more logging around the state management on both the client and backend sides to ensure that the state is being set and retrieved correctly.

Since the Google OAuth works with the same setup, using the Apple OAuth flow might require a few tweaks, particularly in how cookies and state are managed.

If these suggestions don't resolve your issue, please consider tagging the Better Auth team members, Beka (@bekacru) or Max (@ping__), for further assistance.

What additional details could help troubleshoot this issue further?

DiagramDiscordGitHub

Diagram Join Star

@better-auth-agent[bot] commented on GitHub (Jan 27, 2026): It seems that you're encountering the "state_not_found" error when trying to use Apple Sign-In with Better Auth. This error typically arises when the authentication state isn't preserved correctly, which can be due to several factors, particularly related to cookies and the configuration of trusted origins. Here are some steps you can take to troubleshoot this issue: 1. **Check Cookies**: Since you're noticing that Set-Cookie headers are missing during the Apple callback, ensure that the cookies are being handled correctly. The `httpOnly` and `secure` properties in your cookie configuration should be set correctly, and make sure that the client makes requests over HTTPS. 2. **Trusted Origins**: Verify that the list of `trustedOrigins` includes all necessary URLs. Sometimes, Origin mismatches can lead to this issue. Double-check that both front-end and back-end domains are configured and match exactly with what's allowed in the Apple Developer settings. 3. **State Parameter**: Ensure that you are correctly managing the `state` parameter during the authentication flow. The `state` value that is passed in the initial request needs to match what is expected in the callback. Issues with cookie storage can cause mismatches. 4. **CORS Settings**: Since the workflow involves cross-origin requests (from Apple back to your server), make sure your backend is correctly handling CORS headers, specifically allowing credentials. 5. **Debugging Logs**: Add more logging around the state management on both the client and backend sides to ensure that the state is being set and retrieved correctly. Since the Google OAuth works with the same setup, using the Apple OAuth flow might require a few tweaks, particularly in how cookies and state are managed. If these suggestions don't resolve your issue, please consider tagging the Better Auth team members, Beka (@bekacru) or Max (@ping__), for further assistance. What additional details could help troubleshoot this issue further? <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-03-13 10:19:35 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Jan 27, 2026):

This is expected behavior: Apple’s OAuth callback uses a POST request, and Better Auth immediately redirects it to a GET on the same endpoint before setting any cookies. The POST response (302 Found) never includes Set-Cookie headers—cookies are only set in the GET response that follows the redirect. This pattern avoids browser restrictions on cookies for cross-site POSTs and is standard for OAuth flows with providers like Apple. Google’s callback uses GET directly, so the Set-Cookie header appears in the initial response, which is why you see cookies for Google but not Apple in the POST response.

To confirm cookies are set correctly, inspect the GET request after the POST redirect. If cookies are still missing there, check for proxy/middleware interference (like Cloudflare) and review your cookie config and domain alignment. More details: callback endpoint logic.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other

Chat with Dosu Open in Cursor Join Discord Share on X

@dosubot[bot] commented on GitHub (Jan 27, 2026): <!-- Answer --> This is expected behavior: Apple’s OAuth callback uses a POST request, and Better Auth immediately redirects it to a GET on the same endpoint before setting any cookies. The POST response (302 Found) never includes Set-Cookie headers—cookies are only set in the GET response that follows the redirect. This pattern avoids browser restrictions on cookies for cross-site POSTs and is standard for OAuth flows with providers like Apple. Google’s callback uses GET directly, so the Set-Cookie header appears in the initial response, which is why you see cookies for Google but not Apple in the POST response. To confirm cookies are set correctly, inspect the GET request after the POST redirect. If cookies are still missing there, check for proxy/middleware interference (like Cloudflare) and review your cookie config and domain alignment. More details: [callback endpoint logic](https://github.com/better-auth/better-auth/blob/d1602ef0ae9822e462a5a42497072a0a1756e804/packages/better-auth/src/api/routes/callback.ts#L20-L283). <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/b25e0c9b-a1e8-41b5-b237-5b56a10436f1?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/b25e0c9b-a1e8-41b5-b237-5b56a10436f1?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/b25e0c9b-a1e8-41b5-b237-5b56a10436f1?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/b25e0c9b-a1e8-41b5-b237-5b56a10436f1?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/b25e0c9b-a1e8-41b5-b237-5b56a10436f1?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/b25e0c9b-a1e8-41b5-b237-5b56a10436f1?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/b25e0c9b-a1e8-41b5-b237-5b56a10436f1?feedback_type=other)</sup> [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Open in Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=This%20is%20expected%20behavior%3A%20Apple%E2%80%99s%20OAuth%20callback%20uses%20a%20POST%20request%2C%20and%20Better%20Auth%20immediately%20redirects%20it%20to%20a%20GET%20on%20the%20same%20endpoint%20before%20setting%20any%20cookies.%20The%20POST%20response%20%28302%20Found%29%20never%20includes%20Set-Cookie%20headers%E2%80%94cookies%20are%20only%20set%20in%20the%20GET%20response%20that%20follows%20the%20redirect.%20This%20pattern%20avoids%20browser%20restrictions%20on%20cookies%20for%20cross-site%20POSTs%20and%20is%20standard%20for%20OAuth%20flows%20with%20providers%20like%20Apple.%20Google%E2%80%99s%20callback%20uses%20GET%20directly%2C%20so%20the%20Set-Cookie%20header%20appears%20in%20the%20initial%20response%2C%20which%20is%20why%20you%20see%20cookies%20for%20Google%20but%20not%20Apple%20in%20the%20POST%20response.%20%0A%0ATo%20confirm%20cookies%20are%20set%20correctly%2C%20inspect%20the%20GET%20request%20after%20the%20POST%20redirect.%20If%20cookies%20are%20still%20missing%20there%2C%20check%20for%20proxy/middleware%20interference%20%28like%20Cloudflare%29%20and%20review%20your%20cookie%20config%20and%20domain%20alignment.%20More%20details%3A%20%5Bcallback%20endpoint%20logic%5D%28https%3A//github.com/better-auth/better-auth/blob/d1602ef0ae9822e462a5a42497072a0a1756e804/packages/better-auth/src/api/routes/callback.ts%23L20-L283%29.)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/7642)
GiteaMirror commented 2026-03-13 10:19:36 -05:00
Author
Owner
Copy Link

@iamibadd commented on GitHub (Jan 27, 2026):

@dosu

There are no Set-Cookies headers either in the GET call

Request URL
https://nation-crucial-possession-fast.trycloudflare.com/v1/bauth/callback/apple?
Request Method
GET
Status Code
302 Found
Remote Address
104.16.230.132:443
Referrer Policy
strict-origin-when-cross-origin
access-control-allow-credentials
true
cf-cache-status
DYNAMIC
cf-ray
9c4b859d194e5b2e-KHI
content-length
0
content-security-policy
default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
content-type
application/json
cross-origin-opener-policy
same-origin
cross-origin-resource-policy
same-origin
date
Tue, 27 Jan 2026 22:00:16 GMT
location
https://nation-crucial-possession-fast.trycloudflare.com/v1/bauth/error?state=state_not_found
origin-agent-cluster
?1
referrer-policy
no-referrer
server
cloudflare
strict-transport-security
max-age=31536000; includeSubDomains
vary
Origin, Accept-Encoding
x-content-type-options
nosniff
x-dns-prefetch-control
off
x-download-options
noopen
x-frame-options
SAMEORIGIN
x-permitted-cross-domain-policies
none
x-xss-protection
0
:authority
nation-crucial-possession-fast.trycloudflare.com
:method
GET
:path
/v1/bauth/callback/apple?
:scheme
https
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
accept-encoding
gzip, deflate, br, zstd
accept-language
en-US,en;q=0.9
cache-control
max-age=0
cookie
better-auth.last_used_login_method=google; __Secure-better-auth.session_token=yjJUX7FYT0eOV6MIod1wtoXIUyTR1Fbq.Siu8h5zGjswUfaSCFj2zal9qrKEbz6eaoj3Vmshi%2FDs%3D; __Secure-better-auth.state=kjUPkJM12lualHVYD6_ySKWDMceb5pOP.B1CmyOzfSaIuT%2ByyxhNqG0%2BmAaf3v5iKJvzFlB5MjKE%3D
priority
u=0, i
sec-ch-ua
"Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"
sec-ch-ua-mobile
?0
sec-ch-ua-platform
"macOS"
sec-fetch-dest
document
sec-fetch-mode
navigate
sec-fetch-site
cross-site
sec-fetch-user
?1
upgrade-insecure-requests
1
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
@iamibadd commented on GitHub (Jan 27, 2026): @dosu There are no Set-Cookies headers either in the GET call ``` Request URL https://nation-crucial-possession-fast.trycloudflare.com/v1/bauth/callback/apple? Request Method GET Status Code 302 Found Remote Address 104.16.230.132:443 Referrer Policy strict-origin-when-cross-origin access-control-allow-credentials true cf-cache-status DYNAMIC cf-ray 9c4b859d194e5b2e-KHI content-length 0 content-security-policy default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests content-type application/json cross-origin-opener-policy same-origin cross-origin-resource-policy same-origin date Tue, 27 Jan 2026 22:00:16 GMT location https://nation-crucial-possession-fast.trycloudflare.com/v1/bauth/error?state=state_not_found origin-agent-cluster ?1 referrer-policy no-referrer server cloudflare strict-transport-security max-age=31536000; includeSubDomains vary Origin, Accept-Encoding x-content-type-options nosniff x-dns-prefetch-control off x-download-options noopen x-frame-options SAMEORIGIN x-permitted-cross-domain-policies none x-xss-protection 0 :authority nation-crucial-possession-fast.trycloudflare.com :method GET :path /v1/bauth/callback/apple? :scheme https accept text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding gzip, deflate, br, zstd accept-language en-US,en;q=0.9 cache-control max-age=0 cookie better-auth.last_used_login_method=google; __Secure-better-auth.session_token=yjJUX7FYT0eOV6MIod1wtoXIUyTR1Fbq.Siu8h5zGjswUfaSCFj2zal9qrKEbz6eaoj3Vmshi%2FDs%3D; __Secure-better-auth.state=kjUPkJM12lualHVYD6_ySKWDMceb5pOP.B1CmyOzfSaIuT%2ByyxhNqG0%2BmAaf3v5iKJvzFlB5MjKE%3D priority u=0, i sec-ch-ua "Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144" sec-ch-ua-mobile ?0 sec-ch-ua-platform "macOS" sec-fetch-dest document sec-fetch-mode navigate sec-fetch-site cross-site sec-fetch-user ?1 upgrade-insecure-requests 1 user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 ```
GiteaMirror commented 2026-03-13 10:19:37 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Jan 27, 2026):

No Set-Cookie headers appear in the GET callback because Better Auth only sets cookies after successful state validation and session creation. If state validation fails (like state_not_found), the handler immediately redirects to an error URL without setting any cookies—so the GET response never includes Set-Cookie headers in this case. This isn’t a provider-specific bug; it’s the expected flow when the state is missing or invalid in the callback logic (source).

The root cause is almost always that the state cookie wasn’t set or sent correctly during the initial OAuth flow. For Apple, this is especially sensitive to SameSite and Secure cookie attributes, domain mismatches, and cross-site POST restrictions (source). Google works because its callback is a GET, which is less restrictive.

To debug: check that the state cookie is present in the browser before the callback, and that it’s sent with the POST to /callback/apple. If it’s missing, review your cookie config, domain alignment, and proxy settings (Cloudflare can sometimes interfere). Enable verbose backend logging to confirm whether the state cookie is present and valid at callback time. If everything looks correct, try a minimal test case (same domain for frontend/backend, no proxy) to rule out environmental issues.

If you want to diagnose further, you can temporarily set skipStateCookieCheck: true in your config to see if the flow works without strict state validation (not recommended for production).

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other

Chat with Dosu Open in Cursor Join Discord Share on X

@dosubot[bot] commented on GitHub (Jan 27, 2026): <!-- Answer --> No Set-Cookie headers appear in the GET callback because Better Auth only sets cookies after successful state validation and session creation. If state validation fails (like `state_not_found`), the handler immediately redirects to an error URL without setting any cookies—so the GET response never includes Set-Cookie headers in this case. This isn’t a provider-specific bug; it’s the expected flow when the state is missing or invalid in the callback logic ([source](https://github.com/better-auth/better-auth/blob/d1602ef0ae9822e462a5a42497072a0a1756e804/packages/better-auth/src/api/routes/callback.ts#L40-L271)). The root cause is almost always that the state cookie wasn’t set or sent correctly during the initial OAuth flow. For Apple, this is especially sensitive to SameSite and Secure cookie attributes, domain mismatches, and cross-site POST restrictions ([source](https://github.com/better-auth/better-auth/issues/5243)). Google works because its callback is a GET, which is less restrictive. To debug: check that the state cookie is present in the browser before the callback, and that it’s sent with the POST to `/callback/apple`. If it’s missing, review your cookie config, domain alignment, and proxy settings (Cloudflare can sometimes interfere). Enable verbose backend logging to confirm whether the state cookie is present and valid at callback time. If everything looks correct, try a minimal test case (same domain for frontend/backend, no proxy) to rule out environmental issues. If you want to diagnose further, you can temporarily set `skipStateCookieCheck: true` in your config to see if the flow works without strict state validation (not recommended for production). <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/f7a4618e-0754-4538-872e-38b0fd457da8?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/f7a4618e-0754-4538-872e-38b0fd457da8?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/f7a4618e-0754-4538-872e-38b0fd457da8?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/f7a4618e-0754-4538-872e-38b0fd457da8?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/f7a4618e-0754-4538-872e-38b0fd457da8?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/f7a4618e-0754-4538-872e-38b0fd457da8?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/f7a4618e-0754-4538-872e-38b0fd457da8?feedback_type=other)</sup> [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Open in Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=No%20Set-Cookie%20headers%20appear%20in%20the%20GET%20callback%20because%20Better%20Auth%20only%20sets%20cookies%20after%20successful%20state%20validation%20and%20session%20creation.%20If%20state%20validation%20fails%20%28like%20%60state_not_found%60%29%2C%20the%20handler%20immediately%20redirects%20to%20an%20error%20URL%20without%20setting%20any%20cookies%E2%80%94so%20the%20GET%20response%20never%20includes%20Set-Cookie%20headers%20in%20this%20case.%20This%20isn%E2%80%99t%20a%20provider-specific%20bug%3B%20it%E2%80%99s%20the%20expected%20flow%20when%20the%20state%20is%20missing%20or%20invalid%20in%20the%20callback%20logic%C2%A0%28%5Bsource%5D%28https%3A//github.com/better-auth/better-auth/blob/d1602ef0ae9822e462a5a42497072a0a1756e804/packages/better-auth/src/api/routes/callback.ts%23L40-L271%29%29.%0A%0AThe%20root%20cause%20is%20almost%20always%20that%20the%20state%20cookie%20wasn%E2%80%99t%20set%20or%20sent%20correctly%20during%20the%20initial%20OAuth%20flow.%20For%20Apple%2C%20this%20is%20especially%20sensitive%20to%20SameSite%20and%20Secure%20cookie%20attributes%2C%20domain%20mismatches%2C%20and%20cross-site%20POST%20restrictions%C2%A0%28%5Bsource%5D%28https%3A//github.com/better-auth/better-auth/issues/5243%29%29.%20Google%20works%20because%20its%20callback%20is%20a%20GET%2C%20which%20is%20less%20restrictive.%0A%0ATo%20debug%3A%20check%20that%20the%20state%20cookie%20is%20present%20in%20the%20browser%20before%20the%20callback%2C%20and%20that%20it%E2%80%99s%20sent%20with%20the%20POST%20to%20%60/callback/apple%60.%20If%20it%E2%80%99s%20missing%2C%20review%20your%20cookie%20config%2C%20domain%20alignment%2C%20and%20proxy%20settings%20%28Cloudflare%20can%20sometimes%20interfere%29.%20Enable%20verbose%20backend%20logging%20to%20confirm%20whether%20the%20state%20cookie%20is%20present%20and%20valid%20at%20callback%20time.%20If%20everything%20looks%20correct%2C%20try%20a%20minimal%20test%20case%20%28same%20domain%20for%20frontend/backend%2C%20no%20proxy%29%20to%20rule%20out%20environmental%20issues.%0A%0AIf%20you%20want%20to%20diagnose%20further%2C%20you%20can%20temporarily%20set%20%60skipStateCookieCheck%3A%20true%60%20in%20your%20config%20to%20see%20if%20the%20flow%20works%20without%20strict%20state%20validation%20%28not%20recommended%20for%20production%29.)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/7642)
GiteaMirror commented 2026-03-13 10:19:37 -05:00
Author
Owner
Copy Link

@iamibadd commented on GitHub (Jan 27, 2026):

@himself65

Could you please take a look? I've tried all the above solutions but nothing works.

@iamibadd commented on GitHub (Jan 27, 2026): @himself65 Could you please take a look? I've tried all the above solutions but nothing works.
GiteaMirror commented 2026-03-13 10:19:37 -05:00
Author
Owner
Copy Link

@iamibadd commented on GitHub (Jan 27, 2026):

@dosu

To debug: check that the state cookie is present in the browser before the callback, and that it’s sent with the POST to /callback/apple.

Which endpoint do I need to check?

Enable verbose backend logging to confirm whether the state cookie is present and valid at callback time.

How to enable verbose backend logging?

@iamibadd commented on GitHub (Jan 27, 2026): @dosu > To debug: check that the state cookie is present in the browser before the callback, and that it’s sent with the POST to /callback/apple. Which endpoint do I need to check? > Enable verbose backend logging to confirm whether the state cookie is present and valid at callback time. How to enable verbose backend logging?
GiteaMirror commented 2026-03-13 10:19:38 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Jan 27, 2026):

You should inspect the /v1/bauth/callback/apple endpoint—specifically, check that the __Secure-better-auth.state cookie is present in your browser before the POST request to this endpoint, and confirm that it’s sent with the POST itself. This is the critical moment for state validation in the Apple OAuth flow callback endpoint logic.

For backend logging: Better Auth logs errors (like missing state) by default using its internal logger (c.context.logger). These logs should show up in your backend’s standard output or log files—look for messages like "State not found" during the callback flow. There isn’t a built-in config or environment variable to enable extra verbose logging; if you need more detail, you’ll have to add custom log statements in your handler code or use external request tracing tools.

If the state cookie is present and you still get errors, double-check domain alignment and proxy settings, or (for diagnosis only) try setting skipStateCookieCheck: true to see if strict state validation is the blocker.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other

Chat with Dosu Open in Cursor Join Discord Share on X

@dosubot[bot] commented on GitHub (Jan 27, 2026): <!-- Answer --> You should inspect the /v1/bauth/callback/apple endpoint—specifically, check that the __Secure-better-auth.state cookie is present in your browser before the POST request to this endpoint, and confirm that it’s sent with the POST itself. This is the critical moment for state validation in the Apple OAuth flow [callback endpoint logic](https://github.com/better-auth/better-auth/blob/d1602ef0ae9822e462a5a42497072a0a1756e804/packages/better-auth/src/api/routes/callback.ts#L20-L284). For backend logging: Better Auth logs errors (like missing state) by default using its internal logger (c.context.logger). These logs should show up in your backend’s standard output or log files—look for messages like "State not found" during the callback flow. There isn’t a built-in config or environment variable to enable extra verbose logging; if you need more detail, you’ll have to add custom log statements in your handler code or use external request tracing tools. If the state cookie is present and you still get errors, double-check domain alignment and proxy settings, or (for diagnosis only) try setting skipStateCookieCheck: true to see if strict state validation is the blocker. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/3508e92d-5686-42c4-8af4-391fe52013bc?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/3508e92d-5686-42c4-8af4-391fe52013bc?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/3508e92d-5686-42c4-8af4-391fe52013bc?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/3508e92d-5686-42c4-8af4-391fe52013bc?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/3508e92d-5686-42c4-8af4-391fe52013bc?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/3508e92d-5686-42c4-8af4-391fe52013bc?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/3508e92d-5686-42c4-8af4-391fe52013bc?feedback_type=other)</sup> [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Open in Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=You%20should%20inspect%20the%20/v1/bauth/callback/apple%20endpoint%E2%80%94specifically%2C%20check%20that%20the%20__Secure-better-auth.state%20cookie%20is%20present%20in%20your%20browser%20before%20the%20POST%20request%20to%20this%20endpoint%2C%20and%20confirm%20that%20it%E2%80%99s%20sent%20with%20the%20POST%20itself.%20This%20is%20the%20critical%20moment%20for%20state%20validation%20in%20the%20Apple%20OAuth%20flow%C2%A0%5Bcallback%20endpoint%20logic%5D%28https%3A//github.com/better-auth/better-auth/blob/d1602ef0ae9822e462a5a42497072a0a1756e804/packages/better-auth/src/api/routes/callback.ts%23L20-L284%29.%0A%0AFor%20backend%20logging%3A%20Better%20Auth%20logs%20errors%20%28like%20missing%20state%29%20by%20default%20using%20its%20internal%20logger%20%28c.context.logger%29.%20These%20logs%20should%20show%20up%20in%20your%20backend%E2%80%99s%20standard%20output%20or%20log%20files%E2%80%94look%20for%20messages%20like%20%22State%20not%20found%22%20during%20the%20callback%20flow.%20There%20isn%E2%80%99t%20a%20built-in%20config%20or%20environment%20variable%20to%20enable%20extra%20verbose%20logging%3B%20if%20you%20need%20more%20detail%2C%20you%E2%80%99ll%20have%20to%20add%20custom%20log%20statements%20in%20your%20handler%20code%20or%20use%20external%20request%20tracing%20tools.%20%0A%0AIf%20the%20state%20cookie%20is%20present%20and%20you%20still%20get%20errors%2C%20double-check%20domain%20alignment%20and%20proxy%20settings%2C%20or%20%28for%20diagnosis%20only%29%20try%20setting%20skipStateCookieCheck%3A%20true%20to%20see%20if%20strict%20state%20validation%20is%20the%20blocker.)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/7642)
GiteaMirror commented 2026-03-13 10:19:39 -05:00
Author
Owner
Copy Link

@iamibadd commented on GitHub (Jan 27, 2026):

@dosu

I see this in my logs

2026-01-27T23:41:04.980Z ERROR [Better Auth]: State not found undefined
[04:41:04.899] INFO (18121):
    method: "POST"
    url: "/v1/bauth/callback/apple"
    statusCode: 302
    duration: "16ms"
    body: {
      "state": "6243o04OFfEdfR0LkEK1N-IiTqQp2ZYR",
      "code": "cf528e1c76a194fba948cb7bd3e650ccc.0.rtuy.Dedo11kbC55ChIDyMaPOyA",
      "id_token": "eyJraWQiOiJZUXJxZE1ENGJxIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnRyeWNsb3VkZmxhcmUubWVyZ2Utc2hpZWxkLWJhc2luLW1lbWJlcnMuc2kiLCJleHAiOjE3Njk2NDM2NjQsImlhdCI6MTc2OTU1NzI2NCwic3ViIjoiMDAwMzQ4LjkzYzQxYzJjZjY3MzQ0YmM5Y2EwMTdjMWUzOGE1YTczLjE4NDAiLCJjX2hhc2giOiI4UGN4VzJrRkdWeW1yWjcxM3NuNGV3IiwiZW1haWwiOiJpYW1pYmFkZEBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXV0aF90aW1lIjoxNzY5NTU3MjY0LCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.2K3T7KkZ_HpQS4uRgiFWalxy7CeHV7fgAI3wWtDMIc4nMmHySrLaKZHXcn2DQ3hkih2cOoN7m9eyEYFr4JTrUGNnJF_IFp1JQhS9reUpC3oSUPwX4PagtPGR72AE50UU3qOYe3iBsPnhQjmM0ku-zYRTmQf8PcTxgRVjw8OhKm4hqAQJZZVwQ9kkX9xqh1jgfsCuYnS65HPfASUWqpK3izWfHPAgGzC_ZKVFh6p5_--R1p5CrwaDyrWk-67wbsHYsLp2HQbRyCBOpz78qb8C4nL-vDiZL8wFmaEZ4bBAjhq38vWS2Qv-TJcwYTdeuqwlVWlJIqgpchODAYNpeBTUvQ"
    }
@iamibadd commented on GitHub (Jan 27, 2026): @dosu I see this in my logs ``` 2026-01-27T23:41:04.980Z ERROR [Better Auth]: State not found undefined [04:41:04.899] INFO (18121): method: "POST" url: "/v1/bauth/callback/apple" statusCode: 302 duration: "16ms" body: { "state": "6243o04OFfEdfR0LkEK1N-IiTqQp2ZYR", "code": "cf528e1c76a194fba948cb7bd3e650ccc.0.rtuy.Dedo11kbC55ChIDyMaPOyA", "id_token": "eyJraWQiOiJZUXJxZE1ENGJxIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnRyeWNsb3VkZmxhcmUubWVyZ2Utc2hpZWxkLWJhc2luLW1lbWJlcnMuc2kiLCJleHAiOjE3Njk2NDM2NjQsImlhdCI6MTc2OTU1NzI2NCwic3ViIjoiMDAwMzQ4LjkzYzQxYzJjZjY3MzQ0YmM5Y2EwMTdjMWUzOGE1YTczLjE4NDAiLCJjX2hhc2giOiI4UGN4VzJrRkdWeW1yWjcxM3NuNGV3IiwiZW1haWwiOiJpYW1pYmFkZEBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXV0aF90aW1lIjoxNzY5NTU3MjY0LCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.2K3T7KkZ_HpQS4uRgiFWalxy7CeHV7fgAI3wWtDMIc4nMmHySrLaKZHXcn2DQ3hkih2cOoN7m9eyEYFr4JTrUGNnJF_IFp1JQhS9reUpC3oSUPwX4PagtPGR72AE50UU3qOYe3iBsPnhQjmM0ku-zYRTmQf8PcTxgRVjw8OhKm4hqAQJZZVwQ9kkX9xqh1jgfsCuYnS65HPfASUWqpK3izWfHPAgGzC_ZKVFh6p5_--R1p5CrwaDyrWk-67wbsHYsLp2HQbRyCBOpz78qb8C4nL-vDiZL8wFmaEZ4bBAjhq38vWS2Qv-TJcwYTdeuqwlVWlJIqgpchODAYNpeBTUvQ" } ```
GiteaMirror commented 2026-03-13 10:19:40 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Jan 27, 2026):

The "State not found" error means the backend couldn't find or validate the state cookie during the Apple OAuth callback, even though the state parameter is present in the POST body. This almost always happens because the state cookie wasn't sent with the POST request—often due to browser restrictions on cross-site POSTs, cookie SameSite settings, or domain mismatches. Google works because its callback is a GET, which is less restrictive for cookies.

To debug: in your browser's dev tools, check that the __Secure-better-auth.state cookie is present before the Apple callback and is actually sent with the POST to /v1/bauth/callback/apple. If it's missing, double-check your cookie config (SameSite=None, Secure=true), domain alignment, and try disabling Cloudflare or any proxy to rule out interference. If the cookie is present but you still get the error, you can temporarily set skipStateCookieCheck: true in your config to see if strict state validation is the blocker (not for production use) details callback logic.

If you want to dig deeper, capture a HAR file of the full OAuth flow and check for the presence and attributes of the state cookie at each step.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other

Chat with Dosu Open in Cursor Join Discord Share on X

@dosubot[bot] commented on GitHub (Jan 27, 2026): <!-- Answer --> The "State not found" error means the backend couldn't find or validate the state cookie during the Apple OAuth callback, even though the state parameter is present in the POST body. This almost always happens because the state cookie wasn't sent with the POST request—often due to browser restrictions on cross-site POSTs, cookie SameSite settings, or domain mismatches. Google works because its callback is a GET, which is less restrictive for cookies. To debug: in your browser's dev tools, check that the __Secure-better-auth.state cookie is present before the Apple callback and is actually sent with the POST to /v1/bauth/callback/apple. If it's missing, double-check your cookie config (SameSite=None, Secure=true), domain alignment, and try disabling Cloudflare or any proxy to rule out interference. If the cookie is present but you still get the error, you can temporarily set skipStateCookieCheck: true in your config to see if strict state validation is the blocker (not for production use) [details](https://github.com/better-auth/better-auth/issues/5243) [callback logic](https://github.com/better-auth/better-auth/blob/d1602ef0ae9822e462a5a42497072a0a1756e804/packages/better-auth/src/api/routes/callback.ts#L40-L282). If you want to dig deeper, capture a HAR file of the full OAuth flow and check for the presence and attributes of the state cookie at each step. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/bd73f520-d463-4afd-8ada-ce13d03735d4?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/bd73f520-d463-4afd-8ada-ce13d03735d4?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/bd73f520-d463-4afd-8ada-ce13d03735d4?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/bd73f520-d463-4afd-8ada-ce13d03735d4?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/bd73f520-d463-4afd-8ada-ce13d03735d4?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/bd73f520-d463-4afd-8ada-ce13d03735d4?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/bd73f520-d463-4afd-8ada-ce13d03735d4?feedback_type=other)</sup> [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Open in Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=The%20%22State%20not%20found%22%20error%20means%20the%20backend%20couldn%27t%20find%20or%20validate%20the%20state%20cookie%20during%20the%20Apple%20OAuth%20callback%2C%20even%20though%20the%20state%20parameter%20is%20present%20in%20the%20POST%20body.%20This%20almost%20always%20happens%20because%20the%20state%20cookie%20wasn%27t%20sent%20with%20the%20POST%20request%E2%80%94often%20due%20to%20browser%20restrictions%20on%20cross-site%20POSTs%2C%20cookie%20SameSite%20settings%2C%20or%20domain%20mismatches.%20Google%20works%20because%20its%20callback%20is%20a%20GET%2C%20which%20is%20less%20restrictive%20for%20cookies.%0A%0ATo%20debug%3A%20in%20your%20browser%27s%20dev%20tools%2C%20check%20that%20the%20__Secure-better-auth.state%20cookie%20is%20present%20before%20the%20Apple%20callback%20and%20is%20actually%20sent%20with%20the%20POST%20to%20/v1/bauth/callback/apple.%20If%20it%27s%20missing%2C%20double-check%20your%20cookie%20config%20%28SameSite%3DNone%2C%20Secure%3Dtrue%29%2C%20domain%20alignment%2C%20and%20try%20disabling%20Cloudflare%20or%20any%20proxy%20to%20rule%20out%20interference.%20If%20the%20cookie%20is%20present%20but%20you%20still%20get%20the%20error%2C%20you%20can%20temporarily%20set%20skipStateCookieCheck%3A%20true%20in%20your%20config%20to%20see%20if%20strict%20state%20validation%20is%20the%20blocker%20%28not%20for%20production%20use%29%C2%A0%5Bdetails%5D%28https%3A//github.com/better-auth/better-auth/issues/5243%29%C2%A0%5Bcallback%20logic%5D%28https%3A//github.com/better-auth/better-auth/blob/d1602ef0ae9822e462a5a42497072a0a1756e804/packages/better-auth/src/api/routes/callback.ts%23L40-L282%29.%0A%0AIf%20you%20want%20to%20dig%20deeper%2C%20capture%20a%20HAR%20file%20of%20the%20full%20OAuth%20flow%20and%20check%20for%20the%20presence%20and%20attributes%20of%20the%20state%20cookie%20at%20each%20step.)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/7642)
GiteaMirror commented 2026-03-13 10:19:41 -05:00
Author
Owner
Copy Link

@iamibadd commented on GitHub (Jan 28, 2026):

@bytaesu

Could you please take a look? I tried all solutions but nothing works.

@iamibadd commented on GitHub (Jan 28, 2026): @bytaesu Could you please take a look? I tried all solutions but nothing works.
GiteaMirror commented 2026-03-13 10:19:41 -05:00
Author
Owner
Copy Link

@bytaesu commented on GitHub (Jan 28, 2026):

Hi @iamibadd, let me check 🧐

@bytaesu commented on GitHub (Jan 28, 2026): Hi @iamibadd, let me check 🧐
GiteaMirror commented 2026-03-13 10:19:42 -05:00
Author
Owner
Copy Link

@bytaesu commented on GitHub (Jan 28, 2026):

Did you configured this option?

https://www.better-auth.com/docs/integrations/nestjs#1-disable-body-parser

Image
@bytaesu commented on GitHub (Jan 28, 2026): Did you configured this option? https://www.better-auth.com/docs/integrations/nestjs#1-disable-body-parser <img width="500" alt="Image" src="https://github.com/user-attachments/assets/de512c4c-3500-4d90-a3fb-02fbd2a33fbe" />
GiteaMirror commented 2026-03-13 10:19:43 -05:00
Author
Owner
Copy Link

@bytaesu commented on GitHub (Jan 28, 2026):

It works with GET but not with POST, and based on the server logs, it looks like the body is being consumed incorrectly somewhere.

@bytaesu commented on GitHub (Jan 28, 2026): It works with GET but not with POST, and based on the server logs, it looks like the body is being consumed incorrectly somewhere.
GiteaMirror commented 2026-03-13 10:19:44 -05:00
Author
Owner
Copy Link

@iamibadd commented on GitHub (Jan 28, 2026):

Did you configured this option?

https://www.better-auth.com/docs/integrations/nestjs#1-disable-body-parser

Image

Yes. Somehow I missed it, but now I set it to false. Still seeing state_not_found.

@iamibadd commented on GitHub (Jan 28, 2026): > Did you configured this option? > > https://www.better-auth.com/docs/integrations/nestjs#1-disable-body-parser > > <img alt="Image" width="500" src="https://private-user-images.githubusercontent.com/166604494/541337696-de512c4c-3500-4d90-a3fb-02fbd2a33fbe.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3Njk1NjAyMTcsIm5iZiI6MTc2OTU1OTkxNywicGF0aCI6Ii8xNjY2MDQ0OTQvNTQxMzM3Njk2LWRlNTEyYzRjLTM1MDAtNGQ5MC1hM2ZiLTAyZmJkMmEzM2ZiZS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjYwMTI4JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI2MDEyOFQwMDI1MTdaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1kNjM4YzI3ZTQ5MDkyY2VjZTZkMjhjNzc4Nzg2YTc4OTBmNmY1MmVhYzQ4MjBjYWM4ODRiZDMzNDgwNjA4ZGY2JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.f1FH4hAeT1Llr3nKSyfeNAlRmfkHr59GG35kVuH_6Ko"> Yes. Somehow I missed it, but now I set it to false. Still seeing state_not_found.
GiteaMirror commented 2026-03-13 10:19:44 -05:00
Author
Owner
Copy Link

@iamibadd commented on GitHub (Jan 28, 2026):

It works with GET but not with POST, and based on the server logs, it looks like the body is being consumed incorrectly somewhere.

I checked Google and its working fine. Not sure why Apple is not working :/

@iamibadd commented on GitHub (Jan 28, 2026): > It works with GET but not with POST, and based on the server logs, it looks like the body is being consumed incorrectly somewhere. I checked Google and its working fine. Not sure why Apple is not working :/
GiteaMirror commented 2026-03-13 10:19:44 -05:00
Author
Owner
Copy Link

@bytaesu commented on GitHub (Jan 28, 2026):

We don't provide an official NestJS integration for now, and it's likely an issue with the NestJS app setup. The request body disappearing isn't an error on the better-auth side 🤔

If you can share minimal reproducible repo with me, I will take a look!

@bytaesu commented on GitHub (Jan 28, 2026): We don't provide an official NestJS integration for now, and it's likely an issue with the NestJS app setup. The request body disappearing isn't an error on the `better-auth` side 🤔 If you can share minimal reproducible repo with me, I will take a look!
GiteaMirror commented 2026-03-13 10:19:45 -05:00
Author
Owner
Copy Link

@iamibadd commented on GitHub (Jan 28, 2026):

I'll provide the minimal NestJS setup as well. If you could look at the logs in meantime, it may help.

[05:30:03.079] INFO (64696):
    method: "POST"
    url: "/v1/bauth/sign-in/social"
    statusCode: 200
    duration: "14ms"
    body: {
      "provider": "apple",
      "callbackURL": "https://merge-shield-basin-members.trycloudflare.com/signin",
      "errorCallbackURL": "https://merge-shield-basin-members.trycloudflare.com/signin",
      "additionalData": {
        "accountType": "cmkrfrckm0000oeg2dctx3mkr"
      }
    }
2026-01-28T00:30:16.764Z ERROR [Better Auth]: State not found undefined
[05:30:16.669] INFO (64696):
    method: "POST"
    url: "/v1/bauth/callback/apple"
    statusCode: 302
    duration: "9ms"
    body: {
      "state": "-KcYsgdCJL-ossSaBl24laVE621kgJMW",
      "code": "c94341ab5afb047b382a39bc6d3c8a30d.0.stuy.ZPf6fKaYKiWy8zFQnH1tqg",
      "id_token": "eyJraWQiOiJIdlZJNkVzWlhKIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnRyeWNsb3VkZmxhcmUubWVyZ2Utc2hpZWxkLWJhc2luLW1lbWJlcnMuc2kiLCJleHAiOjE3Njk2NDY2MTYsImlhdCI6MTc2OTU2MDIxNiwic3ViIjoiMDAwMzQ4LjkzYzQxYzJjZjY3MzQ0YmM5Y2EwMTdjMWUzOGE1YTczLjE4NDAiLCJjX2hhc2giOiJraFczTkVSUWNpVGtRVVc2U05pbjhnIiwiZW1haWwiOiJpYW1pYmFkZEBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXV0aF90aW1lIjoxNzY5NTYwMjE2LCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.rDeCpzfejbnA5Nb2tX8WtAOXldQDG4NmkrF4iwzylzSQGd48OjZQ2PFJ9w393aKZkRDSf3bIJqzZxaBJZkbdNaU4WkPvommzplfMWB1au25CA5ybbeRKxEcOQ2dcCv-UGu_dwigCv6_Ufi-f8A72XiRgwN5u8E8g5BMWh8F7s26xNqASbxhcCvvOhHjVrQ0m0jGOc7nvhmeJgzT738OJtteKQO2awPngAxdypB42WL3Kdf8is4MYcdUnGrGmspMXAb7U0JasFgx-16qtjz_vf_Z1RMTL94G-6ueHF03MMyvYQGMSio9Qj5-2aKL4hgbx7kDgk_j2y0zj0ADskcxNaw"
    }
[05:30:16.765] INFO (64696):
    method: "GET"
    url: "/v1/bauth/callback/apple?"
    statusCode: 302
    duration: "9ms"
[05:30:17.079] INFO (64696):
    method: "GET"
    url: "/v1/bauth/error?state=state_not_found"
    statusCode: 200
    duration: "8ms"
@iamibadd commented on GitHub (Jan 28, 2026): I'll provide the minimal NestJS setup as well. If you could look at the logs in meantime, it may help. ``` [05:30:03.079] INFO (64696): method: "POST" url: "/v1/bauth/sign-in/social" statusCode: 200 duration: "14ms" body: { "provider": "apple", "callbackURL": "https://merge-shield-basin-members.trycloudflare.com/signin", "errorCallbackURL": "https://merge-shield-basin-members.trycloudflare.com/signin", "additionalData": { "accountType": "cmkrfrckm0000oeg2dctx3mkr" } } 2026-01-28T00:30:16.764Z ERROR [Better Auth]: State not found undefined [05:30:16.669] INFO (64696): method: "POST" url: "/v1/bauth/callback/apple" statusCode: 302 duration: "9ms" body: { "state": "-KcYsgdCJL-ossSaBl24laVE621kgJMW", "code": "c94341ab5afb047b382a39bc6d3c8a30d.0.stuy.ZPf6fKaYKiWy8zFQnH1tqg", "id_token": "eyJraWQiOiJIdlZJNkVzWlhKIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnRyeWNsb3VkZmxhcmUubWVyZ2Utc2hpZWxkLWJhc2luLW1lbWJlcnMuc2kiLCJleHAiOjE3Njk2NDY2MTYsImlhdCI6MTc2OTU2MDIxNiwic3ViIjoiMDAwMzQ4LjkzYzQxYzJjZjY3MzQ0YmM5Y2EwMTdjMWUzOGE1YTczLjE4NDAiLCJjX2hhc2giOiJraFczTkVSUWNpVGtRVVc2U05pbjhnIiwiZW1haWwiOiJpYW1pYmFkZEBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXV0aF90aW1lIjoxNzY5NTYwMjE2LCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.rDeCpzfejbnA5Nb2tX8WtAOXldQDG4NmkrF4iwzylzSQGd48OjZQ2PFJ9w393aKZkRDSf3bIJqzZxaBJZkbdNaU4WkPvommzplfMWB1au25CA5ybbeRKxEcOQ2dcCv-UGu_dwigCv6_Ufi-f8A72XiRgwN5u8E8g5BMWh8F7s26xNqASbxhcCvvOhHjVrQ0m0jGOc7nvhmeJgzT738OJtteKQO2awPngAxdypB42WL3Kdf8is4MYcdUnGrGmspMXAb7U0JasFgx-16qtjz_vf_Z1RMTL94G-6ueHF03MMyvYQGMSio9Qj5-2aKL4hgbx7kDgk_j2y0zj0ADskcxNaw" } [05:30:16.765] INFO (64696): method: "GET" url: "/v1/bauth/callback/apple?" statusCode: 302 duration: "9ms" [05:30:17.079] INFO (64696): method: "GET" url: "/v1/bauth/error?state=state_not_found" statusCode: 200 duration: "8ms" ```
GiteaMirror commented 2026-03-13 10:19:45 -05:00
Author
Owner
Copy Link

@iamibadd commented on GitHub (Jan 28, 2026):

@bytaesu

Just to give you a little context

I'm using Nestjs on the backend.
I'm using api methods mostly but for provider signin, I'm using the default endpoints.

app.module looks like this

import { AuthModule } from './auth/auth.module';
import { AuthModule as BetterAuthModule } from '@thallesp/nestjs-better-auth';

@Module({
  imports: [
    ConfigModule.forRoot({
      isGlobal: true,
      load: [appConfig],
      envFilePath: ['.env'],
    }),
    AuthModule,
    // registered for Better Auth default endpoints. Used for social logins.
    BetterAuthModule.forRoot({
      auth,
      disableGlobalAuthGuard: true,
      middleware: (req, _res, next) => {
        req.url = req.originalUrl;
        req.baseUrl = '';
        next();
      },
    }),
})

auth.config

backend url = "https://nation-crucial-possession-fast.trycloudflare.com"

basePath: '/v1/bauth',
  socialProviders: {
    google: {
      prompt: 'select_account',
      clientId: googleClientId,
      clientSecret: googleClientSecret,
    },
    apple: {
      clientId: appleClientId,
      clientSecret: appleClientSecret,
    },

 trustedOrigins: ["https://merge-shield-basin-members.trycloudflare.com", "https://appleid.apple.com",  "https://nation-crucial-possession-fast.trycloudflare.com"]
  cookies: {
    state: {
      attributes: {
        sameSite: 'none',
        secure: true,
        httpOnly: true,
      },
    },
  },
  trustedOrigins: corsAllowedOrigins,
  advanced: {
    disableOriginCheck: true,
    useSecureCookies: true,
    defaultCookieAttributes: {
      sameSite: 'none',
      secure: true,
      httpOnly: true,
    },
  },

main.ts

async function bootstrap() {
  const app = await NestFactory.create(AppModule, { bodyParser: false });

  // Get env variables from config
  const configService = app.get(ConfigService<AllConfigType>);

  // Global middlewares
  app.use(json());
  app.use(urlencoded({ extended: true }));
  app.use(helmet());
  const corsAllowedOrigins = configService
    .getOrThrow('app.corsAllowedOrigins', { infer: true })
    .split(',')
    .map((origin) => origin.trim())
    .filter(Boolean);
  app.enableCors({
    origin: (
      origin: string | undefined,
      callback: (err: Error | null, allow?: boolean) => void,
    ) => {
      callback(null, !origin || corsAllowedOrigins.includes(origin));
    },
    credentials: true,
  });

Frontend Nextjs

import { createAuthClient } from 'better-auth/react';

const backendBaseUrl = 'https://nation-crucial-possession-fast.trycloudflare.com';
const backendApiVersion = 'v1';
const authClient = createAuthClient({
  baseURL: backendBaseUrl,
  basePath: `/${backendApiVersion}/bauth`,
});

   await authClient.signIn.social({
      provider: 'google',
    });

   await authClient.signIn.social({
      provider: 'apple',
    });

Apple

Image

Do you think this information may give you some idea?

@iamibadd commented on GitHub (Jan 28, 2026): @bytaesu Just to give you a little context I'm using Nestjs on the backend. I'm using `api` methods mostly but for provider signin, I'm using the default endpoints. app.module looks like this ```JS import { AuthModule } from './auth/auth.module'; import { AuthModule as BetterAuthModule } from '@thallesp/nestjs-better-auth'; @Module({ imports: [ ConfigModule.forRoot({ isGlobal: true, load: [appConfig], envFilePath: ['.env'], }), AuthModule, // registered for Better Auth default endpoints. Used for social logins. BetterAuthModule.forRoot({ auth, disableGlobalAuthGuard: true, middleware: (req, _res, next) => { req.url = req.originalUrl; req.baseUrl = ''; next(); }, }), }) ``` auth.config backend url = "https://nation-crucial-possession-fast.trycloudflare.com" ```JS basePath: '/v1/bauth', socialProviders: { google: { prompt: 'select_account', clientId: googleClientId, clientSecret: googleClientSecret, }, apple: { clientId: appleClientId, clientSecret: appleClientSecret, }, trustedOrigins: ["https://merge-shield-basin-members.trycloudflare.com", "https://appleid.apple.com", "https://nation-crucial-possession-fast.trycloudflare.com"] cookies: { state: { attributes: { sameSite: 'none', secure: true, httpOnly: true, }, }, }, trustedOrigins: corsAllowedOrigins, advanced: { disableOriginCheck: true, useSecureCookies: true, defaultCookieAttributes: { sameSite: 'none', secure: true, httpOnly: true, }, }, ``` main.ts ```JS async function bootstrap() { const app = await NestFactory.create(AppModule, { bodyParser: false }); // Get env variables from config const configService = app.get(ConfigService<AllConfigType>); // Global middlewares app.use(json()); app.use(urlencoded({ extended: true })); app.use(helmet()); const corsAllowedOrigins = configService .getOrThrow('app.corsAllowedOrigins', { infer: true }) .split(',') .map((origin) => origin.trim()) .filter(Boolean); app.enableCors({ origin: ( origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void, ) => { callback(null, !origin || corsAllowedOrigins.includes(origin)); }, credentials: true, }); ``` Frontend Nextjs ```JS import { createAuthClient } from 'better-auth/react'; const backendBaseUrl = 'https://nation-crucial-possession-fast.trycloudflare.com'; const backendApiVersion = 'v1'; const authClient = createAuthClient({ baseURL: backendBaseUrl, basePath: `/${backendApiVersion}/bauth`, }); await authClient.signIn.social({ provider: 'google', }); await authClient.signIn.social({ provider: 'apple', }); ``` Apple <img width="640" height="707" alt="Image" src="https://github.com/user-attachments/assets/52b7fb6b-0d83-41a1-8085-222abd99624c" /> Do you think this information may give you some idea?
GiteaMirror commented 2026-03-13 10:19:45 -05:00
Author
Owner
Copy Link

@bytaesu commented on GitHub (Jan 28, 2026):

@iamibadd This might be happening because global middleware are consuming the request body first. Could you try excluding the Better Auth routes in those middleware?

@bytaesu commented on GitHub (Jan 28, 2026): @iamibadd This might be happening because global middleware are consuming the request body first. Could you try excluding the Better Auth routes in those middleware?
GiteaMirror commented 2026-03-13 10:19:46 -05:00
Author
Owner
Copy Link

@iamibadd commented on GitHub (Jan 28, 2026):

Ah, yes. It works after disabling app.use(json()) and app.use(urlencoded({ extended: true })). Thanks a lot!
Wondering how would webhooks work when we set bodyParser: false.
Ref https://github.com/ThallesP/nestjs-better-auth/issues/101

@iamibadd commented on GitHub (Jan 28, 2026): Ah, yes. It works after disabling `app.use(json())` and `app.use(urlencoded({ extended: true }))`. Thanks a lot! Wondering how would webhooks work when we set `bodyParser: false`. Ref https://github.com/ThallesP/nestjs-better-auth/issues/101
GiteaMirror commented 2026-03-13 10:19:46 -05:00
Author
Owner
Copy Link

@bytaesu commented on GitHub (Jan 28, 2026):

If the request Readable stream is consumed somewhere first, Better Auth won't be able to read the body. For Better Auth routes, the body parser must be skipped. Feel free to use it everywhere except the paths where the Better Auth handler is mounted 🙂

@bytaesu commented on GitHub (Jan 28, 2026): If the request Readable stream is consumed somewhere first, Better Auth won't be able to read the body. For Better Auth routes, the body parser must be skipped. Feel free to use it everywhere except the paths where the Better Auth handler is mounted 🙂
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label social-provider
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#2777
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?