Update: Closed. The bug had nothing to do with Better Auth #2854

Closed
opened 2026-03-13 10:23:45 -05:00 by GiteaMirror · 2 comments

Originally created by @TahaBoulehmi on GitHub (Feb 10, 2026).

Update: Closed. The bug had nothing to do with Better Auth

GiteaMirror added the tanstack-start label 2026-03-13 10:23:45 -05:00

@better-auth-agent[bot] commented on GitHub (Feb 10, 2026):

It appears that you've encountered an issue where `auth.api.getSession()` and `auth.api.getActiveMember()` function correctly during server-side rendering (SSR) but fail during client-side RPC calls with TanStack Start middleware. This is a known situation several developers have faced.

The problem could be due to cookie handling during client-side navigation. Specifically, ensure you are using the `getRequestHeaders()` function to retrieve the request headers correctly, as recent updates indicate that relying on `request.headers` may not work properly [[5]](https://github.com/better-auth/better-auth/issues/6818).

You might also consider checking whether the session cookie is set correctly and whether you are using the `tanstackStartCookies` plugin to handle cookies automatically during these API calls [[3]](https://github.com/better-auth/better-auth/issues/4517), [[7]](https://www.better-auth.com/docs/integrations/tanstack). If you have issues after these adjustments, consider implementing a workaround with TanStack Query's `ensureQueryData` to avoid client-side RPC calls directly, as you mentioned in your issue description.

If you continue to face difficulties, you might want to tag @bekacru or @ping__ for more insights directly from the Better Auth team.

What method have you found most effective so far in handling these types of session management issues?

If you need more help, tag @better-auth-agent in a comment so I can respond.


@dosubot[bot] commented on GitHub (Feb 10, 2026):

Hi @TahaBoulehmi! I'm Dosu and I’m helping the better-auth team.

The root cause is that TanStack Start middleware and server functions do not automatically forward Set-Cookie headers from Better Auth responses to the client during client-side RPC calls. This means session cookies may not be refreshed or updated, so subsequent calls to `auth.api.getSession()` or `auth.api.getActiveMember()` can return `null` or throw, even if cookies are present in the incoming request headers. This does not affect SSR because the server has direct access to cookies and headers in-process, but it breaks on client navigation where the HTTP boundary matters [see discussion](https://github.com/better-auth/better-auth/discussions/4231) [see code](https://github.com/better-auth/better-auth/blob/0669ed804d8e0ada004c5ba266a6a12be6557cfc/packages/better-auth/src/integrations/tanstack-start.ts#L6-L59).

Your plugin setup (with `tanstackStartCookies()` last) matches the latest recommendations [docs](https://github.com/better-auth/better-auth/pull/7389), but you still need to ensure that any Set-Cookie headers returned by Better Auth are actually sent to the client in your middleware/server function responses. Here’s a pattern that works in TanStack Start:

```ts
import { createMiddleware } from '@tanstack/react-start';
import { getHeaders, setHeader } from 'vinxi/http';
import { auth } from '@/utils/auth';

export const authMiddleware = createMiddleware().server(async ({ next }) => {
  // Copy the incoming request headers (including Cookie) for Better Auth.
  const headers = new Headers(getHeaders() as HeadersInit);
  // asResponse: true returns the full Response so its headers can be read.
  const response = await auth.api.getSession({ headers, asResponse: true });
  // Note: Headers.get() joins multiple Set-Cookie values into one comma-separated string.
  const setCookieHeader = response.headers.get('set-cookie');
  const data = (await response.json()) || null;

  // Forward any refreshed session cookie to the browser.
  if (setCookieHeader) {
    setHeader('set-cookie', setCookieHeader);
  }

  return next({ context: { user: data?.user, session: data?.session } });
});
```

This ensures that any updated session cookies are sent back to the browser, keeping session state in sync during client-side RPC [example](https://github.com/better-auth/better-auth/issues/722).

If you want to avoid this complexity, you can use TanStack Query’s dehydration/hydration to transfer SSR data to the client, or disable session refresh in server functions and refresh the session client-side using a component [workaround](https://github.com/better-auth/better-auth/issues/2115).

If you’re still seeing issues, double-check that your frontend requests use `credentials: 'include'`, your backend CORS config allows credentials, and your cookie settings (`sameSite`, `secure`, `domain`) match your environment [troubleshooting](https://github.com/better-auth/better-auth/issues/4188).

Recent versions of Better Auth and the `tanstackStartCookies` plugin have improved reliability, so make sure you’re on the latest versions and using the correct imports [PR #7389](https://github.com/better-auth/better-auth/pull/7389).

To reply, just mention @dosu.
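
Added example, not part of either bot comment or of Better Auth: a small audit of the checks named in the troubleshooting paragraph above (`credentials: 'include'`, CORS credentials, and the cookie's `sameSite`, `secure` and `domain` settings). The type `Ctx`, the functions `parseSetCookie` and `auditSessionCookie`, and all origins and cookie strings are hypothetical names and constructed values.

```typescript
// Added example. All origins and cookie strings below are constructed samples.
type Ctx = {
  pageOrigin: string; // origin serving the browser page
  apiOrigin: string; // origin answering the auth / RPC request
  fetchCredentials: "omit" | "same-origin" | "include";
  allowOrigin?: string; // Access-Control-Allow-Origin sent by the API
  allowCredentials?: string; // Access-Control-Allow-Credentials sent by the API
};

// Split one Set-Cookie line into its name and a lower-cased attribute map.
function parseSetCookie(line: string) {
  const [pair, ...rest] = line.split(";").map((s) => s.trim());
  const attrs = new Map<string, string>();
  for (const a of rest) {
    const i = a.indexOf("=");
    attrs.set((i < 0 ? a : a.slice(0, i)).toLowerCase(), i < 0 ? "" : a.slice(i + 1));
  }
  return { name: pair.split("=")[0], attrs };
}

// Return the reasons a browser would refuse to store or send this cookie.
function auditSessionCookie(setCookie: string, ctx: Ctx): string[] {
  const out: string[] = [];
  const { name, attrs } = parseSetCookie(setCookie);
  const [, scheme = "", host = ""] = /^(https?):\/\/([^:/]+)/.exec(ctx.apiOrigin.toLowerCase()) ?? [];

  if ((attrs.get("samesite") ?? "").toLowerCase() === "none" && !attrs.has("secure"))
    out.push(`${name}: SameSite=None requires Secure`);
  // localhost is exempted because some browsers treat it as a secure context.
  if (attrs.has("secure") && scheme !== "https" && host !== "localhost")
    out.push(`${name}: Secure cookie cannot be set over plain HTTP`);
  const domain = (attrs.get("domain") ?? "").replace(/^\./, "").toLowerCase();
  if (domain && host !== domain && !host.endsWith("." + domain))
    out.push(`${name}: Domain=${domain} does not match host ${host}`);

  if (ctx.pageOrigin !== ctx.apiOrigin) {
    if (ctx.fetchCredentials !== "include")
      out.push("cross-origin fetch needs credentials: 'include'");
    if (ctx.allowCredentials !== "true")
      out.push("Access-Control-Allow-Credentials must be 'true'");
    if (ctx.allowOrigin !== ctx.pageOrigin)
      out.push("Access-Control-Allow-Origin must be the exact page origin, not '*'");
  }
  return out;
}

// Constructed sample: cross-origin dev setup with a wildcard CORS policy.
const sample: Ctx = { pageOrigin: "http://localhost:3000", apiOrigin: "http://api.example.test",
  fetchCredentials: "include", allowOrigin: "*", allowCredentials: "true" };
console.log(auditSessionCookie("sid=x; SameSite=None; Path=/", sample));
```

An empty result means none of these transport-level causes applies, which points the investigation back at application code.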



Reference: github-starred/better-auth#2854