Documentation says 'send2FaOTP' but function is called sendTwoFactorOTP #3014

New Issue

GiteaMirror · 2026-03-13T10:34:26-05:00

GiteaMirror commented

2026-03-13 10:34:26 -05:00

Originally created by @kvanbere on GitHub (Mar 7, 2026).

Is this suited for github?

Yes, this is suited for github

To Reproduce

N/A

Current vs. Expected behavior

See
7fefc2bbed/packages/better-auth/src/plugins/two-factor/otp/index.ts (L387-L405)

vs the documentation:

https://better-auth.com/docs/plugins/2fa#sending-otp

What version of Better Auth are you using?

v1.5.3

System info

N/A

Which area(s) are affected? (Select all that apply)

Documentation

Auth config (if applicable)

Additional context

See also https://github.com/better-auth/better-auth/discussions/8471 .

Originally created by @kvanbere on GitHub (Mar 7, 2026). ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce N/A ### Current vs. Expected behavior See https://github.com/better-auth/better-auth/blob/7fefc2bbed2b66b2349ca182144b10eff171e345/packages/better-auth/src/plugins/two-factor/otp/index.ts#L387-L405 vs the documentation: https://better-auth.com/docs/plugins/2fa#sending-otp ### What version of Better Auth are you using? v1.5.3 ### System info ```bash N/A ``` ### Which area(s) are affected? (Select all that apply) Documentation ### Auth config (if applicable) ```typescript ``` ### Additional context See also https://github.com/better-auth/better-auth/discussions/8471 .

GiteaMirror added the documentation label 2026-03-13 10:34:26 -05:00

GiteaMirror closed this issue

2026-03-13 10:34:26 -05:00

GiteaMirror commented

2026-03-13 10:34:28 -05:00

@dosubot[bot] commented on GitHub (Mar 7, 2026):

You're correct—this is a documentation bug. The code exports the function as sendTwoFactorOTP, but the documentation incorrectly shows send2FaOTP.

The correct usage is:

await auth.api.sendTwoFactorOTP()

Interestingly, send2FaOTP is the internal function name in the code, but it's explicitly exported under the name sendTwoFactorOTP in the endpoints object—so the docs just need to be updated to match the public API.

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Mar 7, 2026):  You're correct—this is a documentation bug. The [code exports the function as `sendTwoFactorOTP`](https://github.com/better-auth/better-auth/blob/7fefc2bbed2b66b2349ca182144b10eff171e345/packages/better-auth/src/plugins/two-factor/otp/index.ts#L405), but the [documentation incorrectly shows `send2FaOTP`](https://better-auth.com/docs/plugins/2fa#sending-otp). The correct usage is: ```javascript await auth.api.sendTwoFactorOTP() ``` Interestingly, `send2FaOTP` is the internal function name in the code, but it's explicitly exported under the name `sendTwoFactorOTP` in the endpoints object—so the docs just need to be updated to match the public API.  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- How did I do? [Good](https://app.dosu.dev/response-feedback/ac635af9-f453-4fc1-bdb0-26100966a056?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/ac635af9-f453-4fc1-bdb0-26100966a056?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/ac635af9-f453-4fc1-bdb0-26100966a056?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/ac635af9-f453-4fc1-bdb0-26100966a056?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/ac635af9-f453-4fc1-bdb0-26100966a056?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/ac635af9-f453-4fc1-bdb0-26100966a056?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/ac635af9-f453-4fc1-bdb0-26100966a056?feedback_type=other) [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github) [![Open in Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=You%27re%20correct%E2%80%94this%20is%20a%20documentation%20bug.%20The%20%5Bcode%20exports%20the%20function%20as%20%60sendTwoFactorOTP%60%5D%28https%3A//github.com/better-auth/better-auth/blob/7fefc2bbed2b66b2349ca182144b10eff171e345/packages/better-auth/src/plugins/two-factor/otp/index.ts%23L405%29%2C%20but%20the%20%5Bdocumentation%20incorrectly%20shows%20%60send2FaOTP%60%5D%28https%3A//better-auth.com/docs/plugins/2fa%23sending-otp%29.%0A%0AThe%20correct%20usage%20is%3A%0A%60%60%60javascript%0Aawait%20auth.api.sendTwoFactorOTP%28%29%0A%60%60%60%0A%0AInterestingly%2C%20%60send2FaOTP%60%20is%20the%20internal%20function%20name%20in%20the%20code%2C%20but%20it%27s%20explicitly%20exported%20under%20the%20name%20%60sendTwoFactorOTP%60%20in%20the%20endpoints%20object%E2%80%94so%20the%20docs%20just%20need%20to%20be%20updated%20to%20match%20the%20public%20API.) [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/8473)

GiteaMirror commented

2026-03-13 10:34:29 -05:00

@kvanbere commented on GitHub (Mar 7, 2026):

@dosu please check all the function names in this file and report which ones are incorrect, for example verifyOTP also seems incorrect.

@kvanbere commented on GitHub (Mar 7, 2026): @dosu please check all the function names in this file and report which ones are incorrect, for example `verifyOTP` also seems incorrect.

GiteaMirror commented

2026-03-13 10:34:30 -05:00

@dosubot[bot] commented on GitHub (Mar 7, 2026):

I checked the OTP file and found that the JSDoc comments in the code itself document the correct server API method names:

Endpoint Export Name	Server API (`auth.api.*`)	Client API (`authClient.twoFactor.*`)
`sendTwoFactorOTP`	`send2FaOTP`	`sendOtp`
`verifyTwoFactorOTP`	`verifyOTP`	`verifyOtp`

So the documentation should be correct—send2FaOTP and verifyOTP are the intended server API method names. The endpoint export names (sendTwoFactorOTP, verifyTwoFactorOTP) are internal identifiers, while auth.api.send2FaOTP and auth.api.verifyOTP are what developers actually call.

That said, based on the linked discussion #8471, users are getting TypeError when calling auth.api.send2FaOTP, which suggests there may be a runtime mismatch where the actual exported method doesn't match the documented name. Could you confirm the exact error you or the other user experienced? That would help determine if there's a bug in how the endpoints are being registered.

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Mar 7, 2026):  I checked the [OTP file](https://github.com/better-auth/better-auth/blob/7fefc2bbed2b66b2349ca182144b10eff171e345/packages/better-auth/src/plugins/two-factor/otp/index.ts#L387-L425) and found that the JSDoc comments in the code itself document the correct server API method names: | Endpoint Export Name | Server API (`auth.api.*`) | Client API (`authClient.twoFactor.*`) | |---------------------|---------------------------|--------------------------------------| | `sendTwoFactorOTP` | `send2FaOTP` | `sendOtp` | | `verifyTwoFactorOTP` | `verifyOTP` | `verifyOtp` | So the documentation should be correct—`send2FaOTP` and `verifyOTP` are the intended server API method names. The endpoint export names (`sendTwoFactorOTP`, `verifyTwoFactorOTP`) are internal identifiers, while `auth.api.send2FaOTP` and `auth.api.verifyOTP` are what developers actually call. That said, based on the [linked discussion #8471](https://github.com/better-auth/better-auth/discussions/8471), users are getting `TypeError` when calling `auth.api.send2FaOTP`, which suggests there may be a runtime mismatch where the actual exported method doesn't match the documented name. Could you confirm the exact error you or the other user experienced? That would help determine if there's a bug in how the endpoints are being registered.  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- How did I do? [Good](https://app.dosu.dev/response-feedback/637a5e89-dc4a-4954-b8e5-65ba032e4d06?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/637a5e89-dc4a-4954-b8e5-65ba032e4d06?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/637a5e89-dc4a-4954-b8e5-65ba032e4d06?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/637a5e89-dc4a-4954-b8e5-65ba032e4d06?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/637a5e89-dc4a-4954-b8e5-65ba032e4d06?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/637a5e89-dc4a-4954-b8e5-65ba032e4d06?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/637a5e89-dc4a-4954-b8e5-65ba032e4d06?feedback_type=other) [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github) [![Open in Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=I%20checked%20the%20%5BOTP%20file%5D%28https%3A//github.com/better-auth/better-auth/blob/7fefc2bbed2b66b2349ca182144b10eff171e345/packages/better-auth/src/plugins/two-factor/otp/index.ts%23L387-L425%29%20and%20found%20that%20the%20JSDoc%20comments%20in%20the%20code%20itself%20document%20the%20correct%20server%20API%20method%20names%3A%0A%0A%7C%20Endpoint%20Export%20Name%20%7C%20Server%20API%20%28%60auth.api.%2A%60%29%20%7C%20Client%20API%20%28%60authClient.twoFactor.%2A%60%29%20%7C%0A%7C---------------------%7C---------------------------%7C--------------------------------------%7C%0A%7C%20%60sendTwoFactorOTP%60%20%7C%20%60send2FaOTP%60%20%7C%20%60sendOtp%60%20%7C%0A%7C%20%60verifyTwoFactorOTP%60%20%7C%20%60verifyOTP%60%20%7C%20%60verifyOtp%60%20%7C%0A%0ASo%20the%20documentation%20should%20be%20correct%E2%80%94%60send2FaOTP%60%20and%20%60verifyOTP%60%20are%20the%20intended%20server%20API%20method%20names.%20The%20endpoint%20export%20names%20%28%60sendTwoFactorOTP%60%2C%20%60verifyTwoFactorOTP%60%29%20are%20internal%20identifiers%2C%20while%20%60auth.api.send2FaOTP%60%20and%20%60auth.api.verifyOTP%60%20are%20what%20developers%20actually%20call.%0A%0AThat%20said%2C%20based%20on%20the%20%5Blinked%20discussion%20%238471%5D%28https%3A//github.com/better-auth/better-auth/discussions/8471%29%2C%20users%20are%20getting%20%60TypeError%60%20when%20calling%20%60auth.api.send2FaOTP%60%2C%20which%20suggests%20there%20may%20be%20a%20runtime%20mismatch%20where%20the%20actual%20exported%20method%20doesn%27t%20match%20the%20documented%20name.%20Could%20you%20confirm%20the%20exact%20error%20you%20or%20the%20other%20user%20experienced%3F%20That%20would%20help%20determine%20if%20there%27s%20a%20bug%20in%20how%20the%20endpoints%20are%20being%20registered.) [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/8473)

GiteaMirror commented

2026-03-13 10:34:31 -05:00

@kvanbere commented on GitHub (Mar 7, 2026):

@dosu it looks like the period configuration option is measured in seconds, not minutes per the documentation, could you please confirm in the code.

@kvanbere commented on GitHub (Mar 7, 2026): @dosu it looks like the `period` configuration option is measured in seconds, not minutes per the documentation, could you please confirm in the code.

GiteaMirror commented

2026-03-13 10:34:31 -05:00

@dosubot[bot] commented on GitHub (Mar 7, 2026):

There are actually two different period options with different units depending on which 2FA method you're using:

OTP (email/SMS codes) - Period is in minutes (default: 3 minutes). The code confirms this by converting to milliseconds: period * 60 * 1000.

TOTP (authenticator apps) - Period is in seconds (default: 30 seconds). This follows the standard TOTP spec where codes rotate every 30 seconds.

Which period option are you looking at in the documentation? That would help confirm if there's a doc error for one of these.

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Mar 7, 2026):  There are actually **two different `period` options** with different units depending on which 2FA method you're using: **OTP (email/SMS codes)** - [Period is in **minutes**](https://github.com/better-auth/better-auth/blob/7fefc2bbed2b66b2349ca182144b10eff171e345/packages/better-auth/src/plugins/two-factor/otp/index.ts#L20-L25) (default: 3 minutes). The code confirms this by [converting to milliseconds: `period * 60 * 1000`](https://github.com/better-auth/better-auth/blob/7fefc2bbed2b66b2349ca182144b10eff171e345/packages/better-auth/src/plugins/two-factor/otp/index.ts#L114). **TOTP (authenticator apps)** - [Period is in **seconds**](https://github.com/better-auth/better-auth/blob/7fefc2bbed2b66b2349ca182144b10eff171e345/packages/better-auth/src/plugins/two-factor/totp/index.ts#L29-L32) (default: 30 seconds). This follows the standard TOTP spec where codes rotate every 30 seconds. Which `period` option are you looking at in the documentation? That would help confirm if there's a doc error for one of these.  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- How did I do? [Good](https://app.dosu.dev/response-feedback/6ad4fa09-00b9-4064-a470-319d8f643406?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/6ad4fa09-00b9-4064-a470-319d8f643406?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/6ad4fa09-00b9-4064-a470-319d8f643406?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/6ad4fa09-00b9-4064-a470-319d8f643406?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/6ad4fa09-00b9-4064-a470-319d8f643406?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/6ad4fa09-00b9-4064-a470-319d8f643406?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/6ad4fa09-00b9-4064-a470-319d8f643406?feedback_type=other) [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github) [![Open in Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=There%20are%20actually%20%2A%2Atwo%20different%20%60period%60%20options%2A%2A%20with%20different%20units%20depending%20on%20which%202FA%20method%20you%27re%20using%3A%0A%0A%2A%2AOTP%20%28email/SMS%20codes%29%2A%2A%20-%20%5BPeriod%20is%20in%20%2A%2Aminutes%2A%2A%5D%28https%3A//github.com/better-auth/better-auth/blob/7fefc2bbed2b66b2349ca182144b10eff171e345/packages/better-auth/src/plugins/two-factor/otp/index.ts%23L20-L25%29%20%28default%3A%203%20minutes%29.%20The%20code%20confirms%20this%20by%20%5Bconverting%20to%20milliseconds%3A%20%60period%20%2A%2060%20%2A%201000%60%5D%28https%3A//github.com/better-auth/better-auth/blob/7fefc2bbed2b66b2349ca182144b10eff171e345/packages/better-auth/src/plugins/two-factor/otp/index.ts%23L114%29.%0A%0A%2A%2ATOTP%20%28authenticator%20apps%29%2A%2A%20-%20%5BPeriod%20is%20in%20%2A%2Aseconds%2A%2A%5D%28https%3A//github.com/better-auth/better-auth/blob/7fefc2bbed2b66b2349ca182144b10eff171e345/packages/better-auth/src/plugins/two-factor/totp/index.ts%23L29-L32%29%20%28default%3A%2030%20seconds%29.%20This%20follows%20the%20standard%20TOTP%20spec%20where%20codes%20rotate%20every%2030%20seconds.%0A%0AWhich%20%60period%60%20option%20are%20you%20looking%20at%20in%20the%20documentation%3F%20That%20would%20help%20confirm%20if%20there%27s%20a%20doc%20error%20for%20one%20of%20these.) [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/8473)