github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-22 22:32:01 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

Verify OTP method for forgot password flow #533

New Issue
Closed
opened 2026-03-13 07:51:35 -05:00 by GiteaMirror · 6 comments
GiteaMirror commented 2026-03-13 07:51:35 -05:00
Owner
Copy Link

Originally created by @jasongerbes on GitHub (Jan 6, 2025).

Is this suited for github?

  • Yes, this is suited for github

Is your feature request related to a problem? Please describe.

The Email OTP plugin currently has a 2-step password reset flow:

1. Send OTP

await authClient.emailOtp.sendVerificationOtp({
    email: "user-email@email.com",
    type: "forget-password"
})

2. Reset Password

await authClient.emailOtp.resetPassword({
    email: "user-email@email.com",
    otp: "123456",
    password: "password"
})

This flow requires the user to enter their new password before the OTP has been verified, rather than providing early feedback if the OTP is invalid or expired.

Describe the solution you'd like

To enable a 3-step password reset flow, I propose adding a verifyOtp() method that can be used to verify an OTP before the new password is entered.

await authClient.emailOtp.verifyOtp({
    email: "user-email@email.com",
    type: "forget-password", // or "sign-in", "email-verification"
    otp: "123456"
})

Suggested behaviour:

  • Rate limited.
  • Returns a 200 response if the OTP is valid.
  • Returns a relevant error (or 200 response?) if the OTP is invalid or expired.
  • Deletes the OTP from the database if it's expired.

Describe alternatives you've considered

As a workaround, the getVerificationOTP() method could be used to manually verify an OTP.

However, this method:

  • Isn't currently documented in the Email OTP docs.
  • Is server-only and not rate limited (should it be?).
  • Doesn't indicate whether a token is expired.

Additional context

No response

Originally created by @jasongerbes on GitHub (Jan 6, 2025). ### Is this suited for github? - [X] Yes, this is suited for github ### Is your feature request related to a problem? Please describe. The Email OTP plugin currently has a 2-step password reset flow: **1. Send OTP** ```ts await authClient.emailOtp.sendVerificationOtp({ email: "user-email@email.com", type: "forget-password" }) ``` **2. Reset Password** ```ts await authClient.emailOtp.resetPassword({ email: "user-email@email.com", otp: "123456", password: "password" }) ``` This flow requires the user to enter their new password before the OTP has been verified, rather than providing early feedback if the OTP is invalid or expired. ### Describe the solution you'd like To enable a 3-step password reset flow, I propose adding a `verifyOtp()` method that can be used to verify an OTP before the new password is entered. ```ts await authClient.emailOtp.verifyOtp({ email: "user-email@email.com", type: "forget-password", // or "sign-in", "email-verification" otp: "123456" }) ``` Suggested behaviour: - Rate limited. - Returns a `200` response if the OTP is valid. - Returns a relevant error (or `200` response?) if the OTP is invalid or expired. - Deletes the OTP from the database if it's expired. ### Describe alternatives you've considered As a workaround, the `getVerificationOTP()` method could be used to manually verify an OTP. However, this method: - Isn't currently documented in the [Email OTP docs](https://www.better-auth.com/docs/plugins/email-otp). - Is server-only and not rate limited (should it be?). - Doesn't indicate whether a token is expired. ### Additional context _No response_
GiteaMirror added the enhancement label 2026-03-13 07:51:35 -05:00
GiteaMirror commented 2026-03-13 07:51:36 -05:00
Author
Owner
Copy Link

@YounessHassoune commented on GitHub (Apr 21, 2025):

any updates yet ??

@YounessHassoune commented on GitHub (Apr 21, 2025): any updates yet ??
GiteaMirror commented 2026-03-13 07:51:36 -05:00
Author
Owner
Copy Link

@giridhar1610 commented on GitHub (May 4, 2025):

Any updates on when will this be merged?

@giridhar1610 commented on GitHub (May 4, 2025): Any updates on when will this be merged?
GiteaMirror commented 2026-03-13 07:51:37 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Aug 3, 2025):

Hi, @jasongerbes. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You proposed adding a verifyOtp() method to the Email OTP plugin to enable a 3-step password reset flow.
  • This method would allow OTP verification before setting a new password, providing early feedback on OTP validity.
  • It would include rate limiting and handle expired OTPs by deleting them.
  • Currently, the workaround using getVerificationOTP() is undocumented, server-only, and lacks expiration checks.
  • Other users have expressed interest in updates or merging of this feature.

Next Steps:

  • Please let me know if this feature is still relevant to the latest version of better-auth by commenting on this issue.
  • If I don’t hear back within 7 days, I will automatically close this issue.

Thanks for your understanding and contribution!

@dosubot[bot] commented on GitHub (Aug 3, 2025): Hi, @jasongerbes. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary:** - You proposed adding a `verifyOtp()` method to the Email OTP plugin to enable a 3-step password reset flow. - This method would allow OTP verification before setting a new password, providing early feedback on OTP validity. - It would include rate limiting and handle expired OTPs by deleting them. - Currently, the workaround using `getVerificationOTP()` is undocumented, server-only, and lacks expiration checks. - Other users have expressed interest in updates or merging of this feature. **Next Steps:** - Please let me know if this feature is still relevant to the latest version of better-auth by commenting on this issue. - If I don’t hear back within 7 days, I will automatically close this issue. Thanks for your understanding and contribution!
GiteaMirror commented 2026-03-13 07:51:37 -05:00
Author
Owner
Copy Link

@giridhar1610 commented on GitHub (Aug 3, 2025):

Hey, we still want this future. I'm looking to bump the better-auth version immediately after this feature's inclusion

@giridhar1610 commented on GitHub (Aug 3, 2025): Hey, we still want this future. I'm looking to bump the better-auth version immediately after this feature's inclusion
GiteaMirror commented 2026-03-13 07:51:37 -05:00
Author
Owner
Copy Link

@sheridanprakash commented on GitHub (Aug 22, 2025):

Thank you so much for adding this middle step! Reading the docs and was wondering why it could find it just to realize it was added just last week.
Thank you Better-Auth team!

@sheridanprakash commented on GitHub (Aug 22, 2025): Thank you so much for adding this middle step! Reading the docs and was wondering why it could find it just to realize it was added just last week. Thank you Better-Auth team!
GiteaMirror commented 2026-03-13 07:51:37 -05:00
Author
Owner
Copy Link

@junwen-k commented on GitHub (Dec 19, 2025):

I’m running into the same limitation as described here, but for the phoneNumber plugin instead of email.

Currently, after calling authClient.phoneNumber.requestPasswordReset(), there doesn’t seem to be any way to manually verify the OTP first. I initially assumed authClient.phoneNumber.verify() could be reused, but it appears that password reset OTPs are scoped differently and can’t be verified through that API.

This means the only supported flow right now is passing { otp, newPassword } together to resetPassword, without an intermediate “OTP verified” step.

For production flows, it would be really useful to support:

  1. Request password reset OTP
  2. Verify OTP independently
  3. Proceed to reset password after verification

This would align the phone number reset flow with more flexible UX patterns and with how verification is handled elsewhere.

@junwen-k commented on GitHub (Dec 19, 2025): I’m running into the same limitation as described here, but for the `phoneNumber` plugin instead of email. Currently, after calling `authClient.phoneNumber.requestPasswordReset()`, there doesn’t seem to be any way to manually verify the OTP first. I initially assumed `authClient.phoneNumber.verify()` could be reused, but it appears that password reset OTPs are scoped differently and can’t be verified through that API. This means the only supported flow right now is passing { otp, newPassword } together to resetPassword, without an intermediate “OTP verified” step. For production flows, it would be really useful to support: 1. Request password reset OTP 1. Verify OTP independently 1. Proceed to reset password after verification This would align the phone number reset flow with more flexible UX patterns and with how verification is handled elsewhere.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label enhancement
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#533
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?