github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-22 14:21:55 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[GH-ISSUE #1119] Insufficient documentation about baseUrl/BETTER_AUTH_URL and non-working config #8604

New Issue
Closed
opened 2026-04-13 03:43:14 -05:00 by GiteaMirror · 15 comments
GiteaMirror commented 2026-04-13 03:43:14 -05:00
Owner
Copy Link

Originally created by @JosipPardon on GitHub (Jan 4, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/1119

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

I tried really hard to understand what baseUrl and BETTER_AUTH_URL are used for, but I eventually gave up. I know that baseUrl in authClient tells authClient where requests should be sent, but server side remains boggling to me.

I tried intentionally setting baseUrl and BETTER_AUTH_URL to incorrect values, but everything continued to work totally fine (on local dev server). How?! My server was running at http://localhost:3000 and I set both values to be http://localhost:1234 or something like that.

I think that these values tell auth.api where to send requests. In that case, it does not make sense to use https://mydomain.com because unnecessary DNS requests will be sent, http://localhost:3000 should be used in both production and dev environments.

But I suppose this is not what these values are used for...

Docs should describe this in much more detail. It should be stated exactly how baseUrl and BETTER_AUTH_URL are used under the hood so that we can determine which values to use in different environments.

Current vs. Expected behavior

Described above

What version of Better Auth are you using?

1.1.8

Provide environment information

-

Which area(s) are affected? (Select all that apply)

Documentation, Package

Auth config (if applicable)

No response

Additional context

No response

Originally created by @JosipPardon on GitHub (Jan 4, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/1119 ### Is this suited for github? - [X] Yes, this is suited for github ### To Reproduce I tried really hard to understand what `baseUrl` and `BETTER_AUTH_URL` are used for, but I eventually gave up. I know that `baseUrl` in `authClient` tells `authClient` where requests should be sent, but server side remains boggling to me. I tried intentionally setting `baseUrl` and `BETTER_AUTH_URL` to incorrect values, but everything continued to work totally fine (on local dev server). How?! My server was running at `http://localhost:3000` and I set both values to be `http://localhost:1234` or something like that. I think that these values tell `auth.api` where to send requests. In that case, it does not make sense to use `https://mydomain.com` because unnecessary DNS requests will be sent, `http://localhost:3000` should be used in both production and dev environments. But I suppose this is not what these values are used for... Docs should describe this in much more detail. It should be stated exactly how `baseUrl` and `BETTER_AUTH_URL` are used under the hood so that we can determine which values to use in different environments. ### Current vs. Expected behavior Described above ### What version of Better Auth are you using? 1.1.8 ### Provide environment information ```bash - ``` ### Which area(s) are affected? (Select all that apply) Documentation, Package ### Auth config (if applicable) _No response_ ### Additional context _No response_
GiteaMirror added the locked label 2026-04-13 03:43:14 -05:00
GiteaMirror commented 2026-04-13 03:43:16 -05:00
Author
Owner
Copy Link

@moshetanzer commented on GitHub (Mar 23, 2025):

Hey,

Are you using oauth or email and password?

<!-- gh-comment-id:2746385626 --> @moshetanzer commented on GitHub (Mar 23, 2025): Hey, Are you using oauth or email and password?
GiteaMirror commented 2026-04-13 03:43:17 -05:00
Author
Owner
Copy Link

@JosipPardon commented on GitHub (Mar 24, 2025):

Hi @moshetanzer

Thanks for the response!

I prefer to have email OTP and Google for auth in my apps with BetterAuth.

But I don't understand how is that relevant to this issue. Problem is that baseUrl and BETTER_AUTH_URL are not sufficiently described how they work under the hood, regardless of which auth type we are using.

<!-- gh-comment-id:2746589836 --> @JosipPardon commented on GitHub (Mar 24, 2025): Hi @moshetanzer Thanks for the response! I prefer to have email OTP and Google for auth in my apps with BetterAuth. But I don't understand how is that relevant to this issue. Problem is that `baseUrl` and `BETTER_AUTH_URL` are not sufficiently described how they work under the hood, regardless of which auth type we are using.
GiteaMirror commented 2026-04-13 03:43:18 -05:00
Author
Owner
Copy Link

@lord007tn commented on GitHub (Mar 24, 2025):

same problem here
I end up giving up on better-auth for our company project and was inspired by it to build a custom one for us

the problem when you have separation between frontend and backend apps ( our case, nextjs in frontend, honojs in backend )

Google auth seems to work until the part of callback when it always redirect to the backend with non valid path always to /

and according to docs, it should redirect to /google/callback to handle it properly

there are other problems that I manage to go around, especially with prisma and people already mentioning them but still no fix

I am not hating nor telling you that better auth is not ready, but for a complex structure monorepo app it can't do the job fine

always going back to see what have been fixed over time and the progress of the library.

<!-- gh-comment-id:2747006044 --> @lord007tn commented on GitHub (Mar 24, 2025): same problem here I end up giving up on better-auth for our company project and was inspired by it to build a custom one for us the problem when you have separation between frontend and backend apps ( our case, nextjs in frontend, honojs in backend ) Google auth seems to work until the part of callback when it always redirect to the backend with non valid path always to / and according to docs, it should redirect to /google/callback to handle it properly there are other problems that I manage to go around, especially with prisma and people already mentioning them but still no fix I am not hating nor telling you that better auth is not ready, but for a complex structure monorepo app it can't do the job fine always going back to see what have been fixed over time and the progress of the library.
GiteaMirror commented 2026-04-13 03:43:19 -05:00
Author
Owner
Copy Link

@moshetanzer commented on GitHub (Mar 24, 2025):

Hey @lord007tn not sure exactly what your issue is. Feel free to open another issue with reproduction - at first glance seems like more of a question than a bug.

@JosipPardon will try get some more docs on it. As far as I understand is that it tried to auto detect base for things like oauth callback, but if for example you using a separate front end and server and it is unable to detect than you have the ability to set correct base url. Could be wrong though @Bekacru is this correct?

<!-- gh-comment-id:2747763710 --> @moshetanzer commented on GitHub (Mar 24, 2025): Hey @lord007tn not sure exactly what your issue is. Feel free to open another issue with reproduction - at first glance seems like more of a question than a bug. @JosipPardon will try get some more docs on it. As far as I understand is that it tried to auto detect base for things like oauth callback, but if for example you using a separate front end and server and it is unable to detect than you have the ability to set correct base url. Could be wrong though @Bekacru is this correct?
GiteaMirror commented 2026-04-13 03:43:19 -05:00
Author
Owner
Copy Link

@Bekacru commented on GitHub (Mar 24, 2025):

I'm not sure what's hard to understand about baseURL. Basically, it tells the server what URL it is currently running on. If the request comes from a client, the server can detect this from the request URL or forwarded headers. However, if no request is present, it will use the baseURL to determine things like routing, whether it's running on HTTPS (to set secure cookies), and which URLs to include or exclude. Also, in case the calls you're making are initiated by auth.api, they are mostly not affected by baseURL

<!-- gh-comment-id:2747837055 --> @Bekacru commented on GitHub (Mar 24, 2025): I'm not sure what's hard to understand about baseURL. Basically, it tells the server what URL it is currently running on. If the request comes from a client, the server can detect this from the request URL or forwarded headers. However, if no request is present, it will use the baseURL to determine things like routing, whether it's running on HTTPS (to set secure cookies), and which URLs to include or exclude. Also, in case the calls you're making are initiated by `auth.api`, they are mostly not affected by baseURL
GiteaMirror commented 2026-04-13 03:43:20 -05:00
Author
Owner
Copy Link

@RaeesBhatti commented on GitHub (Jun 2, 2025):

An app could be running on ten different URLs at the same time. e.g. an app deployed on Vercel might have a couple of custom domain names, deployment id sub domain, and environment sub domain. It's not practical to change the environment variable on every deployment or even change the value of baseUrl parameter since betterAuth() instance is created once and reused; and the URL might not be known at startup time.
I would suggest that baseUrl parameter be changed to accept a function that takes a Request as parameter and returns a URL, similar to trustedOrigins parameter. This will allow developers to derive baseUrl from the received request (taking x-forwarded-host, etc into account).

<!-- gh-comment-id:2928697529 --> @RaeesBhatti commented on GitHub (Jun 2, 2025): An app could be running on ten different URLs at the same time. e.g. an app deployed on Vercel might have a couple of custom domain names, deployment id sub domain, and environment sub domain. It's not practical to change the environment variable on every deployment or even change the value of `baseUrl` parameter since `betterAuth()` instance is created once and reused; and the URL might not be known at startup time. I would suggest that `baseUrl ` parameter be changed to accept a function that takes a `Request` as parameter and returns a URL, similar to `trustedOrigins` parameter. This will allow developers to derive `baseUrl` from the received request (taking `x-forwarded-host`, etc into account).
GiteaMirror commented 2026-04-13 03:43:21 -05:00
Author
Owner
Copy Link

@Stadly commented on GitHub (Aug 22, 2025):

@RaeesBhatti Very good idea! I created a separate issue with your idea, since this issue is mainly concerning documentation.

https://github.com/better-auth/better-auth/issues/4151

<!-- gh-comment-id:3213407836 --> @Stadly commented on GitHub (Aug 22, 2025): @RaeesBhatti Very good idea! I created a separate issue with your idea, since this issue is mainly concerning documentation. https://github.com/better-auth/better-auth/issues/4151
GiteaMirror commented 2026-04-13 03:43:21 -05:00
Author
Owner
Copy Link

@moshetanzer commented on GitHub (Aug 22, 2025):

@Stadly @RaeesBhatti Vercel has a env url with current deployment url available. Most platforms have this I think. You should never have to set manually.

See https://vercel.com/docs/environment-variables/system-environment-variables

<!-- gh-comment-id:3213769156 --> @moshetanzer commented on GitHub (Aug 22, 2025): @Stadly @RaeesBhatti Vercel has a env url with current deployment url available. Most platforms have this I think. You should never have to set manually. See https://vercel.com/docs/environment-variables/system-environment-variables
GiteaMirror commented 2026-04-13 03:43:22 -05:00
Author
Owner
Copy Link

@Stadly commented on GitHub (Aug 22, 2025):

I'm using SvelteKit, and I have to set baseUrl in order to use the Microsoft social provider in my local development envionment. I have not tested it when deployed yet.

<!-- gh-comment-id:3213800079 --> @Stadly commented on GitHub (Aug 22, 2025): I'm using SvelteKit, and I have to set `baseUrl` in order to use the Microsoft social provider in my local development envionment. I have not tested it when deployed yet.
GiteaMirror commented 2026-04-13 03:43:23 -05:00
Author
Owner
Copy Link

@himself65 commented on GitHub (Aug 23, 2025):

I'm checking this recently and debugging the Vercel preview environment. And I, yeah, I have the same problem with you guys at the beginning.

The baseURL would affect where we store the cookie; if it's in the wrong domain, the user session will not be stored. So that most of the logic relies on cookies (like useSession) will just be unauthenticated. You should always check the API response for set-cookie to have the right domain.

And my fix for the Vercel preview:

d476fbed07/demo/nextjs/lib/auth.ts (L52-L68)

But yeah, we should improve the document and UX to help developers address this pitfall.

<!-- gh-comment-id:3216511709 --> @himself65 commented on GitHub (Aug 23, 2025): I'm checking this recently and debugging the Vercel preview environment. And I, yeah, I have the same problem with you guys at the beginning. The baseURL would affect where we store the cookie; if it's in the wrong domain, the user session will not be stored. So that most of the logic relies on cookies (like `useSession`) will just be unauthenticated. You should always check the API response for `set-cookie` to have the right domain. And my fix for the Vercel preview: https://github.com/better-auth/better-auth/blob/d476fbed074253121df0e23414bd059c93274553/demo/nextjs/lib/auth.ts#L52-L68 But yeah, we should improve the document and UX to help developers address this pitfall.
GiteaMirror commented 2026-04-13 03:43:24 -05:00
Author
Owner
Copy Link

@RaeesBhatti commented on GitHub (Aug 23, 2025):

@Stadly @RaeesBhatti Vercel has a env url with current deployment url available. Most platforms have this I think. You should never have to set manually.

See https://vercel.com/docs/environment-variables/system-environment-variables

Thank you for the correction. I might have been wrong about Vercel's implementation of this but those env vars might not be available for Next.js or other frameworks outside of Vercel.
I think we should focus on the principle rather than a platform's implementation: should Better-Auth be usable on multiple different hostnames running on the same app process. I think yes.

<!-- gh-comment-id:3217039496 --> @RaeesBhatti commented on GitHub (Aug 23, 2025): > [@Stadly](https://github.com/Stadly) [@RaeesBhatti](https://github.com/RaeesBhatti) Vercel has a env url with current deployment url available. Most platforms have this I think. You should never have to set manually. > > See https://vercel.com/docs/environment-variables/system-environment-variables Thank you for the correction. I might have been wrong about Vercel's implementation of this but those env vars might not be available for Next.js or other frameworks outside of Vercel. I think we should focus on the principle rather than a platform's implementation: should Better-Auth be usable on multiple different hostnames running on the same app process. I think yes.
GiteaMirror commented 2026-04-13 03:43:24 -05:00
Author
Owner
Copy Link

@Stadly commented on GitHub (Aug 24, 2025):

This would also be useful in other scenarios than running the same app on multiple hostnames. For example, the Vite dev server uses port 5173 by default. If that port is taken, it spins up on port 5174, etc. When developing on multiple apps, or using git worktrees, the port the app is running on might therefore not always be the same (since multiple dev servers might be running at the same time). Currently, the developer must then change the baseUrl based on which port the dev server is currently using.

<!-- gh-comment-id:3218358070 --> @Stadly commented on GitHub (Aug 24, 2025): This would also be useful in other scenarios than running the same app on multiple hostnames. For example, the Vite dev server uses port 5173 by default. If that port is taken, it spins up on port 5174, etc. When developing on multiple apps, or using git worktrees, the port the app is running on might therefore not always be the same (since multiple dev servers might be running at the same time). Currently, the developer must then change the `baseUrl` based on which port the dev server is currently using.
GiteaMirror commented 2026-04-13 03:43:25 -05:00
Author
Owner
Copy Link

@Cali93 commented on GitHub (Nov 4, 2025):

Couldn't agree more with the feedback provided here.
I've spent too much time debugging confirmation emails on Vercel preview links because the confirmation URL didn't contain the baseUrl. Which is super weird because for change email it did contain the complete URL but not for email verification.

I would love to see an example configuration on the docs that works both locally and on Vercel.

<!-- gh-comment-id:3486944650 --> @Cali93 commented on GitHub (Nov 4, 2025): Couldn't agree more with the feedback provided here. I've spent too much time debugging confirmation emails on Vercel preview links because the confirmation URL didn't contain the `baseUrl`. Which is super weird because for change email it did contain the complete URL but not for email verification. I would love to see an example configuration on the docs that works both locally and on Vercel.
GiteaMirror commented 2026-04-13 03:43:26 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Feb 3, 2026):

Hi, @JosipPardon. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You raised concerns about unclear documentation regarding baseUrl and BETTER_AUTH_URL in Better Auth.
  • It was clarified that baseUrl is used by the server to determine its running URL when no request context is available, impacting routing and secure cookies.
  • Other users shared difficulties with multi-host setups and suggested enhancements like allowing baseUrl to be a function for dynamic URL resolution.
  • A separate issue was created to track the feature request for dynamic baseUrl handling.
  • The core need remains clearer documentation and improved support for dynamic environments such as Vercel and local development.

Next Steps:

  • Please let me know if this issue is still relevant with the latest version of better-auth by commenting here to keep the discussion open.
  • If I don’t hear back within 7 days, I will automatically close this issue to help us focus on active items.

Thanks for your understanding and contribution!

<!-- gh-comment-id:3842247897 --> @dosubot[bot] commented on GitHub (Feb 3, 2026): Hi, @JosipPardon. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary:** - You raised concerns about unclear documentation regarding `baseUrl` and `BETTER_AUTH_URL` in Better Auth. - It was clarified that `baseUrl` is used by the server to determine its running URL when no request context is available, impacting routing and secure cookies. - Other users shared difficulties with multi-host setups and suggested enhancements like allowing `baseUrl` to be a function for dynamic URL resolution. - A separate issue was created to track the feature request for dynamic `baseUrl` handling. - The core need remains clearer documentation and improved support for dynamic environments such as Vercel and local development. **Next Steps:** - Please let me know if this issue is still relevant with the latest version of better-auth by commenting here to keep the discussion open. - If I don’t hear back within 7 days, I will automatically close this issue to help us focus on active items. Thanks for your understanding and contribution!
GiteaMirror commented 2026-04-13 03:43:27 -05:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (Apr 1, 2026):

This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.

<!-- gh-comment-id:4166560255 --> @github-actions[bot] commented on GitHub (Apr 1, 2026): This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label locked
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#8604
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?