[GH-ISSUE #2317] [phone number] Allow for phone verification providers which don't allow OTP customization #9144

Closed
opened 2026-04-13 04:30:04 -05:00 by GiteaMirror · 7 comments

Originally created by @kevcube on GitHub (Apr 16, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/2317

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

I am using Telegram Gateway to verify phone numbers - this platform allows me to send an OTP which is managed by the platform, and allows me to check the user's input against the OTP via API.

The phone number plugin should allow for passing a custom function which sends the OTP, and also passing a custom function which performs validation of the input OTP.

Additionally, Telegram Gateway will return a request_id which is linked to that OTP, and supports revocation of OTPs.

https://core.telegram.org/gateway/api

Current vs. Expected behavior

The current phone number plugin expects the server to set the OTP, when in Telegram Gateway the app's server is never aware of the true OTP. This is also presumably better for security because it limits one way that a backend admin could perform account takeover of a user.

What version of Better Auth are you using?

latest

Provide environment information

- n/a

Which area(s) are affected? (Select all that apply)

Package

Auth config (if applicable)


Additional context

No response

GiteaMirror added the enhancement and locked labels 2026-04-13 04:30:04 -05:00
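
The flow requested in the issue above, sketched as an added example (not code from Better Auth, Telegram Gateway or the issue author): the application keeps only the provider's request_id, delegates the check to the provider, and revokes the earlier request on resend. `OtpProvider`, `PhoneVerifier` and `FakeProvider` are hypothetical names, and the in-memory provider is a constructed stand-in.

```typescript
// Added example; OtpProvider, PhoneVerifier and FakeProvider are hypothetical names,
// not Better Auth or Telegram Gateway APIs.
interface OtpProvider {
  send(phone: string): Promise<string>; // resolves to the provider's request_id
  check(requestId: string, code: string): Promise<boolean>;
  revoke(requestId: string): Promise<void>;
}

class PhoneVerifier {
  // The app stores only request_id and an attempt counter, never the OTP.
  readonly pending = new Map<string, { requestId: string; attempts: number }>();
  private provider: OtpProvider;
  private maxAttempts: number;
  constructor(provider: OtpProvider, maxAttempts = 3) {
    this.provider = provider;
    this.maxAttempts = maxAttempts;
  }
  async start(phone: string): Promise<void> {
    const old = this.pending.get(phone);
    if (old) await this.provider.revoke(old.requestId); // resend invalidates the old code
    this.pending.set(phone, { requestId: await this.provider.send(phone), attempts: 0 });
  }
  async verify(phone: string, code: string): Promise<boolean> {
    const p = this.pending.get(phone);
    if (!p) return false;
    if (++p.attempts > this.maxAttempts) { // local cap on guessing
      await this.provider.revoke(p.requestId);
      this.pending.delete(phone);
      return false;
    }
    const ok = await this.provider.check(p.requestId, code);
    if (ok) this.pending.delete(phone); // single use: a verified code cannot be replayed
    return ok;
  }
}

// Constructed in-memory stand-in for the provider so the example runs offline.
class FakeProvider implements OtpProvider {
  readonly codes = new Map<string, string>(); // visible only to the "provider"
  private n = 0;
  async send(_phone: string): Promise<string> {
    const id = `req-${++this.n}`;
    this.codes.set(id, String(100000 + this.n));
    return id;
  }
  async check(id: string, code: string): Promise<boolean> { return this.codes.get(id) === code; }
  async revoke(id: string): Promise<void> { this.codes.delete(id); }
}
```

With a real provider, `check` and `revoke` would be HTTP calls keyed by the stored request_id, so a dump of the application's own database yields no usable codes.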

@catpddo commented on GitHub (Apr 20, 2025):

I noticed that the Telegram Gateway API allows passing a 'code' parameter.
Documentation: https://core.telegram.org/gateway/api#sendverificationmessage

"The verification code. Use this parameter if you want to set the verification code yourself. Only fully numeric strings between 4 and 8 characters in length are supported. If this parameter is set, code_length is ignored."

Better Auth uses phone number validation and can also use a custom function to send the code.
Documentation: https://www.better-auth.com/docs/plugins/phone-number#allow-sign-up-with-phone-number

@kevcube commented on GitHub (Apr 20, 2025):

@catpddo you’re right, and I switched to using custom codes. I also use phone verification. But it would still be nice to be able to pass a custom verification function, because I prefer telegram gateway’s method of black-box OTP code sending and verification.


@dosubot[bot] commented on GitHub (Jul 20, 2025):

Hi, @kevcube. I'm Dosu, and I'm helping the better-auth team manage their backlog. I'm marking this issue as stale.

Issue Summary:

  • You suggested enhancing the phone number plugin to support providers like Telegram Gateway by allowing custom functions for OTP handling.
  • @Catpddo noted that Telegram Gateway API supports custom verification codes and referenced Better Auth's documentation.
  • You acknowledged this but prefer Telegram Gateway's black-box approach for security reasons.
  • @Ninest reacted positively to your comment.

Next Steps:

  • Please confirm if this issue is still relevant to the latest version of the better-auth repository by commenting here.
  • If no updates are provided, the issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!


@Yarmeli commented on GitHub (Jul 24, 2025):

+1

This was also requested a few months ago in #1159 with a fix and a PR attached to it


@dosubot[bot] commented on GitHub (Oct 23, 2025):

Hi, @kevcube. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You requested the phone number plugin to support providers like Telegram Gateway that handle OTPs internally, suggesting custom functions for sending and validating OTPs to improve security.
  • A contributor noted Telegram Gateway's API supports custom verification codes and referenced Better Auth's existing documentation.
  • You acknowledged the documentation but expressed a preference for a black-box OTP approach.
  • The issue remains unresolved with interest shown but no implemented solution yet.
  • A related PR was mentioned in issue #1159 by another user.

Next Steps:

  • Please let me know if this issue is still relevant to the latest version of better-auth by commenting here to keep the discussion open.
  • Otherwise, this issue will be automatically closed in 7 days.

Thanks for your understanding and contribution!


@kevcube commented on GitHub (Oct 23, 2025):

Not stale afaik

@dosubot[bot] commented on GitHub (Jan 22, 2026):

Hi, @kevcube. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You requested the phone number plugin to support OTP providers like Telegram Gateway that handle OTPs internally.
  • You suggested adding the ability to pass custom functions for sending and validating OTPs to improve security.
  • A contributor noted Telegram Gateway's API supports custom verification codes and referenced existing documentation.
  • You prefer Telegram's black-box OTP approach over custom verification.
  • The issue remains open with interest from other users and references to related PRs, but no resolution yet.

Next Steps:

  • Please confirm if this issue is still relevant to the latest version of better-auth by commenting here.
  • If no response is received within 7 days, I will automatically close the issue.

Thank you for your understanding and contribution!
