[GH-ISSUE #3547] Server side impersonateUser() doesn't work #9639

New Issue

GiteaMirror · 2026-04-13T05:13:47-05:00

GiteaMirror commented

2026-04-13 05:13:47 -05:00

Originally created by @j1mbo64 on GitHub (Jul 22, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/3547

Is this suited for github?

Yes, this is suited for github

To Reproduce

export async function testImpersonate(id: string) {

  const impersonateResult = await auth.api.impersonateUser({
    body: { userId: id },
    headers: await headers(),
  });

  console.log("Impersonation result :", impersonateResult);
  console.log("During Impersonation Session :", await getSession());

  // Stop impersonating the owner
  auth.api.stopImpersonating({
    headers: await headers(),
  });
}

Current vs. Expected behavior

Here is the impersonateResult value (works as expected)

Impersonation result : {
  session: {
    expiresAt: 2025-07-22T14:55:09.483Z,
    token: '4mCfkEIPz3k82HxgeO0pawzrq8a8Rhqa',
    createdAt: 2025-07-22T14:54:09.484Z,
    updatedAt: 2025-07-22T14:54:09.484Z,
    ipAddress: '',
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36',
    userId: 'cA06KJqI0Xrbi6AW2TvqxFgtg4PdHHmV',
    impersonatedBy: '9RuxBUf5cvN3JvNKNQ0qpOITdsLuxNxp',
    id: 'h0N1t4Xlv18nCgYKynPDZNjDa5SPbDZy'
  },
  user: {
    name: 'toto',
    email: 'toto@gmail.com',
    emailVerified: false,
    image: null,
    createdAt: 2025-07-21T14:12:46.489Z,
    updatedAt: 2025-07-21T14:12:46.489Z,
    role: 'user',
    banned: null,
    banReason: null,
    banExpires: null,
    onboarding: true,
    selectedEntityId: null,
    id: 'cA06KJqI0Xrbi6AW2TvqxFgtg4PdHHmV'
  }
}

Here is the getSession() result value

During Impersonation Session : {
  session: {
    expiresAt: 2025-07-29T13:26:33.986Z,
    token: 'rakYHAxt14TanjfgS43blXN01NvOEkU0',
    createdAt: 2025-07-22T13:26:33.987Z,
    updatedAt: 2025-07-22T13:26:33.987Z,
    ipAddress: '',
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36',
    userId: '9RuxBUf5cvN3JvNKNQ0qpOITdsLuxNxp',
    impersonatedBy: null,
    id: 'QaBuqjB96tXYlyNoDA4xFvjSvwWJ3hBU'
  },
  user: {
    name: 'admin',
    email: 'admin@gmail.com',
    emailVerified: false,
    image: null,
    createdAt: 2025-07-21T14:12:46.650Z,
    updatedAt: 2025-07-21T14:12:46.650Z,
    role: 'admin',
    banned: null,
    banReason: null,
    banExpires: null,
    onboarding: true,
    selectedEntityId: null,
    id: '9RuxBUf5cvN3JvNKNQ0qpOITdsLuxNxp'
  }
}

When getSession() I still admin user.

getSession() is a simple wrapper like this :

export async function getSession(): Promise<any | undefined> {
  const session = await auth.api.getSession({
    headers: await headers(),
  });
  return session;
}

What version of Better Auth are you using?

1.3.2

Provide environment information

- OS: ArchLinux
- Browser: Chrome

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

export const auth = betterAuth({
  user: {
    additionalFields: {
      onboarding: {
        type: "boolean",
        required: true,
        defaultValue: false,
      },
      selectedEntityId: {
        type: "string",
        required: false,
        input: true,
      },
    },
  },
  emailAndPassword: {
    enabled: true,
    // async sendResetPassword(data, request) {
    // 	// Send an email to the user with a link to reset their password
    // },
  },
  session: {
    cookieCache: {
      enabled: true,
      maxAge: 5 * 60, // Cache duration in seconds
    },
  },
  database: prismaAdapter(prisma, {
    provider: "postgresql",
  }),
  plugins: [
    admin({
      defaultRole: "user", // Set default role for new users
      impersonationSessionDuration: 60, // 1 minute
    }),
    apiKey(),
  ],
});

Additional context

No response

Originally created by @j1mbo64 on GitHub (Jul 22, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/3547 ### Is this suited for github? - [ ] Yes, this is suited for github ### To Reproduce ```ts export async function testImpersonate(id: string) { const impersonateResult = await auth.api.impersonateUser({ body: { userId: id }, headers: await headers(), }); console.log("Impersonation result :", impersonateResult); console.log("During Impersonation Session :", await getSession()); // Stop impersonating the owner auth.api.stopImpersonating({ headers: await headers(), }); } ``` ### Current vs. Expected behavior Here is the `impersonateResult` value (works as expected) ``` Impersonation result : { session: { expiresAt: 2025-07-22T14:55:09.483Z, token: '4mCfkEIPz3k82HxgeO0pawzrq8a8Rhqa', createdAt: 2025-07-22T14:54:09.484Z, updatedAt: 2025-07-22T14:54:09.484Z, ipAddress: '', userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36', userId: 'cA06KJqI0Xrbi6AW2TvqxFgtg4PdHHmV', impersonatedBy: '9RuxBUf5cvN3JvNKNQ0qpOITdsLuxNxp', id: 'h0N1t4Xlv18nCgYKynPDZNjDa5SPbDZy' }, user: { name: 'toto', email: 'toto@gmail.com', emailVerified: false, image: null, createdAt: 2025-07-21T14:12:46.489Z, updatedAt: 2025-07-21T14:12:46.489Z, role: 'user', banned: null, banReason: null, banExpires: null, onboarding: true, selectedEntityId: null, id: 'cA06KJqI0Xrbi6AW2TvqxFgtg4PdHHmV' } } ``` Here is the `getSession()` result value ``` During Impersonation Session : { session: { expiresAt: 2025-07-29T13:26:33.986Z, token: 'rakYHAxt14TanjfgS43blXN01NvOEkU0', createdAt: 2025-07-22T13:26:33.987Z, updatedAt: 2025-07-22T13:26:33.987Z, ipAddress: '', userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36', userId: '9RuxBUf5cvN3JvNKNQ0qpOITdsLuxNxp', impersonatedBy: null, id: 'QaBuqjB96tXYlyNoDA4xFvjSvwWJ3hBU' }, user: { name: 'admin', email: 'admin@gmail.com', emailVerified: false, image: null, createdAt: 2025-07-21T14:12:46.650Z, updatedAt: 2025-07-21T14:12:46.650Z, role: 'admin', banned: null, banReason: null, banExpires: null, onboarding: true, selectedEntityId: null, id: '9RuxBUf5cvN3JvNKNQ0qpOITdsLuxNxp' } } ``` When `getSession()` I still `admin` user. `getSession()` is a simple wrapper like this : ```ts export async function getSession(): Promise<any | undefined> { const session = await auth.api.getSession({ headers: await headers(), }); return session; } ``` ### What version of Better Auth are you using? 1.3.2 ### Provide environment information ```bash - OS: ArchLinux - Browser: Chrome ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript export const auth = betterAuth({ user: { additionalFields: { onboarding: { type: "boolean", required: true, defaultValue: false, }, selectedEntityId: { type: "string", required: false, input: true, }, }, }, emailAndPassword: { enabled: true, // async sendResetPassword(data, request) { // // Send an email to the user with a link to reset their password // }, }, session: { cookieCache: { enabled: true, maxAge: 5 * 60, // Cache duration in seconds }, }, database: prismaAdapter(prisma, { provider: "postgresql", }), plugins: [ admin({ defaultRole: "user", // Set default role for new users impersonationSessionDuration: 60, // 1 minute }), apiKey(), ], }); ``` ### Additional context _No response_

GiteaMirror added the locked bug labels 2026-04-13 05:13:47 -05:00

GiteaMirror closed this issue

2026-04-13 05:13:48 -05:00

GiteaMirror commented

2026-04-13 05:13:49 -05:00

@dosubot[bot] commented on GitHub (Jul 22, 2025):

Hi @j1mbo64! I'm Dosu and I’m helping the better-auth team.

This is expected behavior: after calling impersonateUser(), the new session token for the impersonated user is returned in the response, but your server-side context (headers/cookies) is not automatically updated. Subsequent calls like getSession() will still use the original admin session unless you explicitly pass the new session token from impersonateResult.session.token in your headers or cookies for further API calls.

To impersonate on the server side, you need to manually propagate the new session token. For example:

export async function testImpersonate(id: string) {
  const impersonateResult = await auth.api.impersonateUser({
    body: { userId: id },
    headers: await headers(),
  });

  // Use the new session token for subsequent calls
  const impersonationHeaders = {
    ...await headers(),
    'Authorization': `Bearer ${impersonateResult.session.token}`,
  };

  console.log("Impersonation result :", impersonateResult);
  console.log(
    "During Impersonation Session :",
    await auth.api.getSession({ headers: impersonationHeaders })
  );

  // Stop impersonating (pass the impersonation token)
  await auth.api.stopImpersonating({
    headers: impersonationHeaders,
  });
}

This stateless pattern is by design: Better Auth does not mutate your server-side session context automatically—you must use the new token for impersonated requests [source].

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Jul 22, 2025):  Hi @j1mbo64! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team.  This is expected behavior: after calling impersonateUser(), the new session token for the impersonated user is returned in the response, but your server-side context (headers/cookies) is not automatically updated. Subsequent calls like getSession() will still use the original admin session unless you explicitly pass the new session token from impersonateResult.session.token in your headers or cookies for further API calls. To impersonate on the server side, you need to manually propagate the new session token. For example: ```ts export async function testImpersonate(id: string) { const impersonateResult = await auth.api.impersonateUser({ body: { userId: id }, headers: await headers(), }); // Use the new session token for subsequent calls const impersonationHeaders = { ...await headers(), 'Authorization': `Bearer ${impersonateResult.session.token}`, }; console.log("Impersonation result :", impersonateResult); console.log( "During Impersonation Session :", await auth.api.getSession({ headers: impersonationHeaders }) ); // Stop impersonating (pass the impersonation token) await auth.api.stopImpersonating({ headers: impersonationHeaders, }); } ``` This stateless pattern is by design: Better Auth does not mutate your server-side session context automatically—you must use the new token for impersonated requests [[source]](https://github.com/better-auth/better-auth/issues/3297).  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/e7083d86-f837-49b6-bc77-6e5c5a8c8659?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/e7083d86-f837-49b6-bc77-6e5c5a8c8659?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/e7083d86-f837-49b6-bc77-6e5c5a8c8659?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/e7083d86-f837-49b6-bc77-6e5c5a8c8659?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/e7083d86-f837-49b6-bc77-6e5c5a8c8659?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/e7083d86-f837-49b6-bc77-6e5c5a8c8659?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/e7083d86-f837-49b6-bc77-6e5c5a8c8659?feedback_type=other)</sup>  [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/3547)

GiteaMirror commented

2026-04-13 05:13:50 -05:00

@DkR-Luca-Lucidera commented on GitHub (Aug 28, 2025):

i have the same error, here the code:

const {
  headers,
  response: impersonateResult
} = await auth.api.impersonateUser({
  body: {
    userId: memberInfo.user.id
  },
  headers: ctx.headers,
  returnHeaders: true,
});

// Use the new session token for subsequent calls
const impersonationHeaders = {...headers,
  Authorization: `Bearer $ {
    impersonateResult.session.token
  }`,
};

console.log("Impersonation result :", impersonateResult);
console.log("During Impersonation Session :", await auth.api.getSession({
  headers: impersonationHeaders
}), );

await auth.api.stopImpersonating({
  headers: impersonationHeaders,
});

even with ctx.headers give the same output

console output:

Impersonation result : {
  session: {
    expiresAt: 2025-08-29T08:07:18.708Z,
    token: 'fRq0PFulsOkFvLvYA6on6tz6ZaAjUqFm',
    createdAt: 2025-08-28T08:07:18.709Z,
    updatedAt: 2025-08-28T08:07:18.709Z,
    ipAddress: '',
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36',
    userId: 'zP3BtfkHLfYtjHnIrMUePqaWMXh2tbQC',
    impersonatedBy: 'Kzli40rM8C9TQ8mNz2iBzg6gYx8cqmjS',
    activeOrganizationId: null,
    id: 'jBoM3zOH41UaMSJbdGfVHlVWoxUinJCE'
  },
  user: {
    name: 'ref',
    email: 'ref@one.com',
    emailVerified: false,
    image: null,
    createdAt: 2025-08-28T07:53:48.220Z,
    updatedAt: 2025-08-28T07:53:48.220Z,
    role: 'user',
    banned: null,
    banReason: null,
    banExpires: null,
    lastName: 'one',
    id: 'zP3BtfkHLfYtjHnIrMUePqaWMXh2tbQC'
  }
}
During Impersonation Session : null
[Error [APIError]: ] {
  status: 'UNAUTHORIZED',
  body: undefined,
  headers: {},
  statusCode: 401
}

@DkR-Luca-Lucidera commented on GitHub (Aug 28, 2025): i have the same error, here the code: ```ts const { headers, response: impersonateResult } = await auth.api.impersonateUser({ body: { userId: memberInfo.user.id }, headers: ctx.headers, returnHeaders: true, }); // Use the new session token for subsequent calls const impersonationHeaders = {...headers, Authorization: `Bearer $ { impersonateResult.session.token }`, }; console.log("Impersonation result :", impersonateResult); console.log("During Impersonation Session :", await auth.api.getSession({ headers: impersonationHeaders }), ); await auth.api.stopImpersonating({ headers: impersonationHeaders, }); ``` even with ctx.headers give the same output console output: ```sh Impersonation result : { session: { expiresAt: 2025-08-29T08:07:18.708Z, token: 'fRq0PFulsOkFvLvYA6on6tz6ZaAjUqFm', createdAt: 2025-08-28T08:07:18.709Z, updatedAt: 2025-08-28T08:07:18.709Z, ipAddress: '', userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36', userId: 'zP3BtfkHLfYtjHnIrMUePqaWMXh2tbQC', impersonatedBy: 'Kzli40rM8C9TQ8mNz2iBzg6gYx8cqmjS', activeOrganizationId: null, id: 'jBoM3zOH41UaMSJbdGfVHlVWoxUinJCE' }, user: { name: 'ref', email: 'ref@one.com', emailVerified: false, image: null, createdAt: 2025-08-28T07:53:48.220Z, updatedAt: 2025-08-28T07:53:48.220Z, role: 'user', banned: null, banReason: null, banExpires: null, lastName: 'one', id: 'zP3BtfkHLfYtjHnIrMUePqaWMXh2tbQC' } } During Impersonation Session : null [Error [APIError]: ] { status: 'UNAUTHORIZED', body: undefined, headers: {}, statusCode: 401 } ```

GiteaMirror commented

2026-04-13 05:13:52 -05:00

@ping-maxwell commented on GitHub (Oct 8, 2025):

The reason you're running into this issue is because when calling impersonateUser, it will issue a new session and will create a set-cookie header in the response, since you didn't change the current header value to use the new session cookie, the getSession call is running off an older session, not the new one.

@ping-maxwell commented on GitHub (Oct 8, 2025): The reason you're running into this issue is because when calling `impersonateUser`, it will issue a new session and will create a `set-cookie` header in the response, since you didn't change the current header value to use the new session cookie, the `getSession` call is running off an older session, not the new one.

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#9639

[GH-ISSUE #3547] Server side impersonateUser() doesn't work #9639

Is this suited for github?

To Reproduce

Current vs. Expected behavior

What version of Better Auth are you using?

Provide environment information

Which area(s) are affected? (Select all that apply)

Auth config (if applicable)

Additional context

[GH-ISSUE #3547] Server side `impersonateUser()` doesn't work #9639