[GH-ISSUE #3780] Type issue when using "auth.api.getSession" #9723

New Issue

GiteaMirror · 2026-04-13T05:23:52-05:00

GiteaMirror commented

2026-04-13 05:23:52 -05:00

Originally created by @kevinmarrec on GitHub (Aug 4, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/3780

To Reproduce

Create a backend
Use auth.api.getSession
The endpoint signature does not allow to use returnHeaders option

Current vs. Expected behavior

Current :

No returnHeaders option for getSession endpoint

Note: Still, we can force the returnHeaders option (even if not typed) and it will work as expected but with many typscript errors ! 👇

Expected :

Having returnHeaders option + correct typings when using the option, like other endpoints, here is an example with signUpEmail endpoint :

We should have no problem using the following code :

const { headers, response } = await auth.api.getSession({
  headers,
  returnHeaders: true
}

console.log(headers) // Should be of type Headers
console.log(response) // Should be of type { session: ..., user: ... }

What version of Better Auth are you using?

1.3.4

Provide environment information

OS: Ubuntu

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

import { betterAuth } from 'better-auth'

export const auth = betterAuth({
  emailAndPassword: {
    enabled: true,
  },
})

Additional context

https://github.com/better-auth/better-auth/issues/2115
https://github.com/better-auth/better-auth/issues/2115#issuecomment-3069526380

It looks like there a big type issue, as using "Go to Type Definition" on getSession leads to this :

Meanwhile other endpoints lead to a definition where there is all other endpoints :

And the big surprise, there is another getSession definition there that looks correctly typed :

So overall I think there's something in the types that override this correctly typed getSession endpoint by a wrong typed getSession endpoint (the one with InferAPI thing)

Originally created by @kevinmarrec on GitHub (Aug 4, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/3780 ### To Reproduce 1. Create a backend 2. Use `auth.api.getSession` 3. The endpoint signature does not allow to use `returnHeaders` option ### Current vs. Expected behavior **Current** : - No `returnHeaders` option for `getSession` endpoint <img width="799" height="120" alt="Image" src="https://github.com/user-attachments/assets/d922d6be-feca-4dec-b385-92357b0a2a62" /> *__Note__: Still, we can force the `returnHeaders` option (even if not typed) and it will work as expected but with many typscript errors !* 👇 <img width="685" height="79" alt="Image" src="https://github.com/user-attachments/assets/3d642473-5e5d-48a2-9086-72b6903b8c81" /> **Expected** : - Having `returnHeaders` option + correct typings when using the option, like other endpoints, here is an example with `signUpEmail` endpoint : <img width="1121" height="336" alt="Image" src="https://github.com/user-attachments/assets/236156e6-6286-49fe-8cea-e18cfe9faa91" /> We should have no problem using the following code : ```ts const { headers, response } = await auth.api.getSession({ headers, returnHeaders: true } console.log(headers) // Should be of type Headers console.log(response) // Should be of type { session: ..., user: ... } ``` ### What version of Better Auth are you using? 1.3.4 ### Provide environment information ```bash OS: Ubuntu ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript import { betterAuth } from 'better-auth' export const auth = betterAuth({ emailAndPassword: { enabled: true, }, }) ``` ### Additional context https://github.com/better-auth/better-auth/issues/2115 https://github.com/better-auth/better-auth/issues/2115#issuecomment-3069526380 It looks like there a big type issue, as using "Go to Type Definition" on `getSession` leads to this : <img width="732" height="330" alt="Image" src="https://github.com/user-attachments/assets/a504db9c-557f-4113-baf8-788047018b58" /> Meanwhile other endpoints lead to a definition where there is all other endpoints : <img width="908" height="353" alt="Image" src="https://github.com/user-attachments/assets/b572e49d-834d-4023-b683-badb13ff5424" /> And the big surprise, there is another `getSession` definition there that looks correctly typed : <img width="828" height="425" alt="Image" src="https://github.com/user-attachments/assets/dbce0937-b8f6-4525-88d1-e1a2ee2c3b72" /> So overall I think there's something in the types that override this correctly typed `getSession` endpoint by a wrong typed `getSession` endpoint (the one with `InferAPI` thing)

GiteaMirror added the locked label 2026-04-13 05:23:53 -05:00

GiteaMirror closed this issue

2026-04-13 05:23:55 -05:00

GiteaMirror commented

2026-04-13 05:23:57 -05:00

@dosubot[bot] commented on GitHub (Aug 4, 2025):

Hi @kevinmarrec! I'm Dosu and I’m helping the better-auth team.

You're right—there's a type issue with auth.api.getSession in Better Auth v1.3.4: the returnHeaders option isn't properly typed, even though it works at runtime if you force it. This happens because the type for getSession is inferred through a generic system (InferAPI), which doesn't handle special-case options like returnHeaders as precisely as endpoints like signUpEmail do. As a result, TypeScript errors appear, and intellisense is incomplete, even though the endpoint itself works as expected.

There are actually two definitions for getSession in the codebase: one is correctly typed (with proper returnHeaders support), but it's overridden by the more generic, less precise type generated by the API inference system. This is a common pitfall in frameworks that generate endpoint types dynamically—special-case parameters can get dropped or overgeneralized in the process, leading to the exact issue you're seeing. Other endpoints like signUpEmail have more explicit typings, so they don't have this problem citation.

Workarounds:

You can use a type assertion or manually cast the return type when calling getSession to suppress TypeScript errors.
If you're using custom fields or plugins, consider using the inferAdditionalFields plugin on the client side to improve type inference for session-related endpoints citation.
As a last resort, manually cast the session type in your code where needed.

This type inference issue is known and discussed in several related issues (#2115, #1194, #2818, #3328). Runtime/session context bugs in getSession have been fixed in recent PRs, but the typing problem for returnHeaders remains citation.

Keep an eye on future releases for a proper fix. For now, type assertions or the inferAdditionalFields plugin are your best options.

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Aug 4, 2025):  Hi @kevinmarrec! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team.  You're right—there's a type issue with `auth.api.getSession` in Better Auth v1.3.4: the `returnHeaders` option isn't properly typed, even though it works at runtime if you force it. This happens because the type for `getSession` is inferred through a generic system (`InferAPI`), which doesn't handle special-case options like `returnHeaders` as precisely as endpoints like `signUpEmail` do. As a result, TypeScript errors appear, and intellisense is incomplete, even though the endpoint itself works as expected. There are actually two definitions for `getSession` in the codebase: one is correctly typed (with proper `returnHeaders` support), but it's overridden by the more generic, less precise type generated by the API inference system. This is a common pitfall in frameworks that generate endpoint types dynamically—special-case parameters can get dropped or overgeneralized in the process, leading to the exact issue you're seeing. Other endpoints like `signUpEmail` have more explicit typings, so they don't have this problem [citation](https://github.com/better-auth/better-auth/blob/987be984b4d840a409ca1e0d6098ee0f3303bcb6/packages/better-auth/src/api/index.ts). Workarounds: - You can use a type assertion or manually cast the return type when calling `getSession` to suppress TypeScript errors. - If you're using custom fields or plugins, consider using the `inferAdditionalFields` plugin on the client side to improve type inference for session-related endpoints [citation](https://github.com/better-auth/better-auth/issues/3328). - As a last resort, manually cast the session type in your code where needed. This type inference issue is known and discussed in several related issues ([#2115](https://github.com/better-auth/better-auth/issues/2115), [#1194](https://github.com/better-auth/better-auth/issues/1194), [#2818](https://github.com/better-auth/better-auth/issues/2818), [#3328](https://github.com/better-auth/better-auth/issues/3328)). Runtime/session context bugs in `getSession` have been fixed in recent PRs, but the typing problem for `returnHeaders` remains [citation](https://github.com/better-auth/better-auth/pull/3578). Keep an eye on future releases for a proper fix. For now, type assertions or the `inferAdditionalFields` plugin are your best options.  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/03fa09b3-6f0c-4c64-99c5-ad4301d902b5?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/03fa09b3-6f0c-4c64-99c5-ad4301d902b5?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/03fa09b3-6f0c-4c64-99c5-ad4301d902b5?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/03fa09b3-6f0c-4c64-99c5-ad4301d902b5?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/03fa09b3-6f0c-4c64-99c5-ad4301d902b5?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/03fa09b3-6f0c-4c64-99c5-ad4301d902b5?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/03fa09b3-6f0c-4c64-99c5-ad4301d902b5?feedback_type=other)</sup>  [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github) [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/3780)

GiteaMirror commented

2026-04-13 05:23:59 -05:00

@kevinmarrec commented on GitHub (Aug 4, 2025):

As for now the more suitable workaround is one of the bot (@Dosubot) suggestion, which would look like something like this :

const response = await context.auth.api.getSession({
      headers: context.request.headers,
      asResponse: true,
    })

const session = await response.json() as typeof context.auth.$Infer.Session | null

I think that using context.auth.$Infer.Session make it correctly typed with custom session plugin as well.

That said, hopefully we'll have a better solution by making getSession types better and smarter, which would mean handling returnsHeader option, while using InferAPI generic system which seems to be the problem today.

@kevinmarrec commented on GitHub (Aug 4, 2025): As for now the more suitable workaround is one of the bot (**@Dosubot**) suggestion, which would look like something like this : ```ts const response = await context.auth.api.getSession({ headers: context.request.headers, asResponse: true, }) const session = await response.json() as typeof context.auth.$Infer.Session | null ``` I think that using `context.auth.$Infer.Session` make it correctly typed with custom session plugin as well. That said, hopefully we'll have a better solution by making `getSession` types better and smarter, which would mean handling `returnsHeader` option, while using `InferAPI` generic system which seems to be the problem today.

GiteaMirror commented

2026-04-13 05:24:00 -05:00

@frectonz commented on GitHub (Aug 13, 2025):

asResponse is a good way to handle this. I just created a PR to add returnHeaders to getSession.

@kevinmarrec I was wondering why do you want to get the headers returned by getSession.

@frectonz commented on GitHub (Aug 13, 2025): `asResponse` is a good way to handle this. I just created a PR to add `returnHeaders` to `getSession`. @kevinmarrec I was wondering why do you want to get the headers returned by `getSession`.

GiteaMirror commented

2026-04-13 05:24:01 -05:00

@kevinmarrec commented on GitHub (Aug 13, 2025):

@frectonz I want to get access to cookie headers generated by getSession when updateAge occurs (session refresh), so I can return it to my client (I'm not using better-auth client for client bundle optimization)

@kevinmarrec commented on GitHub (Aug 13, 2025): @frectonz I want to get access to cookie headers generated by `getSession` when updateAge occurs (session refresh), so I can return it to my client (I'm not using better-auth client for client bundle optimization)

GiteaMirror commented

2026-04-13 05:24:02 -05:00

@frectonz commented on GitHub (Aug 14, 2025):

@kevinmarrec I understand what you want to do, seems like #3983 correctly address the problem you are facing.

@frectonz commented on GitHub (Aug 14, 2025): @kevinmarrec I understand what you want to do, seems like #3983 correctly address the problem you are facing.

GiteaMirror commented

2026-04-13 05:24:03 -05:00

@kevinmarrec commented on GitHub (Aug 14, 2025):

@frectonz Indeed the solution seems to perfectly fit the need, thanks !

@kevinmarrec commented on GitHub (Aug 14, 2025): @frectonz Indeed the solution seems to perfectly fit the need, thanks !

GiteaMirror commented

2026-04-13 05:24:04 -05:00

@mhornbacher commented on GitHub (Aug 18, 2025):

Hi everyone,

I’m not sure if this is directly related to the current discussion, but I noticed that if zod is not listed as a dependency of the project, this change in version 1.3.7 seems to break the types, causing most types to resolve as any. I had to add zod as a devDependency and reset my lock file in order to resolve it.

Just wanted to flag it in case it’s helpful for debugging or planning a fix.

@mhornbacher commented on GitHub (Aug 18, 2025): Hi everyone, I’m not sure if this is directly related to the current discussion, but I noticed that if zod is not listed as a dependency of the project, [this change](https://github.com/better-auth/better-auth/compare/v1.3.6...v1.3.7#diff-5fa366118e2fc5e98f8dbce4eb9fffc7f5a57c2bed3815cd9aebdb374c717fc8R53) in version 1.3.7 seems to break the types, causing most types to resolve as any. I had to add `zod` as a `devDependency` and reset my lock file in order to resolve it. Just wanted to flag it in case it’s helpful for debugging or planning a fix.

GiteaMirror commented

2026-04-13 05:24:05 -05:00

@widavies commented on GitHub (Mar 26, 2026):

Are returnHeaders or asResponse available for the client variants as well (authClient.getSession and authClient.useSession)?

It would be nice to have access to the headers & other response metadata returned by the server. In particular, I set the JWT in a header using an after hook in /get-session. It would be nice to have it immediately ready for use rather than also having to wait until authClient.token() completes.

I patched better-auth to achieve this for my use case - I added headers to the useAuthQuery atoms, is this something you'd be interested in for a PR?

Looks like this might also be possible with better fetch plugins as an alternative?

@Bekacru @frectonz

@widavies commented on GitHub (Mar 26, 2026): Are `returnHeaders` or `asResponse` available for the client variants as well (`authClient.getSession` and `authClient.useSession`)? It would be nice to have access to the headers & other response metadata returned by the server. In particular, I set the JWT in a header using an after hook in `/get-session`. It would be nice to have it immediately ready for use rather than also having to wait until `authClient.token()` completes. I patched better-auth to achieve this for my use case - I added `headers` to the `useAuthQuery` atoms, is this something you'd be interested in for a PR? Looks like this might also be possible with better fetch plugins as an alternative? @Bekacru @frectonz

GiteaMirror commented

2026-04-13 05:24:05 -05:00

@github-actions[bot] commented on GitHub (Apr 3, 2026):

This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.

@github-actions[bot] commented on GitHub (Apr 3, 2026): This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#9723