@better-auth/core 1.6.15 → 1.6.16

package/dist/context/global.mjs

@@ -2,7 +2,7 @@
 const symbol = Symbol.for("better-auth:global");
 let bind = null;
 const __context = {};
-const __betterAuthVersion = "1.6.15";
+const __betterAuthVersion = "1.6.16";
 /**
 * We store context instance in the globalThis.
 *

package/dist/env/env-impl.mjs

@@ -27,7 +27,7 @@ const env = new Proxy(_envShim, {
 function toBoolean(val) {
 	return val ? val !== "false" : false;
 }
-const nodeENV = typeof process !== "undefined" && process.env && process.env.NODE_ENV || "";
+const nodeENV = env.NODE_ENV ?? "";
 /** Detect if `NODE_ENV` environment variable is `production` */
 const isProduction = nodeENV === "production";
 /** Detect if `NODE_ENV` environment variable is `dev` or `development` */

package/dist/instrumentation/tracer.mjs

@@ -2,7 +2,7 @@ import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes.mjs";
 import { getOpenTelemetryAPI } from "./api.mjs";
 //#region src/instrumentation/tracer.ts
 const INSTRUMENTATION_SCOPE = "better-auth";
-const INSTRUMENTATION_VERSION = "1.6.15";
+const INSTRUMENTATION_VERSION = "1.6.16";
 /**
 * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth
 * callbacks). These are APIErrors with 3xx status codes and should not be

package/dist/oauth2/verify.d.mts

@@ -14,6 +14,20 @@ interface VerifyAccessTokenRemote {
    * is also still active.
    */
   force?: boolean;
+  /**
+   * Accept introspection responses that omit the `aud` claim even when a
+   * required `audience` is configured in `verifyOptions`.
+   *
+   * By default verification fails closed: if you configure an `audience` and
+   * the introspection response has no `aud` (or a mismatching one), the token
+   * is rejected. Some authorization servers legitimately omit `aud` from
+   * introspection responses (it is OPTIONAL per RFC 7662 §2.2); only enable
+   * this if you trust the issuer to bind the token to this resource through
+   * another mechanism, as it skips the audience check in that case.
+   *
+   * @default false
+   */
+  allowMissingAudience?: boolean;
 }
 /**
  * Performs local verification of an access token for your APIs.

package/dist/oauth2/verify.mjs

@@ -11,8 +11,13 @@ const joseInfrastructureErrorCodes = new Set([
 function isJoseInfrastructureError(error) {
 	return joseInfrastructureErrorCodes.has(error.code);
 }
-/** Last fetched jwks used locally in getJwks @internal */
-let jwks;
+const jwksCache = /* @__PURE__ */ new Map();
+/**
+* How long a cached JWKS is trusted before it is refetched
+*
+* @internal
+*/
+const JWKS_CACHE_TTL_MS = 300 * 1e3;
 /**
 * Performs local verification of an access token for your APIs.
 *
@@ -37,14 +42,24 @@ async function getJwks(token, opts) {
 		throw new Error(error);
 	}
 	if (!jwtHeaders.kid) throw new APIError("UNAUTHORIZED", { message: "invalid access token" });
-	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
-		jwks = typeof opts.jwksFetch === "string" ? await betterFetch(opts.jwksFetch, { headers: { Accept: "application/json" } }).then(async (res) => {
+	const kid = jwtHeaders.kid;
+	const cacheKey = opts.jwksFetch;
+	const cached = jwksCache.get(cacheKey);
+	const isFresh = cached ? Date.now() - cached.fetchedAt < JWKS_CACHE_TTL_MS : false;
+	const hasKid = cached?.jwks.keys.some((jwk) => jwk.kid === kid) ?? false;
+	if (!cached || !isFresh || !hasKid) {
+		const jwks = typeof opts.jwksFetch === "string" ? await betterFetch(opts.jwksFetch, { headers: { Accept: "application/json" } }).then(async (res) => {
 			if (res.error) throw new Error(`Jwks failed: ${res.error.message ?? res.error.statusText}`);
 			return res.data;
 		}) : await opts.jwksFetch();
 		if (!jwks) throw new Error("No jwks found");
+		jwksCache.set(cacheKey, {
+			jwks,
+			fetchedAt: Date.now()
+		});
+		return jwks;
 	}
-	return jwks;
+	return cached.jwks;
 }
 /**
 * Performs local verification of an access token for your API.
@@ -85,8 +100,9 @@ async function verifyAccessToken(token, opts) {
 		if (!introspect.active) throw new APIError("UNAUTHORIZED", { message: "token inactive" });
 		try {
 			const unsecuredJwt = new UnsecuredJWT(introspect).encode();
-			const { audience: _audience, ...verifyOptions } = opts.verifyOptions;
-			payload = (introspect.aud ? UnsecuredJWT.decode(unsecuredJwt, opts.verifyOptions) : UnsecuredJWT.decode(unsecuredJwt, verifyOptions)).payload;
+			const { audience: _audience, ...verifyOptionsNoAudience } = opts.verifyOptions;
+			const skipAudience = !introspect.aud && opts.remoteVerify.allowMissingAudience === true;
+			payload = UnsecuredJWT.decode(unsecuredJwt, skipAudience ? verifyOptionsNoAudience : opts.verifyOptions).payload;
 		} catch (error) {
 			throw new Error(error);
 		}

package/dist/social-providers/facebook.mjs

@@ -7,6 +7,34 @@ import { validateAuthorizationCode } from "../oauth2/validate-authorization-code
 import { betterFetch } from "@better-fetch/fetch";
 import { createRemoteJWKSet, decodeJwt, jwtVerify } from "jose";
 //#region src/social-providers/facebook.ts
+/**
+* Validate an opaque Facebook access token against the configured app.
+*
+* Facebook access tokens are not audience-bound at the Graph `/me` endpoint: a
+* token minted for any Facebook app returns that app's profile. Without this
+* check, a token issued to an unrelated app could be presented to this
+* app's direct sign-in path and accepted as proof of identity. We call the
+* `debug_token` endpoint and require the token to be valid, bound to one of the
+* configured client ids, and tied to a user.
+*
+* @see https://developers.facebook.com/docs/facebook-login/guides/access-tokens/debugging
+*
+* @returns the inspected token's `user_id` when the token is valid and bound to
+* the configured app, otherwise `null`.
+*/
+async function verifyFacebookAccessToken(accessToken, options) {
+	const primaryClientId = getPrimaryClientId(options.clientId);
+	if (!primaryClientId || !options.clientSecret) return null;
+	const clientIds = Array.isArray(options.clientId) ? options.clientId : [options.clientId];
+	const { data, error } = await betterFetch("https://graph.facebook.com/debug_token", { query: {
+		input_token: accessToken,
+		access_token: `${primaryClientId}|${options.clientSecret}`
+	} });
+	if (error || !data?.data) return null;
+	const { is_valid, app_id, user_id } = data.data;
+	if (is_valid !== true || !app_id || !clientIds.includes(app_id) || !user_id) return null;
+	return user_id;
+}
 const facebook = (options) => {
 	return {
 		id: "facebook",
@@ -52,7 +80,7 @@ const facebook = (options) => {
 			} catch {
 				return false;
 			}
-			return true;
+			return await verifyFacebookAccessToken(token, options) !== null;
 		},
 		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
 			return refreshAccessToken({
@@ -93,6 +121,10 @@ const facebook = (options) => {
 					data: profile
 				};
 			}
+			const accessToken = token.accessToken;
+			if (!accessToken) return null;
+			const tokenUserId = await verifyFacebookAccessToken(accessToken, options);
+			if (!tokenUserId) return null;
 			const { data: profile, error } = await betterFetch("https://graph.facebook.com/me?fields=" + [
 				"id",
 				"name",
@@ -101,9 +133,10 @@ const facebook = (options) => {
 				...options?.fields || []
 			].join(","), { auth: {
 				type: "Bearer",
-				token: token.accessToken
+				token: accessToken
 			} });
 			if (error) return null;
+			if (profile.id !== tokenUserId) return null;
 			const userMap = await options.mapProfileToUser?.(profile);
 			return {
 				user: {

package/dist/social-providers/google.d.mts

@@ -37,7 +37,12 @@ interface GoogleOptions extends ProviderOptions<GoogleProfile> {
    */
   display?: ("page" | "popup" | "touch" | "wap") | undefined;
   /**
-   * The hosted domain of the user
+   * The hosted domain (Google Workspace) the user must belong to.
+   *
+   * This is sent to Google as the `hd` authorization hint and, when set, is
+   * also enforced against the `hd` claim of the returned id token/profile.
+   * Sign-in is rejected when the claim is missing or does not match, so this
+   * can be used to restrict sign-in to a Workspace domain.
    */
   hd?: string | undefined;
 }

package/dist/social-providers/google.mjs

@@ -73,6 +73,7 @@ const google = (options) => {
 					maxTokenAge: "1h"
 				});
 				if (nonce && jwtClaims.nonce !== nonce) return false;
+				if (options.hd && jwtClaims.hd !== options.hd) return false;
 				return true;
 			} catch {
 				return false;
@@ -82,6 +83,10 @@ const google = (options) => {
 			if (options.getUserInfo) return options.getUserInfo(token);
 			if (!token.idToken) return null;
 			const user = decodeJwt(token.idToken);
+			if (options.hd && user.hd !== options.hd) {
+				logger.error(`Google sign-in rejected: id token hosted domain (hd) "${user.hd ?? "<missing>"}" does not match the configured "hd" option "${options.hd}".`);
+				return null;
+			}
 			const userMap = await options.mapProfileToUser?.(user);
 			return {
 				user: {

package/dist/social-providers/index.d.mts

@@ -28,7 +28,7 @@ import { KakaoOptions, KakaoProfile, kakao } from "./kakao.mjs";
 import { NaverOptions, NaverProfile, naver } from "./naver.mjs";
 import { LineIdTokenPayload, LineOptions, LineUserInfo, line } from "./line.mjs";
 import { PaybinOptions, PaybinProfile, paybin } from "./paybin.mjs";
-import { PayPalOptions, PayPalProfile, PayPalTokenResponse, paypal } from "./paypal.mjs";
+import { PayPalOptions, PayPalProfile, PayPalTokenResponse, getPayPalPublicKey, paypal } from "./paypal.mjs";
 import { PolarOptions, PolarProfile, polar } from "./polar.mjs";
 import { RailwayOptions, RailwayProfile, railway } from "./railway.mjs";
 import { VercelOptions, VercelProfile, vercel } from "./vercel.mjs";
@@ -1831,4 +1831,4 @@ type SocialProviders = { [K in SocialProviderList[number]]?: AwaitableFunction<P
 }> };
 type SocialProviderList = typeof socialProviderList;
 //#endregion
-export { AccountStatus, AppleNonConformUser, AppleOptions, AppleProfile, AtlassianOptions, AtlassianProfile, CognitoOptions, CognitoProfile, DiscordOptions, DiscordProfile, DropboxOptions, DropboxProfile, FacebookOptions, FacebookProfile, FigmaOptions, FigmaProfile, GithubOptions, GithubProfile, GitlabOptions, GitlabProfile, GoogleOptions, GoogleProfile, HuggingFaceOptions, HuggingFaceProfile, KakaoOptions, KakaoProfile, KickOptions, KickProfile, LineIdTokenPayload, LineOptions, LineUserInfo, LinearOptions, LinearProfile, LinearUser, LinkedInOptions, LinkedInProfile, LoginType, MicrosoftEntraIDProfile, MicrosoftOptions, NaverOptions, NaverProfile, NotionOptions, NotionProfile, PayPalOptions, PayPalProfile, PayPalTokenResponse, PaybinOptions, PaybinProfile, PhoneNumber, PolarOptions, PolarProfile, PronounOption, RailwayOptions, RailwayProfile, RedditOptions, RedditProfile, RobloxOptions, RobloxProfile, SalesforceOptions, SalesforceProfile, SlackOptions, SlackProfile, SocialProvider, SocialProviderList, SocialProviderListEnum, SocialProviders, SpotifyOptions, SpotifyProfile, TiktokOptions, TiktokProfile, TwitchOptions, TwitchProfile, TwitterOption, TwitterProfile, VercelOptions, VercelProfile, VkOption, VkProfile, WeChatOptions, WeChatProfile, ZoomOptions, ZoomProfile, apple, atlassian, cognito, discord, dropbox, facebook, figma, getApplePublicKey, getCognitoPublicKey, getGooglePublicKey, getMicrosoftPublicKey, github, gitlab, google, huggingface, kakao, kick, line, linear, linkedin, microsoft, naver, notion, paybin, paypal, polar, railway, reddit, roblox, salesforce, slack, socialProviderList, socialProviders, spotify, tiktok, twitch, twitter, vercel, vk, wechat, zoom };
+export { AccountStatus, AppleNonConformUser, AppleOptions, AppleProfile, AtlassianOptions, AtlassianProfile, CognitoOptions, CognitoProfile, DiscordOptions, DiscordProfile, DropboxOptions, DropboxProfile, FacebookOptions, FacebookProfile, FigmaOptions, FigmaProfile, GithubOptions, GithubProfile, GitlabOptions, GitlabProfile, GoogleOptions, GoogleProfile, HuggingFaceOptions, HuggingFaceProfile, KakaoOptions, KakaoProfile, KickOptions, KickProfile, LineIdTokenPayload, LineOptions, LineUserInfo, LinearOptions, LinearProfile, LinearUser, LinkedInOptions, LinkedInProfile, LoginType, MicrosoftEntraIDProfile, MicrosoftOptions, NaverOptions, NaverProfile, NotionOptions, NotionProfile, PayPalOptions, PayPalProfile, PayPalTokenResponse, PaybinOptions, PaybinProfile, PhoneNumber, PolarOptions, PolarProfile, PronounOption, RailwayOptions, RailwayProfile, RedditOptions, RedditProfile, RobloxOptions, RobloxProfile, SalesforceOptions, SalesforceProfile, SlackOptions, SlackProfile, SocialProvider, SocialProviderList, SocialProviderListEnum, SocialProviders, SpotifyOptions, SpotifyProfile, TiktokOptions, TiktokProfile, TwitchOptions, TwitchProfile, TwitterOption, TwitterProfile, VercelOptions, VercelProfile, VkOption, VkProfile, WeChatOptions, WeChatProfile, ZoomOptions, ZoomProfile, apple, atlassian, cognito, discord, dropbox, facebook, figma, getApplePublicKey, getCognitoPublicKey, getGooglePublicKey, getMicrosoftPublicKey, getPayPalPublicKey, github, gitlab, google, huggingface, kakao, kick, line, linear, linkedin, microsoft, naver, notion, paybin, paypal, polar, railway, reddit, roblox, salesforce, slack, socialProviderList, socialProviders, spotify, tiktok, twitch, twitter, vercel, vk, wechat, zoom };

package/dist/social-providers/index.mjs

@@ -18,7 +18,7 @@ import { getMicrosoftPublicKey, microsoft } from "./microsoft-entra-id.mjs";
 import { naver } from "./naver.mjs";
 import { notion } from "./notion.mjs";
 import { paybin } from "./paybin.mjs";
-import { paypal } from "./paypal.mjs";
+import { getPayPalPublicKey, paypal } from "./paypal.mjs";
 import { polar } from "./polar.mjs";
 import { railway } from "./railway.mjs";
 import { reddit } from "./reddit.mjs";
@@ -75,4 +75,4 @@ const socialProviders = {
 const socialProviderList = Object.keys(socialProviders);
 const SocialProviderListEnum = z.enum(socialProviderList).or(z.string());
 //#endregion
-export { SocialProviderListEnum, apple, atlassian, cognito, discord, dropbox, facebook, figma, getApplePublicKey, getCognitoPublicKey, getGooglePublicKey, getMicrosoftPublicKey, github, gitlab, google, huggingface, kakao, kick, line, linear, linkedin, microsoft, naver, notion, paybin, paypal, polar, railway, reddit, roblox, salesforce, slack, socialProviderList, socialProviders, spotify, tiktok, twitch, twitter, vercel, vk, wechat, zoom };
+export { SocialProviderListEnum, apple, atlassian, cognito, discord, dropbox, facebook, figma, getApplePublicKey, getCognitoPublicKey, getGooglePublicKey, getMicrosoftPublicKey, getPayPalPublicKey, github, gitlab, google, huggingface, kakao, kick, line, linear, linkedin, microsoft, naver, notion, paybin, paypal, polar, railway, reddit, roblox, salesforce, slack, socialProviderList, socialProviders, spotify, tiktok, twitch, twitter, vercel, vk, wechat, zoom };

package/dist/social-providers/paypal.d.mts

@@ -125,5 +125,6 @@ declare const paypal: (options: PayPalOptions) => {
   } | null>;
   options: PayPalOptions;
 };
+declare const getPayPalPublicKey: (kid: string, jwksUri: string) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
 //#endregion
-export { PayPalOptions, PayPalProfile, PayPalTokenResponse, paypal };
+export { PayPalOptions, PayPalProfile, PayPalTokenResponse, getPayPalPublicKey, paypal };

package/dist/social-providers/paypal.mjs

@@ -1,15 +1,30 @@
-import { BetterAuthError } from "../error/index.mjs";
+import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt } from "jose";
+import { decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 //#region src/social-providers/paypal.ts
+/**
+* ID token signing algorithms advertised by PayPal's OpenID configuration.
+* Anything outside this allowlist is rejected so each token is only ever
+* verified with the algorithm it was issued for.
+*
+* @see https://www.paypal.com/.well-known/openid-configuration
+*/
+const PAYPAL_ID_TOKEN_ALGORITHMS = ["RS256", "HS256"];
 const paypal = (options) => {
 	const isSandbox = (options.environment || "sandbox") === "sandbox";
 	const authorizationEndpoint = isSandbox ? "https://www.sandbox.paypal.com/signin/authorize" : "https://www.paypal.com/signin/authorize";
 	const tokenEndpoint = isSandbox ? "https://api-m.sandbox.paypal.com/v1/oauth2/token" : "https://api-m.paypal.com/v1/oauth2/token";
 	const userInfoEndpoint = isSandbox ? "https://api-m.sandbox.paypal.com/v1/identity/oauth2/userinfo" : "https://api-m.paypal.com/v1/identity/oauth2/userinfo";
+	/**
+	* Issuer and JWKS endpoints used to cryptographically verify ID tokens.
+	*
+	* @see https://www.paypal.com/.well-known/openid-configuration
+	*/
+	const issuer = isSandbox ? "https://www.sandbox.paypal.com" : "https://www.paypal.com";
+	const jwksEndpoint = isSandbox ? "https://api.sandbox.paypal.com/v1/oauth2/certs" : "https://api.paypal.com/v1/oauth2/certs";
 	return {
 		id: "paypal",
 		name: "PayPal",
@@ -94,7 +109,19 @@ const paypal = (options) => {
 			if (options.disableIdTokenSignIn) return false;
 			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
 			try {
-				return !!decodeJwt(token).sub;
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!jwtAlg) return false;
+				if (!PAYPAL_ID_TOKEN_ALGORITHMS.includes(jwtAlg)) return false;
+				const key = jwtAlg === "HS256" ? new TextEncoder().encode(options.clientSecret) : kid ? await getPayPalPublicKey(kid, jwksEndpoint) : void 0;
+				if (!key) return false;
+				const { payload: jwtClaims } = await jwtVerify(token, key, {
+					algorithms: [jwtAlg],
+					issuer,
+					audience: options.clientId,
+					maxTokenAge: "1h"
+				});
+				if (nonce && jwtClaims.nonce !== nonce) return false;
+				return true;
 			} catch (error) {
 				logger.error("Failed to verify PayPal ID token:", error);
 				return false;
@@ -136,5 +163,12 @@ const paypal = (options) => {
 		options
 	};
 };
+const getPayPalPublicKey = async (kid, jwksUri) => {
+	const { data } = await betterFetch(jwksUri);
+	if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+	return await importJWK(jwk, jwk.alg);
+};
 //#endregion
-export { paypal };
+export { getPayPalPublicKey, paypal };

package/dist/social-providers/reddit.mjs

@@ -61,14 +61,15 @@ const reddit = (options) => {
 			} });
 			if (error) return null;
 			const userMap = await options.mapProfileToUser?.(profile);
+			const email = userMap?.email || `${profile.id}@reddit.com`;
 			return {
 				user: {
 					id: profile.id,
 					name: profile.name,
-					email: profile.oauth_client_id,
-					emailVerified: profile.has_verified_email,
 					image: profile.icon_img?.split("?")[0],
-					...userMap
+					...userMap,
+					email,
+					emailVerified: userMap?.emailVerified ?? false
 				},
 				data: profile
 			};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.6.15",
+  "version": "1.6.16",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -153,11 +153,11 @@
   },
   "devDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
+    "@better-fetch/fetch": "1.2.2",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/sdk-trace-base": "^1.30.0",
     "@opentelemetry/sdk-trace-node": "^1.30.0",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "@cloudflare/workers-types": "^4.20250121.0",
     "jose": "^6.1.3",
     "kysely": "^0.28.17 || ^0.29.0",
@@ -166,9 +166,9 @@
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
+    "@better-fetch/fetch": "1.2.2",
     "@opentelemetry/api": "^1.9.0",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "@cloudflare/workers-types": ">=4",
     "jose": "^6.1.0",
     "kysely": "^0.28.5 || ^0.29.0",

package/src/env/env-impl.ts

@@ -46,8 +46,7 @@ function toBoolean(val: boolean | string | undefined) {
 	return val ? val !== "false" : false;
 }
 
-export const nodeENV =
-	(typeof process !== "undefined" && process.env && process.env.NODE_ENV) || "";
+export const nodeENV = env.NODE_ENV ?? "";
 
 /** Detect if `NODE_ENV` environment variable is `production` */
 export const isProduction = nodeENV === "production";

package/src/oauth2/verify.ts

@@ -25,8 +25,22 @@ function isJoseInfrastructureError(error: joseErrors.JOSEError) {
 	return joseInfrastructureErrorCodes.has(error.code);
 }
 
-/** Last fetched jwks used locally in getJwks @internal */
-let jwks: JSONWebKeySet | undefined;
+interface JwksCacheEntry {
+	jwks: JSONWebKeySet;
+	fetchedAt: number;
+}
+
+const jwksCache = new Map<
+	string | (() => Promise<JSONWebKeySet | undefined>),
+	JwksCacheEntry
+>();
+
+/**
+ * How long a cached JWKS is trusted before it is refetched
+ *
+ * @internal
+ */
+const JWKS_CACHE_TTL_MS = 5 * 60 * 1000;
 
 export interface VerifyAccessTokenRemote {
 	/** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
@@ -41,6 +55,20 @@ export interface VerifyAccessTokenRemote {
 	 * is also still active.
 	 */
 	force?: boolean;
+	/**
+	 * Accept introspection responses that omit the `aud` claim even when a
+	 * required `audience` is configured in `verifyOptions`.
+	 *
+	 * By default verification fails closed: if you configure an `audience` and
+	 * the introspection response has no `aud` (or a mismatching one), the token
+	 * is rejected. Some authorization servers legitimately omit `aud` from
+	 * introspection responses (it is OPTIONAL per RFC 7662 §2.2); only enable
+	 * this if you trust the issuer to bind the token to this resource through
+	 * another mechanism, as it skips the audience check in that case.
+	 *
+	 * @default false
+	 */
+	allowMissingAudience?: boolean;
 }
 
 /**
@@ -96,10 +124,21 @@ export async function getJwks(
 	if (!jwtHeaders.kid) {
 		throw new APIError("UNAUTHORIZED", { message: "invalid access token" });
 	}
+	const kid = jwtHeaders.kid;
 
-	// Fetch jwks if not set or has a different kid than the one stored
-	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
-		jwks =
+	const cacheKey = opts.jwksFetch;
+	const cached = jwksCache.get(cacheKey);
+	const isFresh = cached
+		? Date.now() - cached.fetchedAt < JWKS_CACHE_TTL_MS
+		: false;
+	const hasKid = cached?.jwks.keys.some((jwk) => jwk.kid === kid) ?? false;
+
+	// Refetch when this source has no cached set, the cached set has expired, or
+	// it does not contain the token's kid (e.g. a newly rotated-in key). The
+	// cache is scoped to `cacheKey`, so a token is only ever matched against the
+	// key set published by its own source.
+	if (!cached || !isFresh || !hasKid) {
+		const jwks =
 			typeof opts.jwksFetch === "string"
 				? await betterFetch<JSONWebKeySet>(opts.jwksFetch, {
 						headers: {
@@ -114,9 +153,11 @@ export async function getJwks(
 					})
 				: await opts.jwksFetch();
 		if (!jwks) throw new Error("No jwks found");
+		jwksCache.set(cacheKey, { jwks, fetchedAt: Date.now() });
+		return jwks;
 	}
 
-	return jwks;
+	return cached.jwks;
 }
 
 /**
@@ -201,13 +242,23 @@ export async function verifyAccessToken(
 			throw new APIError("UNAUTHORIZED", {
 				message: "token inactive",
 			});
-		// Verifies payload using verify options (token valid through introspect)
+		// Verifies payload using verify options (token valid through introspect).
+		// Audience is enforced by default: when `verifyOptions.audience` is set
+		// but the introspection response omits `aud` (or it mismatches),
+		// `UnsecuredJWT.decode` throws and the token is rejected. Otherwise a
+		// token issued for a different resource/client on the same issuer would
+		// also pass. Only drop the audience check when the caller has explicitly
+		// opted in via `remoteVerify.allowMissingAudience`.
 		try {
 			const unsecuredJwt = new UnsecuredJWT(introspect).encode();
-			const { audience: _audience, ...verifyOptions } = opts.verifyOptions;
-			const verify = introspect.aud
-				? UnsecuredJWT.decode(unsecuredJwt, opts.verifyOptions)
-				: UnsecuredJWT.decode(unsecuredJwt, verifyOptions);
+			const { audience: _audience, ...verifyOptionsNoAudience } =
+				opts.verifyOptions;
+			const skipAudience =
+				!introspect.aud && opts.remoteVerify.allowMissingAudience === true;
+			const verify = UnsecuredJWT.decode(
+				unsecuredJwt,
+				skipAudience ? verifyOptionsNoAudience : opts.verifyOptions,
+			);
 			payload = verify.payload;
 		} catch (error) {
 			throw new Error(error as unknown as string);

package/src/social-providers/facebook.ts

@@ -24,6 +24,58 @@ export interface FacebookProfile {
 	};
 }
 
+interface FacebookDebugTokenData {
+	app_id?: string;
+	is_valid?: boolean;
+	user_id?: string;
+}
+
+/**
+ * Validate an opaque Facebook access token against the configured app.
+ *
+ * Facebook access tokens are not audience-bound at the Graph `/me` endpoint: a
+ * token minted for any Facebook app returns that app's profile. Without this
+ * check, a token issued to an unrelated app could be presented to this
+ * app's direct sign-in path and accepted as proof of identity. We call the
+ * `debug_token` endpoint and require the token to be valid, bound to one of the
+ * configured client ids, and tied to a user.
+ *
+ * @see https://developers.facebook.com/docs/facebook-login/guides/access-tokens/debugging
+ *
+ * @returns the inspected token's `user_id` when the token is valid and bound to
+ * the configured app, otherwise `null`.
+ */
+async function verifyFacebookAccessToken(
+	accessToken: string,
+	options: FacebookOptions,
+): Promise<string | null> {
+	const primaryClientId = getPrimaryClientId(options.clientId);
+	if (!primaryClientId || !options.clientSecret) {
+		return null;
+	}
+	const clientIds = Array.isArray(options.clientId)
+		? options.clientId
+		: [options.clientId];
+	const appAccessToken = `${primaryClientId}|${options.clientSecret}`;
+	const { data, error } = await betterFetch<{ data?: FacebookDebugTokenData }>(
+		"https://graph.facebook.com/debug_token",
+		{
+			query: {
+				input_token: accessToken,
+				access_token: appAccessToken,
+			},
+		},
+	);
+	if (error || !data?.data) {
+		return null;
+	}
+	const { is_valid, app_id, user_id } = data.data;
+	if (is_valid !== true || !app_id || !clientIds.includes(app_id) || !user_id) {
+		return null;
+	}
+	return user_id;
+}
+
 export interface FacebookOptions extends ProviderOptions<FacebookProfile> {
 	clientId: string | string[];
 	/**
@@ -117,7 +169,10 @@ export const facebook = (options: FacebookOptions) => {
 			}
 
 			/* access_token */
-			return true;
+			// An opaque access token carries no app binding of its own, so it
+			// must be validated against the configured app before it can be
+			// trusted as proof of identity.
+			return (await verifyFacebookAccessToken(token, options)) !== null;
 		},
 		refreshAccessToken: options.refreshAccessToken
 			? options.refreshAccessToken
@@ -178,6 +233,20 @@ export const facebook = (options: FacebookOptions) => {
 				};
 			}
 
+			// The profile is fetched with `accessToken`, which is the credential
+			// that actually proves identity here — and a separate request field
+			// from the `idToken`/token validated by `verifyIdToken`. Since an
+			// opaque token is not app-bound at `/me`, validate this exact token
+			// against the configured app before trusting the profile it returns.
+			const accessToken = token.accessToken;
+			if (!accessToken) {
+				return null;
+			}
+			const tokenUserId = await verifyFacebookAccessToken(accessToken, options);
+			if (!tokenUserId) {
+				return null;
+			}
+
 			const fields = [
 				"id",
 				"name",
@@ -190,13 +259,17 @@ export const facebook = (options: FacebookOptions) => {
 				{
 					auth: {
 						type: "Bearer",
-						token: token.accessToken,
+						token: accessToken,
 					},
 				},
 			);
 			if (error) {
 				return null;
 			}
+			// Bind the validated token to the profile it returned.
+			if (profile.id !== tokenUserId) {
+				return null;
+			}
 			const userMap = await options.mapProfileToUser?.(profile);
 			return {
 				user: {

package/src/social-providers/google.ts

@@ -48,7 +48,12 @@ export interface GoogleOptions extends ProviderOptions<GoogleProfile> {
 	 */
 	display?: ("page" | "popup" | "touch" | "wap") | undefined;
 	/**
-	 * The hosted domain of the user
+	 * The hosted domain (Google Workspace) the user must belong to.
+	 *
+	 * This is sent to Google as the `hd` authorization hint and, when set, is
+	 * also enforced against the `hd` claim of the returned id token/profile.
+	 * Sign-in is rejected when the claim is missing or does not match, so this
+	 * can be used to restrict sign-in to a Workspace domain.
 	 */
 	hd?: string | undefined;
 }
@@ -147,6 +152,15 @@ export const google = (options: GoogleOptions) => {
 					return false;
 				}
 
+				// Google's `hd` authorization parameter is only a UI hint and can
+				// be removed or changed by the user. When a hosted domain is
+				// configured, the `hd` claim in the verified id token is the
+				// authoritative value and must match, otherwise accounts outside
+				// the workspace domain would be accepted.
+				if (options.hd && jwtClaims.hd !== options.hd) {
+					return false;
+				}
+
 				return true;
 			} catch {
 				return false;
@@ -160,6 +174,18 @@ export const google = (options: GoogleOptions) => {
 				return null;
 			}
 			const user = decodeJwt(token.idToken) as GoogleProfile;
+			// Enforce the configured hosted domain on the callback profile path
+			// as well. The `hd` claim must be present and match, since the
+			// authorization-time `hd` hint does not restrict which account signs
+			// in.
+			if (options.hd && user.hd !== options.hd) {
+				logger.error(
+					`Google sign-in rejected: id token hosted domain (hd) "${
+						user.hd ?? "<missing>"
+					}" does not match the configured "hd" option "${options.hd}".`,
+				);
+				return null;
+			}
 			const userMap = await options.mapProfileToUser?.(user);
 			return {
 				user: {

package/src/social-providers/paypal.ts

@@ -1,11 +1,20 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt } from "jose";
+import { decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 import { logger } from "../env";
-import { BetterAuthError } from "../error";
+import { APIError, BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import { createAuthorizationURL } from "../oauth2";
 
+/**
+ * ID token signing algorithms advertised by PayPal's OpenID configuration.
+ * Anything outside this allowlist is rejected so each token is only ever
+ * verified with the algorithm it was issued for.
+ *
+ * @see https://www.paypal.com/.well-known/openid-configuration
+ */
+const PAYPAL_ID_TOKEN_ALGORITHMS = ["RS256", "HS256"] as const;
+
 export interface PayPalProfile {
 	user_id: string;
 	name: string;
@@ -75,6 +84,19 @@ export const paypal = (options: PayPalOptions) => {
 		? "https://api-m.sandbox.paypal.com/v1/identity/oauth2/userinfo"
 		: "https://api-m.paypal.com/v1/identity/oauth2/userinfo";
 
+	/**
+	 * Issuer and JWKS endpoints used to cryptographically verify ID tokens.
+	 *
+	 * @see https://www.paypal.com/.well-known/openid-configuration
+	 */
+	const issuer = isSandbox
+		? "https://www.sandbox.paypal.com"
+		: "https://www.paypal.com";
+
+	const jwksEndpoint = isSandbox
+		? "https://api.sandbox.paypal.com/v1/oauth2/certs"
+		: "https://api.paypal.com/v1/oauth2/certs";
+
 	return {
 		id: "paypal",
 		name: "PayPal",
@@ -201,9 +223,48 @@ export const paypal = (options: PayPalOptions) => {
 			if (options.verifyIdToken) {
 				return options.verifyIdToken(token, nonce);
 			}
+
+			// Cryptographically verify the ID token. Decoding alone is not enough:
+			// the signature, issuer, audience and expiration must all be checked
+			// before the token's claims can be relied on as proof of identity.
+			// See https://www.paypal.com/.well-known/openid-configuration
+
 			try {
-				const payload = decodeJwt(token);
-				return !!payload.sub;
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!jwtAlg) return false;
+				if (
+					!PAYPAL_ID_TOKEN_ALGORITHMS.includes(
+						jwtAlg as (typeof PAYPAL_ID_TOKEN_ALGORITHMS)[number],
+					)
+				) {
+					return false;
+				}
+
+				// PayPal can sign ID tokens either asymmetrically (RS256, verified
+				// against the published JWKS) or symmetrically (HS256, verified with
+				// the client secret). Selecting the key by algorithm keeps the two
+				// paths separate so each algorithm is only verified with its
+				// corresponding key type.
+				const key =
+					jwtAlg === "HS256"
+						? new TextEncoder().encode(options.clientSecret)
+						: kid
+							? await getPayPalPublicKey(kid, jwksEndpoint)
+							: undefined;
+				if (!key) return false;
+
+				const { payload: jwtClaims } = await jwtVerify(token, key, {
+					algorithms: [jwtAlg],
+					issuer,
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				});
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
+
+				return true;
 			} catch (error) {
 				logger.error("Failed to verify PayPal ID token:", error);
 				return false;
@@ -261,3 +322,29 @@ export const paypal = (options: PayPalOptions) => {
 		options,
 	} satisfies OAuthProvider<PayPalProfile>;
 };
+
+export const getPayPalPublicKey = async (kid: string, jwksUri: string) => {
+	const { data } = await betterFetch<{
+		keys: Array<{
+			kid: string;
+			alg: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+		}>;
+	}>(jwksUri);
+
+	if (!data?.keys) {
+		throw new APIError("BAD_REQUEST", {
+			message: "Keys not found",
+		});
+	}
+
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) {
+		throw new Error(`JWK with kid ${kid} not found`);
+	}
+
+	return await importJWK(jwk, jwk.alg);
+};

package/src/social-providers/reddit.ts

@@ -104,15 +104,15 @@ export const reddit = (options: RedditOptions) => {
 			}
 
 			const userMap = await options.mapProfileToUser?.(profile);
-
+			const email = userMap?.email || `${profile.id}@reddit.com`;
 			return {
 				user: {
 					id: profile.id,
 					name: profile.name,
-					email: profile.oauth_client_id,
-					emailVerified: profile.has_verified_email,
 					image: profile.icon_img?.split("?")[0]!,
 					...userMap,
+					email,
+					emailVerified: userMap?.emailVerified ?? false,
 				},
 				data: profile,
 			};