@better-auth/core 1.7.0-beta.5 → 1.7.0-beta.7

package/dist/api/index.d.mts

@@ -8,6 +8,24 @@ import { EndpointContext, EndpointOptions, StrictEndpoint } from "better-call";
 import * as _better_auth_core0 from "@better-auth/core";
 
 //#region src/api/index.d.ts
+/**
+ * Response headers that forbid any intermediary (proxy, CDN, browser) from
+ * caching a response body. Credential-bearing responses (access/refresh tokens,
+ * ID tokens, client secrets, device codes) must carry them.
+ *
+ * Set `metadata: { noStore: true }` on an endpoint and {@link createAuthEndpoint}
+ * applies these to the responses its handler produces: the success body and any
+ * error the handler throws. A request rejected by schema or media-type
+ * validation before the handler runs is not covered, and carries no credentials
+ * to protect. Spread them into a hand-built `Response` or `APIError`'s headers
+ * for the rare endpoint that constructs its own response.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+ */
+declare const NO_STORE_HEADERS: {
+  readonly "Cache-Control": "no-store";
+  readonly Pragma: "no-cache";
+};
 declare const optionsMiddleware: <InputCtx extends better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>>(inputContext: InputCtx) => Promise<AuthContext>;
 declare const createAuthMiddleware: {
   <Options extends better_call0.MiddlewareOptions, R>(options: Options, handler: (ctx: better_call0.MiddlewareContext<Options, {
@@ -272,7 +290,32 @@ declare const createAuthMiddleware: {
 type EndpointHandler<Path extends string, Options extends EndpointOptions, R> = (context: EndpointContext<Path, Options, AuthContext>) => Promise<R>;
 declare function createAuthEndpoint<Path extends string, Options extends EndpointOptions, R>(path: Path, options: Options, handler: EndpointHandler<Path, Options, R>): StrictEndpoint<Path, Options, R>;
 declare function createAuthEndpoint<Path extends string, Options extends EndpointOptions, R>(options: Options, handler: EndpointHandler<Path, Options, R>): StrictEndpoint<Path, Options, R>;
+declare namespace createAuthEndpoint {
+  /**
+   * Declare a **server-only** endpoint.
+   *
+   * The endpoint is callable through `auth.api.*` from trusted server code but is
+   * never registered on the HTTP router and never emitted into the OpenAPI
+   * schema. It takes no path because it has no URL to be reached at.
+   *
+   * Prefer this over the path-less `createAuthEndpoint({ ... }, handler)` form.
+   * Setting `metadata.SERVER_ONLY` makes the intent explicit at the call site and
+   * keeps the endpoint off the HTTP surface even if a path is later added by
+   * mistake: better-call's router skips an endpoint when its path is missing *or*
+   * when `SERVER_ONLY` is set, so the two together are defense in depth. Relying
+   * on path omission alone is invisible and one keystroke away from exposure.
+   *
+   * @example
+   * ```ts
+   * viewBackupCodes: createAuthEndpoint.serverOnly(
+   * 	{ method: "POST", body: schema },
+   * 	async (ctx) => { ... },
+   * )
+   * ```
+   */
+  function serverOnly<Path extends string, Options extends EndpointOptions, R>(options: Options, handler: EndpointHandler<Path, Options, R>): StrictEndpoint<Path, Options, R>;
+}
 type AuthEndpoint<Path extends string, Opts extends EndpointOptions, R> = ReturnType<typeof createAuthEndpoint<Path, Opts, R>>;
 type AuthMiddleware = ReturnType<typeof createAuthMiddleware>;
 //#endregion
-export { AuthEndpoint, AuthMiddleware, createAuthEndpoint, createAuthMiddleware, optionsMiddleware };
+export { AuthEndpoint, AuthMiddleware, NO_STORE_HEADERS, createAuthEndpoint, createAuthMiddleware, optionsMiddleware };

package/dist/api/index.mjs

@@ -3,6 +3,24 @@ import { isAPIError } from "../utils/is-api-error.mjs";
 import { createEndpoint, createMiddleware, kAPIErrorHeaderSymbol } from "better-call";
 //#region src/api/index.ts
 /**
+* Response headers that forbid any intermediary (proxy, CDN, browser) from
+* caching a response body. Credential-bearing responses (access/refresh tokens,
+* ID tokens, client secrets, device codes) must carry them.
+*
+* Set `metadata: { noStore: true }` on an endpoint and {@link createAuthEndpoint}
+* applies these to the responses its handler produces: the success body and any
+* error the handler throws. A request rejected by schema or media-type
+* validation before the handler runs is not covered, and carries no credentials
+* to protect. Spread them into a hand-built `Response` or `APIError`'s headers
+* for the rare endpoint that constructs its own response.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+*/
+const NO_STORE_HEADERS = {
+	"Cache-Control": "no-store",
+	Pragma: "no-cache"
+};
+/**
 * Better-call's createEndpoint re-throws APIError without exposing the headers
 * accumulated on ctx.responseHeaders (e.g. Set-Cookie from deleteSessionCookie
 * before throw). Attach them to the error via kAPIErrorHeaderSymbol — matching
@@ -34,7 +52,9 @@ function createAuthEndpoint(pathOrOptions, handlerOrOptions, handlerOrNever) {
 	const path = typeof pathOrOptions === "string" ? pathOrOptions : void 0;
 	const options = typeof handlerOrOptions === "object" ? handlerOrOptions : pathOrOptions;
 	const handler = typeof handlerOrOptions === "function" ? handlerOrOptions : handlerOrNever;
+	const noStore = options.metadata?.noStore === true;
 	const wrapped = async (ctx) => {
+		if (noStore) for (const [name, value] of Object.entries(NO_STORE_HEADERS)) ctx.setHeader(name, value);
 		const runtimeCtx = ctx;
 		try {
 			return await runWithEndpointContext(ctx, () => handler(ctx));
@@ -52,5 +72,24 @@ function createAuthEndpoint(pathOrOptions, handlerOrOptions, handlerOrNever) {
 		use: [...options?.use || [], ...use]
 	}, wrapped);
 }
+/**
+* Set `metadata.SERVER_ONLY` while preserving any existing metadata
+* (`$Infer`, `openapi`, ...).
+*/
+function withServerOnly(options) {
+	return {
+		...options,
+		metadata: {
+			...options.metadata,
+			SERVER_ONLY: true
+		}
+	};
+}
+(function(_createAuthEndpoint) {
+	function serverOnly(options, handler) {
+		return createAuthEndpoint(withServerOnly(options), handler);
+	}
+	_createAuthEndpoint.serverOnly = serverOnly;
+})(createAuthEndpoint || (createAuthEndpoint = {}));
 //#endregion
-export { createAuthEndpoint, createAuthMiddleware, optionsMiddleware };
+export { NO_STORE_HEADERS, createAuthEndpoint, createAuthMiddleware, optionsMiddleware };

package/dist/context/global.mjs

@@ -2,7 +2,7 @@
 const symbol = Symbol.for("better-auth:global");
 let bind = null;
 const __context = {};
-const __betterAuthVersion = "1.7.0-beta.5";
+const __betterAuthVersion = "1.7.0-beta.7";
 /**
 * We store context instance in the globalThis.
 *

package/dist/context/transaction.d.mts

@@ -1,10 +1,13 @@
 import { DBAdapter, DBTransactionAdapter } from "../db/adapter/index.mjs";
+import { BetterAuthOptions } from "../types/init-options.mjs";
 import { AsyncLocalStorage } from "node:async_hooks";
 
 //#region src/context/transaction.d.ts
+type StoredAdapter = DBTransactionAdapter<BetterAuthOptions>;
 type HookContext = {
-  adapter: DBTransactionAdapter;
+  adapter: StoredAdapter;
   pendingHooks: Array<() => Promise<void>>;
+  isTransactionActive: boolean;
 };
 /**
  * This is for internal use only. Most users should use `getCurrentAdapter` instead.
@@ -12,9 +15,9 @@ type HookContext = {
  * It is exposed for advanced use cases where you need direct access to the AsyncLocalStorage instance.
  */
 declare const getCurrentDBAdapterAsyncLocalStorage: () => Promise<AsyncLocalStorage<HookContext>>;
-declare const getCurrentAdapter: (fallback: DBTransactionAdapter) => Promise<DBTransactionAdapter>;
-declare const runWithAdapter: <R>(adapter: DBAdapter, fn: () => R) => Promise<R>;
-declare const runWithTransaction: <R>(adapter: DBAdapter, fn: () => R) => Promise<R>;
+declare const getCurrentAdapter: <Options extends BetterAuthOptions = BetterAuthOptions>(fallback: DBTransactionAdapter<Options>) => Promise<DBTransactionAdapter<Options>>;
+declare const runWithAdapter: <R, Options extends BetterAuthOptions = BetterAuthOptions>(adapter: DBAdapter<Options>, fn: () => R) => Promise<R>;
+declare const runWithTransaction: <R, Options extends BetterAuthOptions = BetterAuthOptions>(adapter: DBAdapter<Options>, fn: () => R) => Promise<R>;
 /**
  * Queue a hook to be executed after the current transaction commits.
  * If not in a transaction, the hook will execute immediately.

package/dist/context/transaction.mjs

@@ -35,7 +35,8 @@ const runWithAdapter = async (adapter, fn) => {
 		try {
 			result = await als.run({
 				adapter,
-				pendingHooks
+				pendingHooks,
+				isTransactionActive: false
 			}, fn);
 		} catch (err) {
 			error = err;
@@ -50,9 +51,10 @@ const runWithAdapter = async (adapter, fn) => {
 	});
 };
 const runWithTransaction = async (adapter, fn) => {
-	let called = true;
+	let called = false;
 	return ensureAsyncStorage().then(async (als) => {
 		called = true;
+		if (als.getStore()?.isTransactionActive) return fn();
 		const pendingHooks = [];
 		let result;
 		let error;
@@ -61,7 +63,8 @@ const runWithTransaction = async (adapter, fn) => {
 			result = await adapter.transaction(async (trx) => {
 				return als.run({
 					adapter: trx,
-					pendingHooks
+					pendingHooks,
+					isTransactionActive: true
 				}, fn);
 			});
 		} catch (e) {

package/dist/db/adapter/factory.mjs

@@ -1,7 +1,7 @@
 import { BetterAuthError } from "../../error/index.mjs";
-import { getAuthTables } from "../get-tables.mjs";
 import { getColorDepth } from "../../env/color-depth.mjs";
 import { TTY_COLORS, createLogger } from "../../env/logger.mjs";
+import { getAuthTables } from "../get-tables.mjs";
 import { safeJSONParse } from "../../utils/json.mjs";
 import { initGetDefaultModelName } from "./get-default-model-name.mjs";
 import { initGetDefaultFieldName } from "./get-default-field-name.mjs";
@@ -58,6 +58,7 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 					else if (method === "delete" && !config.debugLogs.delete) return;
 					else if (method === "deleteMany" && !config.debugLogs.deleteMany) return;
 					else if (method === "consumeOne" && !config.debugLogs.consumeOne) return;
+					else if (method === "incrementOne" && !config.debugLogs.incrementOne) return;
 					else if (method === "count" && !config.debugLogs.count) return;
 				}
 				logger.info(`[${config.adapterName}]`, ...args);
@@ -515,6 +516,7 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 				where,
 				update: data
 			}));
+			if (typeof updatedCount !== "number" || !Number.isFinite(updatedCount)) throw new BetterAuthError(`Adapter "${config.adapterId}" updateMany must return a finite number affected row count.`);
 			debugLog({ method: "updateMany" }, `${formatTransactionId(thisTransactionId)} ${formatStep(3, 4)}`, `${formatMethod("updateMany")} ${formatAction("DB Result")}:`, {
 				model,
 				data: updatedCount
@@ -691,53 +693,77 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 				model,
 				where
 			});
-			let res;
-			let resultNeedsOutputTransform = true;
-			if (adapterInstance.consumeOne) res = await withSpan(`db consumeOne ${model}`, {
+			if (typeof adapterInstance.consumeOne !== "function") throw new BetterAuthError(`Adapter "${config.adapterId}" must implement consumeOne for atomic single-use credential consumption.`);
+			const res = await withSpan(`db consumeOne ${model}`, {
 				[ATTR_DB_OPERATION_NAME]: "consumeOne",
 				[ATTR_DB_COLLECTION_NAME]: model
 			}, () => adapterInstance.consumeOne({
 				model,
 				where
 			}));
-			else {
-				res = await withSpan(`db consumeOne ${model}`, {
-					[ATTR_DB_OPERATION_NAME]: "consumeOne",
-					[ATTR_DB_COLLECTION_NAME]: model
-				}, () => adapter.transaction(async (trx) => {
-					const target = (await trx.findMany({
-						model: unsafeModel,
-						where: unsafeWhere,
-						limit: 1
-					}))[0];
-					if (!target) return null;
-					const deleted = await trx.deleteMany({
-						model: unsafeModel,
-						where: [...unsafeWhere, {
-							field: "id",
-							value: target.id,
-							operator: "eq",
-							connector: "AND",
-							mode: "sensitive"
-						}]
-					});
-					if (typeof deleted !== "number") throw new BetterAuthError(`Adapter "${config.adapterId}" returned a non-numeric value from deleteMany during the consumeOne fallback. Return the number of deleted rows, or implement a native consumeOne for atomic single-use consumption.`);
-					return Number.isFinite(deleted) && deleted > 0 ? target : null;
-				}));
-				resultNeedsOutputTransform = false;
-			}
 			debugLog({ method: "consumeOne" }, `${formatTransactionId(thisTransactionId)} ${formatStep(2, 3)}`, `${formatMethod("consumeOne")} ${formatAction("DB Result")}:`, {
 				model,
 				data: res
 			});
 			let transformed = res;
-			if (!config.disableTransformOutput && resultNeedsOutputTransform && res) transformed = await transformOutput(res, unsafeModel, void 0, void 0);
+			if (!config.disableTransformOutput && res) transformed = await transformOutput(res, unsafeModel, void 0, void 0);
 			debugLog({ method: "consumeOne" }, `${formatTransactionId(thisTransactionId)} ${formatStep(3, 3)}`, `${formatMethod("consumeOne")} ${formatAction("Parsed Result")}:`, {
 				model,
 				data: transformed
 			});
 			return transformed;
 		},
+		incrementOne: async ({ model: unsafeModel, where: unsafeWhere, increment: unsafeIncrement, set: unsafeSet }) => {
+			const hasIncrement = Object.keys(unsafeIncrement).length > 0;
+			const hasSet = !!unsafeSet && Object.keys(unsafeSet).length > 0;
+			if (!hasIncrement && !hasSet) throw new BetterAuthError("incrementOne requires a non-empty `increment` or `set`; both were empty.");
+			transactionId++;
+			const thisTransactionId = transactionId;
+			const model = getModelName(unsafeModel);
+			const where = transformWhereClause({
+				model: unsafeModel,
+				where: unsafeWhere,
+				action: "incrementOne"
+			});
+			unsafeModel = getDefaultModelName(unsafeModel);
+			debugLog({ method: "incrementOne" }, `${formatTransactionId(thisTransactionId)} ${formatStep(1, 3)}`, `${formatMethod("incrementOne")} ${formatAction("IncrementOne")}:`, {
+				model,
+				where,
+				increment: unsafeIncrement,
+				set: unsafeSet
+			});
+			if (typeof adapterInstance.incrementOne !== "function") throw new BetterAuthError(`Adapter "${config.adapterId}" must implement incrementOne for atomic guarded counter updates.`);
+			const mappedKeys = config.mapKeysTransformInput ?? {};
+			const increment = {};
+			for (const [field, delta] of Object.entries(unsafeIncrement)) increment[mappedKeys[field] || getFieldName({
+				model: unsafeModel,
+				field
+			})] = delta;
+			let set;
+			if (unsafeSet && !config.disableTransformInput) set = await transformInput(unsafeSet, unsafeModel, "update");
+			else set = unsafeSet;
+			if (Object.keys(increment).length === 0 && (!set || Object.keys(set).length === 0)) throw new BetterAuthError("incrementOne resolved to an empty update: every increment/set field was unknown to the schema or transformed away.");
+			const res = await withSpan(`db incrementOne ${model}`, {
+				[ATTR_DB_OPERATION_NAME]: "incrementOne",
+				[ATTR_DB_COLLECTION_NAME]: model
+			}, () => adapterInstance.incrementOne({
+				model,
+				where,
+				increment,
+				set
+			}));
+			debugLog({ method: "incrementOne" }, `${formatTransactionId(thisTransactionId)} ${formatStep(2, 3)}`, `${formatMethod("incrementOne")} ${formatAction("DB Result")}:`, {
+				model,
+				data: res
+			});
+			let transformed = res;
+			if (!config.disableTransformOutput && res) transformed = await transformOutput(res, unsafeModel, void 0, void 0);
+			debugLog({ method: "incrementOne" }, `${formatTransactionId(thisTransactionId)} ${formatStep(3, 3)}`, `${formatMethod("incrementOne")} ${formatAction("Parsed Result")}:`, {
+				model,
+				data: transformed
+			});
+			return transformed;
+		},
 		count: async ({ model: unsafeModel, where: unsafeWhere }) => {
 			transactionId++;
 			const thisTransactionId = transactionId;

package/dist/db/adapter/index.d.mts

@@ -23,6 +23,7 @@ type DBAdapterDebugLogOption = boolean | {
   delete?: boolean | undefined;
   deleteMany?: boolean | undefined;
   consumeOne?: boolean | undefined;
+  incrementOne?: boolean | undefined;
   count?: boolean | undefined;
 } | {
   /**
@@ -198,7 +199,7 @@ interface DBAdapterFactoryConfig<Options extends BetterAuthOptions = BetterAuthO
     /**
      * The action which was called from the adapter.
      */
-    action: "create" | "update" | "findOne" | "findMany" | "updateMany" | "delete" | "deleteMany" | "consumeOne" | "count";
+    action: "create" | "update" | "findOne" | "findMany" | "updateMany" | "delete" | "deleteMany" | "consumeOne" | "incrementOne" | "count";
     /**
      * The model name.
      */
@@ -427,15 +428,43 @@ type DBAdapter<Options extends BetterAuthOptions = BetterAuthOptions> = {
    * race-safe primitive for consuming single-use credentials
    * (verification tokens, authorization codes, one-time tokens).
    *
-   * Always defined on the factory-wrapped adapter. When the underlying
-   * `CustomAdapter` does not implement `consumeOne`, the factory provides
-   * a fallback that wraps `findMany + deleteMany` in `transaction(...)`
-   * and returns the row only when the delete reports an affected row.
+   * Always defined on the factory-wrapped adapter. The underlying
+   * `CustomAdapter` must implement this natively; there is no portable
+   * fallback that can guarantee cross-process single-use semantics.
    */
   consumeOne: <T>(data: {
     model: string;
     where: Where[];
   }) => Promise<T | null>;
+  /**
+   * Atomically apply signed numeric deltas to a single row matching the where
+   * clause. For each entry in `increment`, the operation applies
+   * `field = field + delta` in one atomic step; a negative delta decrements.
+   *
+   * The `where` clause is both the selector AND the guard: comparison
+   * operators are honored, so passing `{ field: "remaining", operator: "gt",
+   * value: 0 }` only mutates the row while `remaining` is still above zero.
+   * When the guard matches no row, the operation makes no change and returns
+   * `null`.
+   *
+   * The optional `set` map assigns absolute values to fields in the same
+   * atomic operation, alongside the increments.
+   *
+   * Returns the updated row, or `null` when the guard matched no row. Under
+   * concurrent invocation against the same row, this is the race-safe
+   * primitive for guarded counter updates (e.g. decrementing a remaining-uses
+   * counter only while it is still positive).
+   *
+   * Always defined on the factory-wrapped adapter. The underlying
+   * `CustomAdapter` must implement this natively; there is no portable
+   * fallback that can guarantee guarded counter semantics across runtimes.
+   */
+  incrementOne: <T>(data: {
+    model: string;
+    where: Where[];
+    increment: Record<string, number>;
+    set?: Record<string, unknown> | undefined;
+  }) => Promise<T | null>;
   /**
    * Execute multiple operations in a transaction.
    * If the adapter doesn't support transactions, operations will be executed sequentially.
@@ -518,17 +547,32 @@ interface CustomAdapter {
     where: CleanedWhere[];
   }) => Promise<number>;
   /**
-   * Optional native atomic single-row consume. When omitted, the adapter
-   * factory falls back to `transaction(findMany + deleteMany)`.
+   * Native atomic single-row consume.
    * Implementing this method natively (e.g. `DELETE ... RETURNING *`,
    * `findOneAndDelete`, `OUTPUT deleted.*`) gives one round trip and the
    * strongest race-safety guarantee. Implementations must delete at most
-   * one matching row. TODO(consume-one-required): tighten to required in the
-   * next minor on `next`.
+   * one matching row.
+   */
+  consumeOne: <T>(data: {
+    model: string;
+    where: CleanedWhere[];
+  }) => Promise<T | null>;
+  /**
+   * Native atomic guarded counter mutation. Applies
+   * `field = field + delta` for each entry in `increment` (negative deltas
+   * decrement), with `where` acting as both selector and guard and `set`
+   * assigning absolute values in the same operation. Returns the updated row,
+   * or `null` when the guard matched no row.
+   *
+   * Implementing this natively (e.g. `UPDATE ... SET n = n + $delta WHERE ...
+   * RETURNING *`) gives one round trip and the strongest race-safety
+   * guarantee.
    */
-  consumeOne?: <T>(data: {
+  incrementOne: <T>(data: {
     model: string;
     where: CleanedWhere[];
+    increment: Record<string, number>;
+    set?: Record<string, unknown> | undefined;
   }) => Promise<T | null>;
   count: ({
     model,

package/dist/db/adapter/types.d.mts

@@ -94,7 +94,7 @@ type AdapterFactoryCustomizeAdapterCreator = (config: {
   }: {
     where: W;
     model: string;
-    action: "create" | "update" | "findOne" | "findMany" | "updateMany" | "delete" | "deleteMany" | "consumeOne" | "count";
+    action: "create" | "update" | "findOne" | "findMany" | "updateMany" | "delete" | "deleteMany" | "consumeOne" | "incrementOne" | "count";
   }) => W extends undefined ? undefined : CleanedWhere[];
 }) => CustomAdapter;
 type AdapterTestDebugLogs = {

package/dist/db/type.d.mts

@@ -143,16 +143,21 @@ interface SecondaryStorage {
   get: (key: string) => Awaitable<unknown>;
   /**
    * Atomically get a value and delete it from storage.
+   */
+  getAndDelete: (key: string) => Awaitable<unknown>;
+  /**
+   * Atomically increment the counter at `key` by one, returning the
+   * post-increment value.
    *
-   * This is optional for backwards compatibility with existing secondary
-   * storage implementations. Single-use credential consumers use it when
-   * present to avoid a read-then-delete race.
+   * When the key is absent, it is created with a value of `1` and the given
+   * `ttl` (in SECONDS). The TTL is applied only on creation; later increments
+   * never extend it, so the counter expires a fixed window after it was first
+   * created.
    *
-   * TODO(secondary-storage-atomic-consume): make this required in the next
-   * breaking release, or require database-backed verification storage for
-   * security-sensitive consume paths.
+   * Required so secondary-storage-backed rate limiting can enforce the limit
+   * in one distributed-safe operation.
    */
-  getAndDelete?: (key: string) => Awaitable<unknown>;
+  increment: (key: string, ttl: number) => Awaitable<number>;
   set: (
   /**
    * Key to store

package/dist/instrumentation/tracer.mjs

@@ -2,7 +2,7 @@ import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes.mjs";
 import { getOpenTelemetryAPI } from "./api.mjs";
 //#region src/instrumentation/tracer.ts
 const INSTRUMENTATION_SCOPE = "better-auth";
-const INSTRUMENTATION_VERSION = "1.7.0-beta.5";
+const INSTRUMENTATION_VERSION = "1.7.0-beta.7";
 /**
 * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth
 * callbacks). These are APIErrors with 3xx status codes and should not be

package/dist/oauth2/create-authorization-url.d.mts

@@ -7,7 +7,7 @@ import { ProviderOptions } from "./oauth-provider.mjs";
  * `additionalParams`. Overriding `state`, PKCE, or `redirect_uri` would
  * break the callback correlation and session pinning guarantees.
  */
-declare const RESERVED_AUTHORIZATION_PARAMS: readonly ["state", "client_id", "redirect_uri", "response_type", "code_challenge", "code_challenge_method", "scope"];
+declare const RESERVED_AUTHORIZATION_PARAMS: readonly ["state", "client_id", "redirect_uri", "response_type", "code_challenge", "code_challenge_method", "nonce", "scope"];
 declare const RESERVED_AUTHORIZATION_PARAMS_SET: ReadonlySet<string>;
 declare function createAuthorizationURL({
   id,
@@ -24,6 +24,7 @@ declare function createAuthorizationURL({
   responseType,
   display,
   loginHint,
+  nonce,
   hd,
   responseMode,
   additionalParams,
@@ -43,6 +44,7 @@ declare function createAuthorizationURL({
   responseType?: string | undefined;
   display?: string | undefined;
   loginHint?: string | undefined;
+  nonce?: string | undefined;
   hd?: string | undefined;
   responseMode?: string | undefined;
   additionalParams?: Record<string, string> | undefined;

package/dist/oauth2/create-authorization-url.mjs

@@ -13,10 +13,11 @@ const RESERVED_AUTHORIZATION_PARAMS = [
 	"response_type",
 	"code_challenge",
 	"code_challenge_method",
+	"nonce",
 	"scope"
 ];
 const RESERVED_AUTHORIZATION_PARAMS_SET = new Set(RESERVED_AUTHORIZATION_PARAMS);
-async function createAuthorizationURL({ id, options, authorizationEndpoint, state, codeVerifier, scopes, claims, redirectURI, duration, prompt, accessType, responseType, display, loginHint, hd, responseMode, additionalParams, scopeJoiner }) {
+async function createAuthorizationURL({ id, options, authorizationEndpoint, state, codeVerifier, scopes, claims, redirectURI, duration, prompt, accessType, responseType, display, loginHint, nonce, hd, responseMode, additionalParams, scopeJoiner }) {
 	options = typeof options === "function" ? await options() : options;
 	const url = new URL(options.authorizationEndpoint || authorizationEndpoint);
 	url.searchParams.set("response_type", responseType || "code");
@@ -29,6 +30,7 @@ async function createAuthorizationURL({ id, options, authorizationEndpoint, stat
 	duration && url.searchParams.set("duration", duration);
 	display && url.searchParams.set("display", display);
 	loginHint && url.searchParams.set("login_hint", loginHint);
+	nonce && url.searchParams.set("nonce", nonce);
 	prompt && url.searchParams.set("prompt", prompt);
 	hd && url.searchParams.set("hd", hd);
 	accessType && url.searchParams.set("access_type", accessType);