@better-auth/oauth-provider 1.6.11 → 1.6.13

package/dist/client-resource.d.mts

@@ -1,9 +1,16 @@
-import { s as ResourceServerMetadata } from "./oauth-BqWgUea8.mjs";
+import { s as ResourceServerMetadata } from "./oauth-D74mBkw6.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
-import { Auth } from "better-auth/types";
+import { BetterAuthOptions } from "better-auth/types";
 
 //#region src/client-resource.d.ts
-declare const oauthProviderResourceClient: <T extends Auth | undefined>(auth?: T) => {
+type ResourceClientAuth = {
+  options: {
+    baseURL?: BetterAuthOptions["baseURL"];
+    basePath?: BetterAuthOptions["basePath"];
+  };
+  $context: Promise<unknown>;
+};
+declare const oauthProviderResourceClient: <T extends ResourceClientAuth | undefined = undefined>(auth?: T) => {
   id: "oauth-provider-resource-client";
   version: string;
   getActions(): {
@@ -43,7 +50,7 @@ interface VerifyAccessTokenRemote {
    */
   force?: boolean;
 }
-type VerifyAccessTokenOutput<T> = T extends Auth ? (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload>;
+type VerifyAccessTokenOutput<T> = T extends undefined ? (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload>;
 type VerifyAccessTokenAuthOpts = {
   verifyOptions?: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience">>;
   scopes?: string[];
@@ -64,12 +71,12 @@ type VerifyAccessTokenNoAuthOpts = {
   remoteVerify: VerifyAccessTokenRemote; /** Maps non-url (ie urn, client) resources to resource_metadata */
   resourceMetadataMappings?: Record<string, string>;
 };
-type ProtectedResourceMetadataOutput<T> = T extends Auth ? (overrides?: Partial<ResourceServerMetadata>, opts?: {
+type ProtectedResourceMetadataOutput<T> = T extends undefined ? (overrides: ResourceServerMetadata, opts?: {
   silenceWarnings?: {
     oidcScopes?: boolean;
   };
   externalScopes?: string[];
-}) => Promise<ResourceServerMetadata> : (overrides: ResourceServerMetadata, opts?: {
+}) => Promise<ResourceServerMetadata> : (overrides?: Partial<ResourceServerMetadata>, opts?: {
   silenceWarnings?: {
     oidcScopes?: boolean;
   };

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
-import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-LAthGy-x.mjs";
-import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
+import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-DoYEeMrg.mjs";
+import { t as PACKAGE_VERSION } from "./version-MLrabwrK.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-C4GaGx2I.mjs";
+import { n as oauthProvider } from "./oauth-CUqnBdrR.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
+import { t as PACKAGE_VERSION } from "./version-MLrabwrK.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-BqWgUea8.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-C4GaGx2I.mjs";
+import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-D74mBkw6.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-CUqnBdrR.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
@@ -21,6 +21,7 @@ verifyOptions: Parameters<typeof verifyAccessToken>[1], handler: (req: Request,
 //#region src/metadata.d.ts
 declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptions, overrides?: {
   scopes_supported?: AuthServerMetadata["scopes_supported"];
+  dynamic_client_registration_supported?: boolean;
   public_client_supported?: boolean;
   grant_types_supported?: GrantType[];
   jwt_disabled?: boolean;

package/dist/index.mjs

@@ -1,5 +1,5 @@
-import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-LAthGy-x.mjs";
-import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
+import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-DoYEeMrg.mjs";
+import { t as PACKAGE_VERSION } from "./version-MLrabwrK.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -14,6 +14,7 @@ import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
 import { signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
+import { SafeUrlSchema } from "@better-auth/core/utils/redirect-uri";
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts) {
 	const oauthRequest = await oAuthState.get();
@@ -174,11 +175,6 @@ async function postLogin(ctx, opts) {
 }
 //#endregion
 //#region src/types/zod.ts
-const DANGEROUS_SCHEMES = [
-	"javascript:",
-	"data:",
-	"vbscript:"
-];
 /**
 * Runtime schema for OAuthAuthorizationQuery.
 * Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
@@ -214,34 +210,6 @@ const verificationValueSchema = z.object({
 	referenceId: z.string().optional(),
 	authTime: z.number().optional()
 }).passthrough();
-/**
-* Reusable URL validation for OAuth redirect URIs.
-* - Blocks dangerous schemes (javascript:, data:, vbscript:)
-* - For http/https: requires HTTPS (HTTP allowed only for loopback hosts: 127.0.0.0/8, [::1], *.localhost per RFC 6761)
-* - Allows custom schemes for mobile apps (e.g., myapp://callback)
-*/
-const SafeUrlSchema = z.url().superRefine((val, ctx) => {
-	if (!URL.canParse(val)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "URL must be parseable",
-			fatal: true
-		});
-		return z.NEVER;
-	}
-	const u = new URL(val);
-	if (DANGEROUS_SCHEMES.includes(u.protocol)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "URL cannot use javascript:, data:, or vbscript: scheme"
-		});
-		return;
-	}
-	if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
-		code: "custom",
-		message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"
-	});
-});
 //#endregion
 //#region src/userinfo.ts
 /**
@@ -605,11 +573,7 @@ async function createUserTokens(ctx, opts, params) {
 async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
 	const verification = await ctx.context.internalAdapter.consumeVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
 	if (!verification) throw new APIError("UNAUTHORIZED", {
-		error_description: "Invalid code",
-		error: "invalid_grant"
-	});
-	if (!verification.expiresAt || verification.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-		error_description: "code expired",
+		error_description: "invalid code",
 		error: "invalid_grant"
 	});
 	let rawValue;
@@ -1237,6 +1201,28 @@ const publicSessionMiddleware = (opts) => createAuthMiddleware(async (ctx) => {
 	if (!await verifyOAuthQueryParams(query, ctx.context.secret)) throw new APIError("UNAUTHORIZED", { error: "invalid_signature" });
 });
 //#endregion
+//#region src/oauthClient/privileges.ts
+/**
+* Authorizes a client action against the configured `clientPrivileges` hook.
+*
+* This is the single authorization helper for every OAuth client mutation. The
+* create path enforces it at the shared creation chokepoint so that no
+* registration route can reach client persistence without it.
+*
+* @throws APIError UNAUTHORIZED when there is no session or the hook denies the action.
+* @throws APIError BAD_REQUEST when the request carries no headers.
+*/
+async function assertClientPrivileges(ctx, session, opts, action) {
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action,
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+}
+//#endregion
 //#region src/register.ts
 /**
 * Resolves the auth method and type for unauthenticated DCR.
@@ -1331,6 +1317,9 @@ async function checkOAuthClient(client, opts, settings) {
 async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const body = ctx.body;
 	const session = await getSessionFromCtx(ctx);
+	if (settings.isRegister) {
+		if (session) await assertClientPrivileges(ctx, session, opts, "create");
+	} else await assertClientPrivileges(ctx, session, opts, "create");
 	const isPublic = body.token_endpoint_auth_method === "none";
 	await checkOAuthClient(ctx.body, opts, settings);
 	const clientId = opts.generateClientId?.() || generateRandomString(32, "a-z", "A-Z");
@@ -1662,16 +1651,6 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 		clientSecret: (opts.prefix?.clientSecret ?? "") + clientSecret
 	});
 }
-async function assertClientPrivileges(ctx, session, opts, action) {
-	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action,
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
-}
 //#endregion
 //#region src/oauthClient/index.ts
 const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
@@ -1854,7 +1833,6 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		}
 	}
 }, async (ctx) => {
-	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client", {
@@ -2024,7 +2002,6 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		} }
 	} }
 }, async (ctx) => {
-	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const getOAuthClient = (opts) => createAuthEndpoint("/oauth2/get-client", {
@@ -2228,12 +2205,12 @@ async function updateConsentEndpoint(ctx, opts) {
 		error_description: "no consent",
 		error: "not_found"
 	});
+	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const client = await getClient(ctx, opts, consent.clientId);
-	if (!consent) throw new APIError("NOT_FOUND", {
-		error_description: "no consent",
+	if (!client) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
 		error: "not_found"
 	});
-	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const allowedScopes = client?.scopes ?? opts.scopes ?? [];
 	const updates = ctx.body.update;
 	const scopes = updates.scopes;
@@ -2831,6 +2808,47 @@ const oauthProvider = (options) => {
 	if (opts.grantTypes && opts.grantTypes.includes("refresh_token") && !opts.grantTypes.includes("authorization_code")) throw new BetterAuthError("refresh_token grant requires authorization_code grant");
 	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
 	if (!opts.disableJwtPlugin && (opts.storeClientSecret === "encrypted" || typeof opts.storeClientSecret === "object" && ("encrypt" in opts.storeClientSecret || "decrypt" in opts.storeClientSecret))) throw new BetterAuthError("encryption method not recommended, please use 'hashed' or the 'hash' function");
+	const handleIssuerMetadataRequest = async (request, ctx) => {
+		const requestPathname = new URL(request.url).pathname;
+		const requestPath = ctx.options.advanced?.skipTrailingSlashes ? requestPathname.replace(/\/+$/, "") || "/" : requestPathname;
+		const issuer = opts.disableJwtPlugin ? ctx.baseURL : getJwtPlugin(ctx)?.options?.jwt?.issuer ?? ctx.baseURL;
+		let issuerPath = "/";
+		try {
+			issuerPath = new URL(issuer).pathname.replace(/\/$/, "") || "";
+		} catch {
+			issuerPath = new URL(ctx.baseURL).pathname.replace(/\/$/, "") || "";
+		}
+		const endpointCtx = { context: ctx };
+		const authServerMetadataPaths = new Set([`/.well-known/oauth-authorization-server${issuerPath}`, `${issuerPath}/.well-known/oauth-authorization-server`]);
+		const openIdConfigPath = `${issuerPath}/.well-known/openid-configuration`;
+		const isAuthServerMetadataRequest = authServerMetadataPaths.has(requestPath);
+		const isOpenIdConfigRequest = opts.scopes?.includes("openid") && requestPath === openIdConfigPath;
+		const createMetadataResponse = (metadata) => {
+			const response = metadataResponse(metadata);
+			if (request.method === "HEAD") return new Response(null, {
+				status: response.status,
+				headers: response.headers
+			});
+			return response;
+		};
+		if (isAuthServerMetadataRequest || isOpenIdConfigRequest) {
+			if (request.method !== "GET" && request.method !== "HEAD") return { response: new Response(null, {
+				status: 405,
+				headers: { Allow: "GET, HEAD" }
+			}) };
+		}
+		if (isAuthServerMetadataRequest) {
+			if (opts.scopes?.includes("openid")) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+			return { response: createMetadataResponse(authServerMetadata(endpointCtx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx)?.options, {
+				scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+				dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
+				public_client_supported: opts.allowUnauthenticatedClientRegistration,
+				grant_types_supported: opts.grantTypes,
+				jwt_disabled: opts.disableJwtPlugin
+			})) };
+		}
+		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+	};
 	return {
 		id: "oauth-provider",
 		version: PACKAGE_VERSION,
@@ -2852,6 +2870,7 @@ const oauthProvider = (options) => {
 				if (!opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
 			}
 		},
+		onRequest: handleIssuerMetadataRequest,
 		hooks: {
 			before: [{
 				matcher(ctx) {
@@ -2908,6 +2927,7 @@ const oauthProvider = (options) => {
 				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
 				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
 					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+					dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 					public_client_supported: opts.allowUnauthenticatedClientRegistration,
 					grant_types_supported: opts.grantTypes,
 					jwt_disabled: opts.disableJwtPlugin
@@ -4030,7 +4050,7 @@ function authServerMetadata(ctx, opts, overrides) {
 		authorization_endpoint: `${baseURL}/oauth2/authorize`,
 		token_endpoint: `${baseURL}/oauth2/token`,
 		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
-		registration_endpoint: `${baseURL}/oauth2/register`,
+		registration_endpoint: overrides?.dynamic_client_registration_supported ? `${baseURL}/oauth2/register` : void 0,
 		introspection_endpoint: `${baseURL}/oauth2/introspect`,
 		revocation_endpoint: `${baseURL}/oauth2/revoke`,
 		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
@@ -4057,6 +4077,7 @@ function oidcServerMetadata(ctx, opts) {
 	return {
 		...authServerMetadata(ctx, jwtPluginOptions, {
 			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+			dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 			public_client_supported: opts.allowUnauthenticatedClientRegistration,
 			grant_types_supported: opts.grantTypes,
 			jwt_disabled: opts.disableJwtPlugin

package/dist/{oauth-C4GaGx2I.d.mts → oauth-CUqnBdrR.d.mts}

@@ -1,4 +1,4 @@
-import { _ as Scope, a as OAuthClient, d as OAuthConsent, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions } from "./oauth-BqWgUea8.mjs";
+import { _ as Scope, a as OAuthClient, d as OAuthConsent, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions } from "./oauth-D74mBkw6.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -30,6 +30,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
   version: string;
   options: NoInfer<O>;
   init: (ctx: better_auth0.AuthContext) => void;
+  onRequest: (request: Request, ctx: better_auth0.AuthContext) => Promise<{
+    response: Response;
+  } | {
+    request: Request;
+  } | void>;
   hooks: {
     before: {
       matcher(ctx: better_auth0.HookEndpointContext): any;

package/dist/{oauth-BqWgUea8.d.mts → oauth-D74mBkw6.d.mts}

@@ -1380,9 +1380,11 @@ interface AuthServerMetadata {
   /**
    * The URL of the dynamic client registration endpoint.
    *
+   * This field is only present when `allowDynamicClientRegistration` is enabled.
+   *
    * @default `/oauth2/register`
    */
-  registration_endpoint: string;
+  registration_endpoint?: string;
   /**
    * Supported scopes.
    */

package/dist/{utils-LAthGy-x.mjs → utils-DoYEeMrg.mjs}

@@ -254,11 +254,13 @@ function basicToClientCredentials(authorization) {
 	if (authorization.startsWith("Basic ")) {
 		const encoded = authorization.replace("Basic ", "");
 		const decoded = new TextDecoder().decode(base64.decode(encoded));
-		if (!decoded.includes(":")) throw new APIError$1("BAD_REQUEST", {
+		const separatorIndex = decoded.indexOf(":");
+		if (separatorIndex === -1) throw new APIError$1("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"
 		});
-		const [id, secret] = decoded.split(":", 2);
+		const id = decoded.slice(0, separatorIndex);
+		const secret = decoded.slice(separatorIndex + 1);
 		if (!id || !secret) throw new APIError$1("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"

package/dist/{version-CRjaDWWg.mjs → version-MLrabwrK.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.11";
+const PACKAGE_VERSION = "1.6.13";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.11",
+  "version": "1.6.13",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.11",
-    "better-auth": "1.6.11"
+    "@better-auth/core": "1.6.13",
+    "better-auth": "1.6.13"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.0",
+    "@better-auth/utils": "0.4.1",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.11",
-    "better-auth": "^1.6.11"
+    "@better-auth/core": "^1.6.13",
+    "better-auth": "^1.6.13"
   },
   "scripts": {
     "build": "tsdown",