@better-auth/oauth-provider 1.6.2 → 1.6.3

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { a as ResourceServerMetadata } from "./oauth-Cc0nzj5Q.mjs";
+import { a as ResourceServerMetadata } from "./oauth-IpUqx-_N.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
 import { a as getJwtPlugin, o as getOAuthProviderPlugin, y as handleMcpErrors } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-Usf6Oz_M.mjs";
+import { t as PACKAGE_VERSION } from "./version-BlcZ64XB.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-CetEXi_Z.mjs";
+import { n as oauthProvider } from "./oauth-DH61OMT6.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-Usf6Oz_M.mjs";
+import { t as PACKAGE_VERSION } from "./version-BlcZ64XB.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-Cc0nzj5Q.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-CetEXi_Z.mjs";
+import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-IpUqx-_N.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-DH61OMT6.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
@@ -44,7 +44,7 @@ declare const oauthProviderAuthServerMetadata: <Auth extends {
   };
 }>(auth: Auth, opts?: {
   headers?: HeadersInit;
-}) => (_request: Request) => Promise<Response>;
+}) => (request: Request) => Promise<Response>;
 /**
  * Provides an exportable `/.well-known/openid-configuration`.
  *
@@ -59,6 +59,6 @@ declare const oauthProviderOpenIdConfigMetadata: <Auth extends {
   };
 }>(auth: Auth, opts?: {
   headers?: HeadersInit;
-}) => (_request: Request) => Promise<Response>;
+}) => (request: Request) => Promise<Response>;
 //#endregion
 export { AuthServerMetadata, AuthorizePrompt, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };

package/dist/index.mjs

@@ -1,5 +1,5 @@
 import { _ as validateClientCredentials, a as getJwtPlugin, b as mcpHandler, c as isPKCERequired, d as parsePrompt, f as resolveSessionAuthTime, g as storeToken, h as storeClientSecret, i as getClient, l as normalizeTimestampValue, m as searchParamsToQuery, n as decryptStoredClientSecret, p as resolveSubjectIdentifier, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as verifyOAuthQueryParams } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-Usf6Oz_M.mjs";
+import { t as PACKAGE_VERSION } from "./version-BlcZ64XB.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -153,6 +153,81 @@ async function postLogin(ctx, opts) {
 	};
 }
 //#endregion
+//#region src/types/zod.ts
+const DANGEROUS_SCHEMES = [
+	"javascript:",
+	"data:",
+	"vbscript:"
+];
+function isLocalhost(hostname) {
+	return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname.endsWith(".localhost");
+}
+/**
+* Runtime schema for OAuthAuthorizationQuery.
+* Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
+*/
+const oauthAuthorizationQuerySchema = z.object({
+	response_type: z.literal("code").optional(),
+	request_uri: z.string().optional(),
+	redirect_uri: z.string(),
+	scope: z.string().optional(),
+	state: z.string(),
+	client_id: z.string(),
+	prompt: z.string().optional(),
+	display: z.string().optional(),
+	ui_locales: z.string().optional(),
+	max_age: z.coerce.number().optional(),
+	acr_values: z.string().optional(),
+	login_hint: z.string().optional(),
+	id_token_hint: z.string().optional(),
+	code_challenge: z.string().optional(),
+	code_challenge_method: z.literal("S256").optional(),
+	nonce: z.string().optional()
+}).passthrough();
+/**
+* Runtime schema for the authorization code verification value.
+* Validates structure on deserialization from the JSON blob stored in the DB.
+* Uses passthrough so future fields (e.g. from authorization challenge) don't break parsing.
+*/
+const verificationValueSchema = z.object({
+	type: z.literal("authorization_code"),
+	query: oauthAuthorizationQuerySchema,
+	sessionId: z.string(),
+	userId: z.string(),
+	referenceId: z.string().optional(),
+	authTime: z.number().optional()
+}).passthrough();
+/**
+* Reusable URL validation for OAuth redirect URIs.
+* - Blocks dangerous schemes (javascript:, data:, vbscript:)
+* - For http/https: requires HTTPS (HTTP allowed only for localhost)
+* - Allows custom schemes for mobile apps (e.g., myapp://callback)
+*/
+const SafeUrlSchema = z.url().superRefine((val, ctx) => {
+	if (!URL.canParse(val)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL must be parseable",
+			fatal: true
+		});
+		return z.NEVER;
+	}
+	const u = new URL(val);
+	if (DANGEROUS_SCHEMES.includes(u.protocol)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL cannot use javascript:, data:, or vbscript: scheme"
+		});
+		return;
+	}
+	if (u.protocol === "http:" || u.protocol === "https:") {
+		if (u.protocol === "http:" && !isLocalhost(u.hostname)) ctx.addIssue({
+			code: "custom",
+			message: "Redirect URI must use HTTPS (HTTP allowed only for localhost)"
+		});
+	}
+});
+//#endregion
 //#region src/userinfo.ts
 /**
 * Provides shared /userinfo and id_token claims functionality
@@ -265,7 +340,7 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 		options: jwtPluginOptions,
 		payload: {
 			...customClaims,
-			sub: user.id,
+			sub: user?.id,
 			aud: typeof audience === "string" ? audience : audience?.length === 1 ? audience.at(0) : audience,
 			azp: client.clientId,
 			scope: scopes.join(" "),
@@ -399,21 +474,29 @@ async function checkResource(ctx, opts, scopes) {
 	}
 	return audience?.length === 1 ? audience.at(0) : audience;
 }
-async function createUserTokens(ctx, opts, client, scopes, user, referenceId, sessionId, nonce, additional, authTime) {
+async function createUserTokens(ctx, opts, params) {
+	const { client, scopes, user, grantType, referenceId, sessionId, nonce, refreshToken: existingRefreshToken, authTime, verificationValue } = params;
 	const iat = Math.floor(Date.now() / 1e3);
-	const defaultExp = iat + (opts.accessTokenExpiresIn ?? 3600);
+	const defaultExp = iat + (user ? opts.accessTokenExpiresIn ?? 3600 : opts.m2mAccessTokenExpiresIn ?? 3600);
 	const exp = opts.scopeExpirations ? scopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
 		return prev < curr ? prev : curr;
 	}, defaultExp) : defaultExp;
 	const audience = await checkResource(ctx, opts, scopes);
-	const isRefreshToken = additional?.refreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access");
+	const isRefreshToken = user && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
 	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
-	const isIdToken = scopes.includes("openid");
-	const earlyRefreshToken = isRefreshToken && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+	const isIdToken = user && scopes.includes("openid");
+	const customFields = opts.customTokenResponseFields ? await opts.customTokenResponseFields({
+		grantType,
+		user,
+		scopes,
+		metadata: parseClientMetadata(client.metadata),
+		verificationValue
+	}) : void 0;
+	const earlyRefreshToken = isRefreshToken && user && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
 		iat,
 		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
 		sid: sessionId
-	}, additional?.refreshToken, authTime) : void 0;
+	}, existingRefreshToken, authTime) : void 0;
 	const [accessToken, refreshToken, idToken] = await Promise.all([
 		isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, {
 			iat,
@@ -424,14 +507,15 @@ async function createUserTokens(ctx, opts, client, scopes, user, referenceId, se
 			exp,
 			sid: sessionId
 		}, referenceId, earlyRefreshToken?.id),
-		earlyRefreshToken ? earlyRefreshToken : isRefreshToken ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+		earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
 			iat,
 			exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
 			sid: sessionId
-		}, additional?.refreshToken, authTime) : void 0,
-		isIdToken ? createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime) : void 0
+		}, existingRefreshToken, authTime) : void 0,
+		isIdToken && user ? createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime) : void 0
 	]);
 	return ctx.json({
+		...customFields,
 		access_token: accessToken,
 		expires_in: exp - iat,
 		expires_at: exp,
@@ -447,7 +531,6 @@ async function createUserTokens(ctx, opts, client, scopes, user, referenceId, se
 /** Checks verification value */
 async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
 	const verification = await ctx.context.internalAdapter.findVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
-	const verificationValue = verification ? JSON.parse(verification?.value) : void 0;
 	if (!verification) throw new APIError("UNAUTHORIZED", {
 		error_description: "Invalid code",
 		error: "invalid_verification"
@@ -457,22 +540,25 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 		error_description: "code expired",
 		error: "invalid_verification"
 	});
-	if (!verificationValue) throw new APIError("UNAUTHORIZED", {
-		error_description: "missing verification value content",
-		error: "invalid_verification"
-	});
-	if (verificationValue.type !== "authorization_code") throw new APIError("UNAUTHORIZED", {
-		error_description: "incorrect verification type",
+	let rawValue;
+	try {
+		rawValue = JSON.parse(verification.value);
+	} catch {
+		throw new APIError("UNAUTHORIZED", {
+			error_description: "malformed verification value",
+			error: "invalid_verification"
+		});
+	}
+	const parsed = verificationValueSchema.safeParse(rawValue);
+	if (!parsed.success) throw new APIError("UNAUTHORIZED", {
+		error_description: "malformed verification value",
 		error: "invalid_verification"
 	});
+	const verificationValue = parsed.data;
 	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
 		error_description: "invalid client_id",
 		error: "invalid_client"
 	});
-	if (!verificationValue.userId) throw new APIError("BAD_REQUEST", {
-		error_description: "missing user_id on challenge",
-		error: "invalid_user"
-	});
 	if (verificationValue.query?.redirect_uri && verificationValue.query?.redirect_uri !== redirect_uri) throw new APIError("BAD_REQUEST", {
 		error_description: "redirect_uri mismatch",
 		error: "invalid_request"
@@ -565,7 +651,17 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error: "invalid_request"
 	});
 	const authTime = verificationValue.authTime != null ? normalizeTimestampValue(verificationValue.authTime) : resolveSessionAuthTime(session);
-	return createUserTokens(ctx, opts, client, verificationValue.query.scope?.split(" ") ?? [], user, verificationValue.referenceId, session.id, verificationValue.query?.nonce, void 0, authTime);
+	return createUserTokens(ctx, opts, {
+		client,
+		scopes: verificationValue.query.scope?.split(" ") ?? [],
+		user,
+		grantType: "authorization_code",
+		referenceId: verificationValue.referenceId,
+		sessionId: session.id,
+		nonce: verificationValue.query?.nonce,
+		authTime,
+		verificationValue
+	});
 }
 /**
 * Grant that allows direct access to an API using the application's credentials
@@ -608,43 +704,11 @@ async function handleClientCredentialsGrant(ctx, opts) {
 		});
 	}
 	if (!requestedScopes) requestedScopes = client.scopes ?? opts.clientCredentialGrantDefaultScopes ?? opts.scopes ?? [];
-	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
-	const audience = await checkResource(ctx, opts, requestedScopes);
-	const iat = Math.floor(Date.now() / 1e3);
-	const defaultExp = iat + (opts.m2mAccessTokenExpiresIn ?? 3600);
-	const exp = opts.scopeExpirations && requestedScopes ? requestedScopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
-		return prev < curr ? prev : curr;
-	}, defaultExp) : defaultExp;
-	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
+	return createUserTokens(ctx, opts, {
+		client,
 		scopes: requestedScopes,
-		resource: ctx.body.resource,
-		metadata: parseClientMetadata(client.metadata)
-	}) : {};
-	const accessToken = audience && !opts.disableJwtPlugin ? await signJWT(ctx, {
-		options: jwtPluginOptions,
-		payload: {
-			...customClaims,
-			aud: audience,
-			azp: client.clientId,
-			scope: requestedScopes.join(" "),
-			iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
-			iat,
-			exp
-		}
-	}) : await createOpaqueAccessToken(ctx, opts, void 0, client, requestedScopes, {
-		iat,
-		exp
+		grantType: "client_credentials"
 	});
-	return ctx.json({
-		access_token: accessToken,
-		expires_in: exp - iat,
-		expires_at: exp,
-		token_type: "Bearer",
-		scope: requestedScopes.join(" ")
-	}, { headers: {
-		"Cache-Control": "no-store",
-		Pragma: "no-cache"
-	} });
 }
 /**
 * Obtains new Session Jwt and Refresh Tokens using a refresh token
@@ -720,7 +784,16 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		error: "invalid_request"
 	});
 	const authTime = refreshToken.authTime != null ? normalizeTimestampValue(refreshToken.authTime) : void 0;
-	return createUserTokens(ctx, opts, client, requestedScopes ?? scopes, user, refreshToken.referenceId, refreshToken.sessionId, void 0, { refreshToken }, authTime);
+	return createUserTokens(ctx, opts, {
+		client,
+		scopes: requestedScopes ?? scopes,
+		user,
+		grantType: "refresh_token",
+		referenceId: refreshToken.referenceId,
+		sessionId: refreshToken.sessionId,
+		refreshToken,
+		authTime
+	});
 }
 //#endregion
 //#region src/introspect.ts
@@ -1102,6 +1175,21 @@ const publicSessionMiddleware = (opts) => createAuthMiddleware(async (ctx) => {
 });
 //#endregion
 //#region src/register.ts
+/**
+* Resolves the auth method and type for unauthenticated DCR.
+* Overrides confidential methods to "none" per RFC 7591 Section 3.2.1.
+* When overriding, clears type "web" since it is only valid for confidential clients.
+*/
+function resolveUnauthenticatedAuth(body) {
+	if (body.token_endpoint_auth_method === "none") return {
+		tokenEndpointAuthMethod: "none",
+		type: body.type
+	};
+	return {
+		tokenEndpointAuthMethod: "none",
+		type: body.type === "web" ? void 0 : body.type
+	};
+}
 async function registerEndpoint(ctx, opts) {
 	if (!opts.allowDynamicClientRegistration) throw new APIError("FORBIDDEN", {
 		error: "access_denied",
@@ -1113,12 +1201,16 @@ async function registerEndpoint(ctx, opts) {
 		error: "invalid_token",
 		error_description: "Authentication required for client registration"
 	});
-	const isPublic = body.token_endpoint_auth_method === "none";
-	if (!session && !isPublic) throw new APIError("UNAUTHORIZED", {
-		error: "invalid_request",
-		error_description: "Authentication required for confidential client registration"
-	});
-	if (!ctx.body.scope) ctx.body.scope = (opts.clientRegistrationDefaultScopes ?? opts.scopes)?.join(" ");
+	if (!session) {
+		if (body.grant_types?.includes("client_credentials")) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "client_credentials grant requires authenticated registration"
+		});
+		const resolved = resolveUnauthenticatedAuth(body);
+		body.token_endpoint_auth_method = resolved.tokenEndpointAuthMethod;
+		body.type = resolved.type;
+	}
+	if (!body.scope) body.scope = (opts.clientRegistrationDefaultScopes ?? opts.scopes)?.join(" ");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: true });
 }
 async function checkOAuthClient(client, opts, settings) {
@@ -1309,46 +1401,6 @@ function schemaToOAuth(input) {
 	};
 }
 //#endregion
-//#region src/types/zod.ts
-const DANGEROUS_SCHEMES = [
-	"javascript:",
-	"data:",
-	"vbscript:"
-];
-function isLocalhost(hostname) {
-	return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname.endsWith(".localhost");
-}
-/**
-* Reusable URL validation for OAuth redirect URIs.
-* - Blocks dangerous schemes (javascript:, data:, vbscript:)
-* - For http/https: requires HTTPS (HTTP allowed only for localhost)
-* - Allows custom schemes for mobile apps (e.g., myapp://callback)
-*/
-const SafeUrlSchema = z.url().superRefine((val, ctx) => {
-	if (!URL.canParse(val)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "URL must be parseable",
-			fatal: true
-		});
-		return z.NEVER;
-	}
-	const u = new URL(val);
-	if (DANGEROUS_SCHEMES.includes(u.protocol)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "URL cannot use javascript:, data:, or vbscript: scheme"
-		});
-		return;
-	}
-	if (u.protocol === "http:" || u.protocol === "https:") {
-		if (u.protocol === "http:" && !isLocalhost(u.hostname)) ctx.addIssue({
-			code: "custom",
-			message: "Redirect URI must use HTTPS (HTTP allowed only for localhost)"
-		});
-	}
-});
-//#endregion
 //#region src/oauthClient/endpoints.ts
 async function getClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
@@ -3955,6 +4007,16 @@ function oidcServerMetadata(ctx, opts) {
 		]
 	};
 }
+const METADATA_CACHE_CONTROL = "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400";
+function metadataResponse(body, extraHeaders) {
+	const headers = new Headers(extraHeaders);
+	if (!headers.has("Cache-Control")) headers.set("Cache-Control", METADATA_CACHE_CONTROL);
+	headers.set("Content-Type", "application/json");
+	return new Response(JSON.stringify(body), {
+		status: 200,
+		headers
+	});
+}
 /**
 * Provides an exportable `/.well-known/oauth-authorization-server`.
 *
@@ -3964,16 +4026,11 @@ function oidcServerMetadata(ctx, opts) {
 * @external
 */
 const oauthProviderAuthServerMetadata = (auth, opts) => {
-	return async (_request) => {
-		const res = await auth.api.getOAuthServerConfig();
-		return new Response(JSON.stringify(res), {
-			status: 200,
-			headers: {
-				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-				...opts?.headers,
-				"Content-Type": "application/json"
-			}
-		});
+	return async (request) => {
+		return metadataResponse(await auth.api.getOAuthServerConfig({
+			request,
+			asResponse: false
+		}), opts?.headers);
 	};
 };
 /**
@@ -3985,16 +4042,11 @@ const oauthProviderAuthServerMetadata = (auth, opts) => {
 * @external
 */
 const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
-	return async (_request) => {
-		const res = await auth.api.getOpenIdConfig();
-		return new Response(JSON.stringify(res), {
-			status: 200,
-			headers: {
-				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-				...opts?.headers,
-				"Content-Type": "application/json"
-			}
-		});
+	return async (request) => {
+		return metadataResponse(await auth.api.getOpenIdConfig({
+			request,
+			asResponse: false
+		}), opts?.headers);
 	};
 };
 //#endregion

package/dist/{oauth-CetEXi_Z.d.mts → oauth-DH61OMT6.d.mts}

@@ -1,4 +1,4 @@
-import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-Cc0nzj5Q.mjs";
+import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-IpUqx-_N.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -428,8 +428,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       access_token: string;
       expires_in: number;
       expires_at: number;
-      token_type: string;
+      token_type: "Bearer";
+      refresh_token: string | undefined;
       scope: string;
+      id_token: string | undefined;
     }>;
     oauth2Introspect: better_call0.StrictEndpoint<"/oauth2/introspect", {
       method: "POST";

package/dist/{oauth-Cc0nzj5Q.d.mts → oauth-IpUqx-_N.d.mts}

@@ -752,6 +752,34 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
     resource?: string; /** oAuthClient metadata */
     metadata?: Record<string, any>;
   }) => Awaitable<Record<string, any>>;
+  /**
+   * Custom fields to include in the token response body.
+   *
+   * Unlike `customAccessTokenClaims` (which adds claims inside the JWT payload),
+   * this adds fields to the JSON response envelope alongside `access_token`,
+   * `token_type`, etc. Standard OAuth fields (`access_token`, `token_type`,
+   * `expires_in`, `expires_at`, `refresh_token`, `scope`, `id_token`) cannot
+   * be overridden.
+   *
+   * @param info - context that may be useful when creating custom fields
+   */
+  customTokenResponseFields?: (info: {
+    /** The grant type being processed */grantType: GrantType;
+    /**
+     * The user, if applicable.
+     * Undefined for `client_credentials` (M2M, no user).
+     * Always present for `authorization_code` and `refresh_token`.
+     */
+    user?: (User & Record<string, unknown>) | null; /** Scopes granted for this token */
+    scopes: Scopes; /** oAuthClient metadata */
+    metadata?: Record<string, any>;
+    /**
+     * The authorization code verification value.
+     * Only present for `authorization_code` grant. Contains the original
+     * authorization request parameters (`query`), `referenceId`, `sessionId`, etc.
+     */
+    verificationValue?: VerificationValue;
+  }) => Awaitable<Record<string, unknown>>;
   /**
    * Overwrite specific /.well-known/openid-configuration
    * values so they are not available publically.

package/dist/{version-Usf6Oz_M.mjs → version-BlcZ64XB.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.2";
+const PACKAGE_VERSION = "1.6.3";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.2",
-    "better-auth": "1.6.2"
+    "@better-auth/core": "1.6.3",
+    "better-auth": "1.6.3"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.2",
-    "better-auth": "^1.6.2"
+    "@better-auth/core": "^1.6.3",
+    "better-auth": "^1.6.3"
   },
   "scripts": {
     "build": "tsdown",